From patchwork Tue May 5 16:57:18 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Fabien Thomas
X-Patchwork-Id: 87523
From: Fabien Thomas
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/23] libpng: fix CVE-2026-33636
Date: Tue, 5 May 2026 18:57:18 +0200
X-Mailer: git-send-email 2.54.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236493

From: Sudhir Dumbhare

Pick the patch [1] as mentioned in [2].

[1] https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-33636

Reference:
https://security-tracker.debian.org/tracker/CVE-2026-33636
https://www.suse.com/security/cve/CVE-2026-33636.html

Signed-off-by: Sudhir Dumbhare
Signed-off-by: Fabien Thomas
---
 .../libpng/files/CVE-2026-33636.patch | 99 +++++++++++++++++++
 .../libpng/libpng_1.6.42.bb | 1 +
 2 files changed, 100 insertions(+)
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch

diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch new file mode 100644 index 0000000000..3bd6aae2a4 --- /dev/null +++ b/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch
@@ -0,0 +1,99 @@ +From 9ff847dfcbb54f6dee3fd4e408150ae944278391 Mon Sep 17 00:00:00 2001 +From: Cosmin Truta +Date: Sat, 21 Mar 2026 23:48:49 +0200 +Subject: [PATCH] fix(arm): Resolve out-of-bounds read/write in NEON palette + expansion + +Both `png_do_expand_palette_rgba8_neon` and +`png_do_expand_palette_rgb8_neon` advanced in fixed-size chunks without +guarding the final iteration, allowing out-of-bounds reads and writes +when the row width is not a multiple of the chunk size. + +Restrict the NEON loop to full chunks only, remove the now-unnecessary +post-loop adjustment, and undo the `*ddp` pre-adjustment before the +pointer handoff to the scalar fallback. + +CVE: CVE-2026-33636 +Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3] + +Reported-by: Amemoyoi +Co-authored-by: Amemoyoi +Signed-off-by: Cosmin Truta +(cherry picked from commit aba9f18eba870d14fb52c5ba5d73451349e339c3) +Signed-off-by: Sudhir Dumbhare +--- + arm/palette_neon_intrinsics.c | 29 +++++++++++++---------------- + 1 file changed, 13 insertions(+), 16 deletions(-) + +diff --git a/arm/palette_neon_intrinsics.c b/arm/palette_neon_intrinsics.c +index 92c7d6f9f..bdd15849d 100644 +--- a/arm/palette_neon_intrinsics.c ++++ b/arm/palette_neon_intrinsics.c +@@ -1,7 +1,7 @@ + + /* palette_neon_intrinsics.c - NEON optimised palette expansion functions + * +- * Copyright (c) 2018-2019 Cosmin Truta ++ * Copyright (c) 2018-2026 Cosmin Truta + * Copyright (c) 2017-2018 Arm Holdings. All rights reserved. + * Written by Richard Townsend , February 2017. 
+ * +@@ -80,7 +80,7 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info, + */ + *ddp = *ddp - ((pixels_per_chunk * sizeof(png_uint_32)) - 1); + +- for (i = 0; i < row_width; i += pixels_per_chunk) ++ for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk) + { + uint32x4_t cur; + png_bytep sp = *ssp - i, dp = *ddp - (i << 2); +@@ -90,13 +90,12 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info, + cur = vld1q_lane_u32(riffled_palette + *(sp - 0), cur, 3); + vst1q_u32((void *)dp, cur); + } +- if (i != row_width) +- { +- /* Remove the amount that wasn't processed. */ +- i -= pixels_per_chunk; +- } + +- /* Decrement output pointers. */ ++ /* Undo the pre-adjustment of *ddp before the pointer handoff, ++ * so the scalar fallback in pngrtran.c receives a dp that points ++ * to the correct position. ++ */ ++ *ddp = *ddp + (pixels_per_chunk * 4 - 1); + *ssp = *ssp - i; + *ddp = *ddp - (i << 2); + return i; +@@ -121,7 +120,7 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info, + /* Seeking this back by 8 pixels x 3 bytes. */ + *ddp = *ddp - ((pixels_per_chunk * sizeof(png_color)) - 1); + +- for (i = 0; i < row_width; i += pixels_per_chunk) ++ for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk) + { + uint8x8x3_t cur; + png_bytep sp = *ssp - i, dp = *ddp - ((i << 1) + i); +@@ -136,13 +135,11 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info, + vst3_u8((void *)dp, cur); + } + +- if (i != row_width) +- { +- /* Remove the amount that wasn't processed. */ +- i -= pixels_per_chunk; +- } +- +- /* Decrement output pointers. */ ++ /* Undo the pre-adjustment of *ddp before the pointer handoff, ++ * so the scalar fallback in pngrtran.c receives a dp that points ++ * to the correct position. ++ */ ++ *ddp = *ddp + (pixels_per_chunk * 3 - 1); + *ssp = *ssp - i; + *ddp = *ddp - ((i << 1) + i); + return i; +-- +2.44.4 + 
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb index 7471315fdd..923ed79896 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb 
@@ -24,6 +24,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz file://CVE-2026-22695.patch \ file://CVE-2026-22801.patch \ file://CVE-2026-25646.patch \ + file://CVE-2026-33636.patch \ " SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
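
Review bot: In both NEON hunks of arm/palette_neon_intrinsics.c the new undo line hard-codes the pixel size (`*ddp = *ddp + (pixels_per_chunk * 4 - 1);` in png_do_expand_palette_rgba8_neon, `* 3` in png_do_expand_palette_rgb8_neon), while the pre-adjustment a few lines above uses `sizeof(png_uint_32)` and `sizeof(png_color)`. The two must cancel exactly for the scalar fallback to receive a correct dp, so writing the undo with the same sizeof expression as the seek-back would keep them in step. Since this is a backport, that is a point to raise upstream rather than a reason to diverge here.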
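
Review bot: With the new loop bound `i + pixels_per_chunk <= row_width`, a row narrower than one chunk never enters the NEON loop and the function returns 0, leaving every pixel to the scalar fallback. Neither the backported patch nor the recipe hunk adds a test for row widths that are not a multiple of pixels_per_chunk, which is the case the commit message describes; a short statement of how the fix was exercised on an ARM target would help review on the stable branch.
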
X-Patchwork-Id: 87518
From: Fabien Thomas
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/23] binutils: fix CVE-2025-69647
Date: Tue, 5 May 2026 18:57:19 +0200
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236492

From: Adarsh Jagadish Kamini

Backport upstream fix for CVE-2025-69647 [1].

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7

Signed-off-by: Adarsh Jagadish Kamini
Signed-off-by: Fabien Thomas
---
 .../binutils/binutils-2.42.inc | 1 +
 .../binutils/binutils/CVE-2025-69647.patch | 85 +++++++++++++++++++
 2 files changed, 86 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index 096ccf42c2..fcbe7fbfab 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -72,5 +72,6 @@ SRC_URI = "\ file://0028-CVE-2025-11494.patch \ file://0029-CVE-2025-11839.patch \ file://0030-CVE-2025-11840.patch \ + file://CVE-2025-69647.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch new file mode 100644 index 0000000000..8e3c1c79e7 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch
@@ -0,0 +1,85 @@ +From c87ed59208e1ce665f08ae2b2d8c1cdc2a653ea2 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Sat, 22 Nov 2025 09:52:18 +1030 +Subject: [PATCH] PR 33639 .debug_loclists output + +The fuzzed testcase in this PR prints an almost endless table of +offsets, due to a bogus offset count. Limit that count, and the total +length too. + + PR 33639 + * dwarf.c (display_loclists_unit_header): Return error on + length too small to read header. Limit length to section + size. Limit offset count similarly. + +CVE: CVE-2025-69647 + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7] + +Signed-off-by: Adarsh Jagadish Kamini +--- + binutils/dwarf.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 72bc9d7497a..06d68074046 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -7221,8 +7221,6 @@ display_loclists_unit_header (struct dwarf_section * section, + bool is_64bit; + uint32_t i; + +- printf (_("Table at Offset %#" PRIx64 "\n"), header_offset); +- + SAFE_BYTE_GET_AND_INC (length, start, 4, end); + if (length == 0xffffffff) + { +@@ -7231,6 +7229,11 @@ display_loclists_unit_header (struct dwarf_section * section, + } + else + is_64bit = false; ++ if (length < 8) ++ return (uint64_t) -1; ++ ++ printf (_("Table at Offset %#" PRIx64 "\n"), header_offset); ++ header_offset = start - section->start; + + SAFE_BYTE_GET_AND_INC (version, start, 2, end); + SAFE_BYTE_GET_AND_INC (address_size, start, 1, end); +@@ -7243,15 +7246,21 @@ display_loclists_unit_header (struct dwarf_section * section, + printf (_(" Segment size: %u\n"), segment_selector_size); + printf (_(" Offset entries: %u\n"), *offset_count); + ++ if (length > section->size - header_offset) ++ length = section->size - header_offset; ++ + if (segment_selector_size != 0) + { + warn (_("The %s section contains an " + "unsupported segment 
selector size: %d.\n"), + section->name, segment_selector_size); +- return (uint64_t)-1; ++ return (uint64_t) -1; + } + +- if ( *offset_count) ++ uint64_t max_off_count = length >> (is_64bit ? 3 : 2); ++ if (*offset_count > max_off_count) ++ *offset_count = max_off_count; ++ if (*offset_count) + { + printf (_("\n Offset Entries starting at %#tx:\n"), + start - section->start); +@@ -7268,8 +7277,7 @@ display_loclists_unit_header (struct dwarf_section * section, + putchar ('\n'); + *loclists_start = start; + +- /* The length field doesn't include the length field itself. */ +- return header_offset + length + (is_64bit ? 12 : 4); ++ return header_offset + length; + } + + static int +-- +2.34.1 +
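
Review bot: The cap `uint64_t max_off_count = length >> (is_64bit ? 3 : 2);` in display_loclists_unit_header is computed from a length that still counts the header fields read after the length word, which the earlier `if (length < 8)` test suggests occupy 8 bytes, so the limit is slightly larger than the number of offsets that can actually follow the header. The matching rnglists fix in 03/23 of this series uses `(length - 8) / offset_size`; subtracting the header bytes here as well would make the two caps consistent.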
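
Review bot: In the binutils-2.42.inc hunk the new entry `file://CVE-2025-69647.patch` drops the numeric prefix used by the entries just above it (`file://0030-CVE-2025-11840.patch`). Naming the file 0031-CVE-2025-69647.patch would keep the patch order visible in SRC_URI.
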
X-Patchwork-Id: 87522
From: Fabien Thomas
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/23] binutils: fix CVE-2025-69648
Date: Tue, 5 May 2026 18:57:20 +0200
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236494

From: Adarsh Jagadish Kamini

Backport upstream fix for CVE-2025-69648 [1].

[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33

Signed-off-by: Adarsh Jagadish Kamini
Signed-off-by: Fabien Thomas
---
 .../binutils/binutils-2.42.inc | 1 +
 .../binutils/binutils/CVE-2025-69648.patch | 190 ++++++++++++++++++
 2 files changed, 191 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc index fcbe7fbfab..1a865c45f4 100644 --- a/meta/recipes-devtools/binutils/binutils-2.42.inc +++ b/meta/recipes-devtools/binutils/binutils-2.42.inc @@ -73,5 +73,6 @@ SRC_URI = "\ file://0029-CVE-2025-11839.patch \ file://0030-CVE-2025-11840.patch \ file://CVE-2025-69647.patch \ + file://CVE-2025-69648.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch new file mode 100644 index 0000000000..e04d7ed6c2 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
@@ -0,0 +1,190 @@ +From 7df481dd76c05c89782721e9df5468be829c356b Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Sat, 22 Nov 2025 09:22:10 +1030 +Subject: [PATCH] PR 33638, debug_rnglists output + +The fuzzed testcase in this PR continuously outputs an error about +the debug_rnglists header. Fixed by taking notice of the error and +stopping output. The patch also limits the length in all cases, not +just when a relocation is present, and limits the offset entry count +read from the header. I removed the warning and the test for relocs +because the code can't work reliably with unresolved relocs in the +length field. + + PR 33638 + * dwarf.c (display_debug_rnglists_list): Return bool. Rename + "inital_length" to plain "length". Verify length is large + enough to read header. Limit length to rest of section. + Similarly limit offset_entry_count. + (display_debug_ranges): Check display_debug_rnglists_unit_header + return status. Stop output on error. + +CVE: CVE-2025-69648 +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33] + +(cherry picked from commit 598704a00cbac5e85c2bedd363357b5bf6fcee33) +Signed-off-by: Deepak Rathore +Signed-off-by: Adarsh Jagadish Kamini +--- + binutils/dwarf.c | 67 ++++++++++++++++++++++++------------------------ + 1 file changed, 34 insertions(+), 33 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index f4bcb677761..b4fb56351ec 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -8282,7 +8282,7 @@ display_debug_rnglists_list (unsigned char * start, + return start; + } + +-static int ++static bool + display_debug_rnglists_unit_header (struct dwarf_section * section, + uint64_t * unit_offset, + unsigned char * poffset_size) +@@ -8290,7 +8290,8 @@ display_debug_rnglists_unit_header (struct dwarf_section * section, + uint64_t start_offset = *unit_offset; + unsigned char * p = section->start + start_offset; + unsigned char * finish = 
section->start + section->size; +- uint64_t initial_length; ++ unsigned char * hdr; ++ uint64_t length; + unsigned char segment_selector_size; + unsigned int offset_entry_count; + unsigned int i; +@@ -8299,66 +8300,59 @@ display_debug_rnglists_unit_header (struct dwarf_section * section, + unsigned char offset_size; + + /* Get and check the length of the block. */ +- SAFE_BYTE_GET_AND_INC (initial_length, p, 4, finish); ++ SAFE_BYTE_GET_AND_INC (length, p, 4, finish); + +- if (initial_length == 0xffffffff) ++ if (length == 0xffffffff) + { + /* This section is 64-bit DWARF 3. */ +- SAFE_BYTE_GET_AND_INC (initial_length, p, 8, finish); ++ SAFE_BYTE_GET_AND_INC (length, p, 8, finish); + *poffset_size = offset_size = 8; + } + else + *poffset_size = offset_size = 4; + +- if (initial_length > (size_t) (finish - p)) +- { +- /* If the length field has a relocation against it, then we should +- not complain if it is inaccurate (and probably negative). +- It is copied from .debug_line handling code. */ +- if (reloc_at (section, (p - section->start) - offset_size)) +- initial_length = finish - p; +- else +- { +- warn (_("The length field (%#" PRIx64 +- ") in the debug_rnglists header is wrong" +- " - the section is too small\n"), +- initial_length); +- return 0; +- } +- } +- +- /* Report the next unit offset to the caller. */ +- *unit_offset = (p - section->start) + initial_length; ++ if (length < 8) ++ return false; + + /* Get the other fields in the header. 
*/ ++ hdr = p; + SAFE_BYTE_GET_AND_INC (version, p, 2, finish); + SAFE_BYTE_GET_AND_INC (address_size, p, 1, finish); + SAFE_BYTE_GET_AND_INC (segment_selector_size, p, 1, finish); + SAFE_BYTE_GET_AND_INC (offset_entry_count, p, 4, finish); + + printf (_(" Table at Offset: %#" PRIx64 ":\n"), start_offset); +- printf (_(" Length: %#" PRIx64 "\n"), initial_length); ++ printf (_(" Length: %#" PRIx64 "\n"), length); + printf (_(" DWARF version: %u\n"), version); + printf (_(" Address size: %u\n"), address_size); + printf (_(" Segment size: %u\n"), segment_selector_size); + printf (_(" Offset entries: %u\n"), offset_entry_count); + ++ if (length > (size_t) (finish - hdr)) ++ length = finish - hdr; ++ ++ /* Report the next unit offset to the caller. */ ++ *unit_offset = (hdr - section->start) + length; ++ + /* Check the fields. */ + if (segment_selector_size != 0) + { + warn (_("The %s section contains " + "unsupported segment selector size: %d.\n"), + section->name, segment_selector_size); +- return 0; ++ return false; + } + + if (version < 5) + { + warn (_("Only DWARF version 5+ debug_rnglists info " + "is currently supported.\n")); +- return 0; ++ return false; + } + ++ uint64_t max_off_count = (length - 8) / offset_size; ++ if (offset_entry_count > max_off_count) ++ offset_entry_count = max_off_count; + if (offset_entry_count != 0) + { + printf (_("\n Offsets starting at %#tx:\n"), p - section->start); +@@ -8372,7 +8366,7 @@ display_debug_rnglists_unit_header (struct dwarf_section * section, + } + } + +- return 1; ++ return true; + } + + static bool +@@ -8404,6 +8398,7 @@ display_debug_ranges (struct dwarf_section *section, + uint64_t last_offset = 0; + uint64_t next_rnglists_cu_offset = 0; + unsigned char offset_size; ++ bool ok_header = true; + + if (bytes == 0) + { +@@ -8493,8 +8488,12 @@ display_debug_ranges (struct dwarf_section *section, + /* If we've moved on to the next compile unit in the rnglists section - dump the unit header(s). 
*/ + if (is_rnglists && next_rnglists_cu_offset < offset) + { +- while (next_rnglists_cu_offset < offset) +- display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size); ++ while (ok_header && next_rnglists_cu_offset < offset) ++ ok_header = display_debug_rnglists_unit_header (section, ++ &next_rnglists_cu_offset, ++ &offset_size); ++ if (!ok_header) ++ break; + printf (_(" Offset Begin End\n")); + } + +@@ -8548,10 +8547,12 @@ display_debug_ranges (struct dwarf_section *section, + } + + /* Display trailing empty (or unreferenced) compile units, if any. */ +- if (is_rnglists) ++ if (is_rnglists && ok_header) + while (next_rnglists_cu_offset < section->size) +- display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size); +- ++ if (!display_debug_rnglists_unit_header (section, ++ &next_rnglists_cu_offset, ++ &offset_size)) ++ break; + putchar ('\n'); + + free (range_entries); +-- +2.35.6 +
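
Review bot: In display_debug_rnglists_unit_header the `if (length < 8) return false;` test runs before length is clamped by `length = finish - hdr;`, so when fewer than 8 bytes remain after the length field the clamped value drops below 8 and `(length - 8) / offset_size` wraps around in uint64_t, leaving offset_entry_count effectively uncapped. Repeating the minimum-size check after the clamp, or clamping first, would close that case.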
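
Review bot: The last display_debug_ranges hunk nests `while`, `if` and `break` under `if (is_rnglists && ok_header)` without braces and removes the blank line that separated the block from `putchar ('\n');`, so it is easy to misread where the loop ends. Braces around the while body would make the control flow explicit.
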
X-Patchwork-Id: 87520
From: Fabien Thomas
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 04/23] dbus: gate user-session PACKAGECONFIG on systemd in DISTRO_FEATURES
Date: Tue, 5 May 2026 18:57:21 +0200
Message-ID: <5550d6eadb2fea1ecb13e035a04a57450510441f.1777995876.git.fabien.thomas@smile.fr>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236495

From: Jhonata Poma-Hansen On scarthgap images built without systemd in DISTRO_FEATURES, dbus still shipped dbus.socket and dbus.service under ${systemd_user_unitdir} (/usr/lib/systemd/user), because the 'user-session' PACKAGECONFIG was always enabled and passed --enable-user-session --with-systemduserunitdir=... to configure. In dbus-1.14.10 the user-session autoconf option (configure.ac and bus/Makefile.am 'if DBUS_ENABLE_USER_SESSION') only installs systemd user units; it has no non-systemd effect. Enabling it on a sysvinit image has no benefit and produces the stale unit files. Make user-session a systemd-gated PACKAGECONFIG by using bb.utils.contains in the default, so it is enabled when systemd is in DISTRO_FEATURES and disabled otherwise. No changes to the PACKAGECONFIG[user-session] or PACKAGECONFIG[systemd] entries are needed: --disable-user-session is passed on sysvinit builds, which prevents the configure/Makefile machinery from ever setting up the user-unit install step. This is the scarthgap equivalent of master commit a296b0623eb2 ("dbus: use the systemd class to handle the unit files"), adapted to the autotools 1.14.10 recipe. The master fix was broader because the meson 1.16.2 build handles unit-file install differently, which let that commit drop the manual do_install unit block, the systemctl mask postinst, and PACKAGE_WRITE_DEPS. On 1.14.10 those pieces are still needed; the minimal correct gate here is the user-session default. Fixes [YOCTO #15779] Signed-off-by: Jhonata Poma-Hansen Signed-off-by: Fabien Thomas --- meta/recipes-core/dbus/dbus_1.14.10.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/dbus/dbus_1.14.10.bb b/meta/recipes-core/dbus/dbus_1.14.10.bb index ffbf0780ed..e57a01478b 100644 --- a/meta/recipes-core/dbus/dbus_1.14.10.bb +++ b/meta/recipes-core/dbus/dbus_1.14.10.bb 
@@ -29,7 +29,7 @@ EXTRA_OECONF = "--disable-xml-docs \ EXTRA_OECONF:append:class-target = " SYSTEMCTL=${base_bindir}/systemctl" PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)} \ - user-session \ + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'user-session', '', d)} \ " PACKAGECONFIG:class-native = "" PACKAGECONFIG:class-nativesdk = ""
From patchwork Tue May 5 16:57:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87521
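Review bot: In the dbus_1.14.10.bb hunk, the systemd gate sits only in the weak `PACKAGECONFIG ??=` default, so it covers builds that take the default and nothing else: a distro or bbappend that sets PACKAGECONFIG for dbus with user-session on a non-systemd build still passes --enable-user-session and ships the user units. The commit message says the PACKAGECONFIG[user-session] entry is left unchanged on purpose, so a short comment above the `bb.utils.contains` line saying that user-session only installs systemd user units would keep someone from re-adding it unconditionally. Please also state how the sysvinit result was checked, for example that the packaged dbus no longer has files under ${systemd_user_unitdir}.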
From: Fabien Thomas To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 05/23] expat: patch CVE-2026-32776 Date: Tue, 5 May 2026 18:57:22 +0200 Message-ID: <3c4c2ee503f21f1888eeb130ac3150e489f1660e.1777995876.git.fabien.thomas@smile.fr> X-Mailer: git-send-email 2.54.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 May 2026 16:58:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236496 From: Hugo SIMELIERE Pick patch from [1] also mentioned in [2]. [1] https://github.com/libexpat/libexpat/pull/1158 [2] https://security-tracker.debian.org/tracker/CVE-2026-32776 Signed-off-by: Bruno VERNAY Signed-off-by: Hugo SIMELIERE Signed-off-by: Fabien Thomas --- .../expat/expat/CVE-2026-32776.patch | 91 +++++++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 1 + 2 files changed, 92 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32776.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-32776.patch b/meta/recipes-core/expat/expat/CVE-2026-32776.patch new file mode 100644 index 0000000000..96a869a7c8 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-32776.patch 
@@ -0,0 +1,91 @@ +From 3340f971f2f92e499adf03156024105bb9bb7ed9 Mon Sep 17 00:00:00 2001 +From: Francesco Bertolaccini +Date: Tue, 3 Mar 2026 16:41:43 +0100 +Subject: [PATCH] Fix NULL function-pointer dereference for empty external + parameter entities + +When an external parameter entity with empty text is referenced inside +an entity declaration value, the sub-parser created to handle it receives +0 bytes of input. Processing enters entityValueInitProcessor which calls +storeEntityValue() with the parser's encoding; since no bytes were ever +processed, encoding detection has not yet occurred and the encoding is +still the initial probing encoding set up by XmlInitEncoding(). That +encoding only populates scanners[] (for prolog and content), not +literalScanners[]. XmlEntityValueTok() calls through +literalScanners[XML_ENTITY_VALUE_LITERAL] which is NULL, causing a +SEGV. + +Skip the tokenization loop entirely when entityTextPtr >= entityTextEnd, +and initialize the `next` pointer before the early exit so that callers +(callStoreEntityValue) receive a valid value through nextPtr. + +CVE: CVE-2026-32776 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5be25657583ea91b09025c858b4785834c20f59c] + +(cherry picked from commit 5be25657583ea91b09025c858b4785834c20f59c) +Signed-off-by: Hugo SIMELIERE +--- + lib/xmlparse.c | 9 ++++++++- + tests/basic_tests.c | 19 +++++++++++++++++++ + 2 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index aa5e91e4..56faf2eb 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -6777,7 +6777,14 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc, + return XML_ERROR_NO_MEMORY; + } + +- const char *next; ++ const char *next = entityTextPtr; ++ ++ /* Nothing to tokenize. 
*/ ++ if (entityTextPtr >= entityTextEnd) { ++ result = XML_ERROR_NONE; ++ goto endEntityValue; ++ } ++ + for (;;) { + next + = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */ +diff --git a/tests/basic_tests.c b/tests/basic_tests.c +index 2a5e43d6..023d9ce4 100644 +--- a/tests/basic_tests.c ++++ b/tests/basic_tests.c +@@ -6210,6 +6210,24 @@ START_TEST(test_varying_buffer_fills) { + } + END_TEST + ++START_TEST(test_empty_ext_param_entity_in_value) { ++ const char *text = ""; ++ ExtOption options[] = { ++ {XCS("ext.dtd"), "" ++ ""}, ++ {XCS("empty"), ""}, ++ {NULL, NULL}, ++ }; ++ ++ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS); ++ XML_SetExternalEntityRefHandler(g_parser, external_entity_optioner); ++ XML_SetUserData(g_parser, options); ++ if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE) ++ == XML_STATUS_ERROR) ++ xml_failure(g_parser); ++} ++END_TEST ++ + void + make_basic_test_case(Suite *s) { + TCase *tc_basic = tcase_create("basic tests"); +@@ -6456,6 +6474,7 @@ make_basic_test_case(Suite *s) { + tcase_add_test(tc_basic, test_empty_element_abort); + tcase_add_test__ifdef_xml_dtd(tc_basic, + test_pool_integrity_with_unfinished_attr); ++ tcase_add_test__ifdef_xml_dtd(tc_basic, test_empty_ext_param_entity_in_value); + tcase_add_test__if_xml_ge(tc_basic, test_entity_ref_no_elements); + tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_entity); + tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_attribute_entity); +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index 048093f010..631aebe6ca 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb 
@@ -46,6 +46,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-25210-01.patch \ file://CVE-2026-25210-02.patch \ file://CVE-2026-25210-03.patch \ + file://CVE-2026-32776.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
From patchwork Tue May 5 16:57:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87524
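Review bot: The early exit added in the lib/xmlparse.c hunk of CVE-2026-32776.patch jumps to `endEntityValue`, which lies outside the shown context, and the fix depends on that label still storing `next` through nextPtr as the patch description says. Please confirm this holds in the 2.6.4 tree with the patches already listed in SRC_URI, because the `const char *next = entityTextPtr;` initialisation only helps callers if the label performs that store.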
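Review bot: For the SRC_URI hunk in expat_2.6.4.bb, the submission message says only that the patch was picked from the upstream pull request. For a stable-branch backport, please state whether the upstream commit applied unchanged or had to be adapted, and whether the new test_empty_ext_param_entity_in_value case was run.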
From: Fabien Thomas To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 06/23] expat: patch CVE-2026-32777 Date: Tue, 5 May 2026 18:57:23 +0200 Message-ID: X-Mailer: git-send-email 2.54.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 May 2026 16:58:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236497 From: Hugo SIMELIERE Pick patches from [1] also mentioned in [2]. [1] https://github.com/libexpat/libexpat/pull/1162 [2] https://security-tracker.debian.org/tracker/CVE-2026-32777 Signed-off-by: Bruno VERNAY Signed-off-by: Hugo SIMELIERE Signed-off-by: Fabien Thomas --- .../expat/expat/CVE-2026-32777-01.patch | 49 ++++++++++++++ .../expat/expat/CVE-2026-32777-02.patch | 66 +++++++++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 2 + 3 files changed, 117 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32777-01.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32777-02.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-32777-01.patch b/meta/recipes-core/expat/expat/CVE-2026-32777-01.patch new file mode 100644 index 0000000000..50ba27dcd4 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-32777-01.patch 
@@ -0,0 +1,49 @@ +From a6e6cf7c30e54402b2fa3c49f9d98702e74f8c34 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 1 Mar 2026 20:16:13 +0100 +Subject: [PATCH 1/2] lib: Reject XML_TOK_INSTANCE_START infinite loop in + entityValueProcessor + +.. that OSS-Fuzz/ClusterFuzz uncovered + +CVE: CVE-2026-32777 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/55cda8c7125986e17d7e1825cba413bd94a35d02] + +(cherry picked from commit 55cda8c7125986e17d7e1825cba413bd94a35d02) +Signed-off-by: Hugo SIMELIERE +--- + lib/xmlparse.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 56faf2eb..bfb8ac58 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5077,7 +5077,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end, + } + /* If we get this token, we have the start of what might be a + normal tag, but not a declaration (i.e. it doesn't begin with +- " +Date: Fri, 6 Mar 2026 18:31:34 +0100 +Subject: [PATCH 2/2] misc_tests.c: Cover XML_TOK_INSTANCE_START infinite loop + case + +.. 
that OSS-Fuzz/ClusterFuzz uncovered + +CVE: CVE-2026-32777 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8] + +(cherry picked from commit a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8) +Signed-off-by: Hugo SIMELIERE +--- + tests/misc_tests.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/tests/misc_tests.c b/tests/misc_tests.c +index 07902d52..cdcdd507 100644 +--- a/tests/misc_tests.c ++++ b/tests/misc_tests.c +@@ -713,6 +713,35 @@ START_TEST(test_misc_async_entity_rejected) { + } + END_TEST + ++START_TEST(test_misc_no_infinite_loop_issue_1161) { ++ XML_Parser parser = XML_ParserCreate(NULL); ++ ++ const char *text = ""; ++ ++ struct ExtOption options[] = { ++ {XCS("secondary.txt"), ++ ""}, ++ {XCS("tertiary.txt"), "
X-Patchwork-Id: 87519
From: Fabien Thomas To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 07/23] expat: patch CVE-2026-32778 Date: Tue, 5 May 2026 18:57:24 +0200 Message-ID: X-Mailer: git-send-email 2.54.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 May 2026 16:58:52 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236498 From: Hugo SIMELIERE Pick patches from [1] also mentioned in [2]. [1] https://github.com/libexpat/libexpat/pull/1163 [2] https://security-tracker.debian.org/tracker/CVE-2026-32778 Signed-off-by: Bruno VERNAY Signed-off-by: Hugo SIMELIERE Signed-off-by: Fabien Thomas --- .../expat/expat/CVE-2026-32778-01.patch | 91 +++++++++++++++++++ .../expat/expat/CVE-2026-32778-02.patch | 61 +++++++++++++ meta/recipes-core/expat/expat_2.6.4.bb | 2 + 3 files changed, 154 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32778-01.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32778-02.patch diff --git a/meta/recipes-core/expat/expat/CVE-2026-32778-01.patch b/meta/recipes-core/expat/expat/CVE-2026-32778-01.patch new file mode 100644 index 0000000000..0105fe7417 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-32778-01.patch
@@ -0,0 +1,91 @@ +From b878628b560a2ba1e11b3a12ff8df0dab7d6b8bb Mon Sep 17 00:00:00 2001 +From: laserbear <10689391+Laserbear@users.noreply.github.com> +Date: Sun, 8 Mar 2026 17:28:06 -0700 +Subject: [PATCH 1/2] copy prefix name to pool before lookup + +.. so that we cannot end up with a zombie PREFIX in the pool +that has NULL for a name. + +CVE: CVE-2026-32778 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/576b61e42feeea704253cb7c7bedb2eeb3754387] + +Co-authored-by: Sebastian Pipping +(cherry picked from commit 576b61e42feeea704253cb7c7bedb2eeb3754387) +Signed-off-by: Hugo SIMELIERE +--- + lib/xmlparse.c | 43 +++++++++++++++++++++++++++++++++++-------- + 1 file changed, 35 insertions(+), 8 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index bfb8ac58..9bc67f38 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -590,6 +590,8 @@ static XML_Char *poolStoreString(STRING_POOL *pool, const ENCODING *enc, + static XML_Bool FASTCALL poolGrow(STRING_POOL *pool); + static const XML_Char *FASTCALL poolCopyString(STRING_POOL *pool, + const XML_Char *s); ++static const XML_Char *FASTCALL poolCopyStringNoFinish(STRING_POOL *pool, ++ const XML_Char *s); + static const XML_Char *poolCopyStringN(STRING_POOL *pool, const XML_Char *s, + int n); + static const XML_Char *FASTCALL poolAppendString(STRING_POOL *pool, +@@ -7443,16 +7445,24 @@ setContext(XML_Parser parser, const XML_Char *context) { + else { + if (! poolAppendChar(&parser->m_tempPool, XML_T('\0'))) + return XML_FALSE; +- prefix +- = (PREFIX *)lookup(parser, &dtd->prefixes, +- poolStart(&parser->m_tempPool), sizeof(PREFIX)); +- if (! prefix) ++ const XML_Char *const prefixName = poolCopyStringNoFinish( ++ &dtd->pool, poolStart(&parser->m_tempPool)); ++ if (! prefixName) { + return XML_FALSE; +- if (prefix->name == poolStart(&parser->m_tempPool)) { +- prefix->name = poolCopyString(&dtd->pool, prefix->name); +- if (! 
prefix->name) +- return XML_FALSE; + } ++ ++ prefix = (PREFIX *)lookup(parser, &dtd->prefixes, prefixName, ++ sizeof(PREFIX)); ++ ++ const bool prefixNameUsed = prefix && prefix->name == prefixName; ++ if (prefixNameUsed) ++ poolFinish(&dtd->pool); ++ else ++ poolDiscard(&dtd->pool); ++ ++ if (! prefix) ++ return XML_FALSE; ++ + poolDiscard(&parser->m_tempPool); + } + for (context = s + 1; *context != CONTEXT_SEP && *context != XML_T('\0'); +@@ -8041,6 +8051,23 @@ poolCopyString(STRING_POOL *pool, const XML_Char *s) { + return s; + } + ++// A version of `poolCopyString` that does not call `poolFinish` ++// and reverts any partial advancement upon failure. ++static const XML_Char *FASTCALL ++poolCopyStringNoFinish(STRING_POOL *pool, const XML_Char *s) { ++ const XML_Char *const original = s; ++ do { ++ if (! poolAppendChar(pool, *s)) { ++ // Revert any previously successful advancement ++ const ptrdiff_t advancedBy = s - original; ++ if (advancedBy > 0) ++ pool->ptr -= advancedBy; ++ return NULL; ++ } ++ } while (*s++); ++ return pool->start; ++} ++ + static const XML_Char * + poolCopyStringN(STRING_POOL *pool, const XML_Char *s, int n) { + if (! pool->ptr && ! poolGrow(pool)) { +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2026-32778-02.patch b/meta/recipes-core/expat/expat/CVE-2026-32778-02.patch new file mode 100644 index 0000000000..2cfda33dc8 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2026-32778-02.patch 
@@ -0,0 +1,61 @@ +From c26728576de3850258c7762c036dd0eb7783ea15 Mon Sep 17 00:00:00 2001 +From: laserbear <10689391+Laserbear@users.noreply.github.com> +Date: Sun, 8 Mar 2026 17:28:06 -0700 +Subject: [PATCH 2/2] test that we do not end up with a zombie PREFIX in the + pool + +CVE: CVE-2026-32778 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/d5fa769b7a7290a7e2c4a0b2287106dec9b3c030] + +(cherry picked from commit d5fa769b7a7290a7e2c4a0b2287106dec9b3c030) +Signed-off-by: Hugo SIMELIERE +--- + tests/nsalloc_tests.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/tests/nsalloc_tests.c b/tests/nsalloc_tests.c +index a8f5718d..d284a58a 100644 +--- a/tests/nsalloc_tests.c ++++ b/tests/nsalloc_tests.c +@@ -1505,6 +1505,32 @@ START_TEST(test_nsalloc_prefixed_element) { + } + END_TEST + ++/* Verify that retry after OOM in setContext() does not crash. ++ */ ++START_TEST(test_nsalloc_setContext_zombie) { ++ const char *text = "Hello"; ++ unsigned int i; ++ const unsigned int max_alloc_count = 30; ++ ++ for (i = 0; i < max_alloc_count; i++) { ++ g_allocation_count = (int)i; ++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE) ++ != XML_STATUS_ERROR) ++ break; ++ /* Retry on the same parser — must not crash */ ++ g_allocation_count = ALLOC_ALWAYS_SUCCEED; ++ XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE); ++ ++ nsalloc_teardown(); ++ nsalloc_setup(); ++ } ++ if (i == 0) ++ fail("Parsing worked despite failing allocations"); ++ else if (i == max_alloc_count) ++ fail("Parsing failed even at maximum allocation count"); ++} ++END_TEST ++ + void + make_nsalloc_test_case(Suite *s) { + TCase *tc_nsalloc = tcase_create("namespace allocation tests"); +@@ -1539,4 +1565,5 @@ make_nsalloc_test_case(Suite *s) { + tcase_add_test__if_xml_ge(tc_nsalloc, test_nsalloc_long_default_in_ext); + tcase_add_test(tc_nsalloc, test_nsalloc_long_systemid_in_ext); + tcase_add_test(tc_nsalloc, test_nsalloc_prefixed_element); ++ 
tcase_add_test(tc_nsalloc, test_nsalloc_setContext_zombie); + } +-- +2.43.0 + diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb index f78d9a8a60..151720a9e3 100644 --- a/meta/recipes-core/expat/expat_2.6.4.bb +++ b/meta/recipes-core/expat/expat_2.6.4.bb 
@@ -49,6 +49,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://CVE-2026-32776.patch \ file://CVE-2026-32777-01.patch \ file://CVE-2026-32777-02.patch \ + file://CVE-2026-32778-01.patch \ + file://CVE-2026-32778-02.patch \ " GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
From patchwork Tue May 5 16:57:25 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87526
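Review bot: The lib/xmlparse.c hunks of CVE-2026-32778-01.patch use `const bool prefixNameUsed` in setContext and `ptrdiff_t` in poolCopyStringNoFinish, but the patch adds no #include line. Please confirm that xmlparse.c as patched by this recipe already includes <stdbool.h> and <stddef.h>, or note in the submission message that the backport was build-tested on scarthgap together with the new test_nsalloc_setContext_zombie case.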
From: Fabien Thomas To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 08/23] linux-yocto/6.6: update to v6.6.124 Date: Tue, 5 May 2026 18:57:25 +0200 Message-ID: <0844b7e2205b530febbc7a9b6640e3e30d3c8dd1.1777995876.git.fabien.thomas@smile.fr> X-Mailer: git-send-email 2.54.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 May 2026 16:59:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236499 
From: Bruce Ashfield

Updating linux-yocto/6.6 to the latest korg -stable release that comprises
the following commits:

    1b4ef5214f17e Linux 6.6.124
    23897ece6167c ALSA: hda/realtek: Really fix headset mic for TongFang X6AR55xU.
    d0a6e43d7cccc spi: tegra114: Preserve SPI mode bits in def_command1_reg
    126a09f4fcd2b spi: tegra: Fix a memory leak in tegra_slink_probe()
    dfc6367898077 spi: tegra210-quad: Protect curr_xfer clearing in tegra_qspi_non_combined_seq_xfer
    712cde8d91688 spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
    53eba2a4a4666 spi: tegra210-quad: Protect curr_xfer assignment in tegra_qspi_setup_transfer_one
    f9cafa63039b8 spi: tegra210-quad: Move curr_xfer read inside spinlock
    552e3d8a8bef2 spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed transfer
    a168f2002b2b4 gve: Correct ethtool rx_dropped calculation
    d4a81b8ec6398 btrfs: fix racy bitfield write in btrfs_clear_space_info_full()
    0e0120214b5dc ASoC: amd: fix memory leak in acp3x pdm dma ops
    50b7c7a255858 ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF
    42c574c1504aa netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
    8c934bafd10b9 hwmon: (occ) Mark occ_init_attribute() as __printf
    3f89a4ef6505a drm/mgag200: fix mgag200_bmc_stop_scanout()
    9d40a85138568 net: gro: fix outer network offset
    00a7512ff7195 net: ethernet: adi: adin1110: Check return value of devm_gpiod_get_optional() in adin1110_check_spi()
    17d340e81c4b5 tipc: use kfree_sensitive() for session key material
    b2c9edad3620f net: don't touch dev->stats in BPF redirect paths
    11ba9f0dc8651 macvlan: fix error recovery in macvlan_common_newlink()
    f89e33c9c37f0 dpaa2-switch: add bounds check for if_id in IRQ handler
    3bf519e39b51c net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup
    a0d2389c8cdc1 net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup
    c0ed6c77ec340 net: liquidio: Initialize netdev pointer before queue setup
    b97415c4362f7 dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
    13336a6239b9d net/sched: cls_u32: use skb_header_pointer_careful()
    fcbda653b5a88 net: add skb_header_pointer_careful() helper
    3a6d6b332f929 smb/client: fix memory leak in smb2_open_file()
    f54886e18b856 platform/x86: hp-bioscfg: Skip empty attribute names
    9423990550a2a platform/x86: intel_telemetry: Fix PSS event register mask
    ca9ff71c15bc8 platform/x86: toshiba_haps: Fix memory leaks in add/remove routines
    bae0565fa975d wifi: mac80211: don't increment crypto_tx_tailroom_needed_cnt twice
    ccd1843b63f64 wifi: mac80211: correctly check if CSA is active
    73b487d44bf4f scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()
    29fe5ff92433a ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU
    11ebafffce31e scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
    2f4f008f622d4 wifi: cfg80211: Fix bitrate calculation overflow for HE rates
    d61171cf09715 regmap: maple: free entry on mas_store_gfp() failure
    f9b06d28a60b3 spi: hisi-kunpeng: Fixed the wrong debugfs node name in hisi_spi debugfs initialization
    254f303cd6663 ASoC: tlv320adcx140: Propagate error codes during probe
    e2c03961b01a8 ASoC: amd: yc: Fix microphone on ASUS M6500RE
    f532b29b0e313 nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()
    7c54d3f5ebbc5 nvme-fc: release admin tagset if init fails
    1d395dae332ba ASoC: davinci-evm: Fix reference leak in davinci_evm_probe
    db1bef623ae32 wifi: mac80211: collect station statistics earlier when disconnect
    1fbb409652e3d ring-buffer: Avoid softlockup in ring_buffer_resize() during memory free
    f63f30607dd8e HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101)
    cff3f619fd1cb HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
    68ab5057e690e HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list
    383bc94e90661 netfilter: replace -EEXIST with -EBUSY
    a58fbeda600fe ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk
    bfcfb9e548bc1 HID: playstation: Center initial joystick axes to prevent spurious events
    9edee94001b63 HID: intel-ish-hid: Reset enum_devices_done before enumeration
    28b97fcbbf523 btrfs: fix reservation leak in some error paths when inserting inline extent
    9ab846d8dd027 HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL
    5b25505b52dff HID: intel-ish-hid: Update ishtp bus match to support device ID table
    07df5ff4f6490 smb/server: fix refcount leak in parse_durable_handle_context()
    73ede654d9daa LoongArch: Enable exception fixup for specific ADE subcode
    2456fde2b1377 smb/server: fix refcount leak in smb2_open()
    5fbdf95d2575e LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED
    04dd114b682a4 smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()
    b03415955ed31 block,bfq: fix aux stat accumulation destination
    8365785e59ea4 net: usb: sr9700: support devices with virtual driver CD
    b167312390fdd wifi: wlcore: ensure skb headroom before skb_push
    ffe1e19c3b0e5 wifi: mac80211: ocb: skip rx_no_sta when interface is not joined
    d75245dad5cc6 tracing: Fix ftrace event field alignments
    df54838ab6182 gve: Fix stats report corruption on queue count change
    a8adf1ceee4e1 KVM: selftests: Add -U_FORTIFY_SOURCE to avoid some unpredictable test failures
    46c93903e4c19 binderfs: fix ida_alloc_max() upper bound
    ebb6aa6928d5c binder: fix BR_FROZEN_REPLY error log
    9f6022b2573ae sched/rt: Fix race in push_rt_task
    64c0b7e229375 ublk: fix deadlock when reading partition table
    c3db89ea1ed3d hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
    df524a68d9021 netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
    b61f9b2fcf181 KVM: Don't clobber irqfd routing type when deassigning irqfd
    d2bddc2da2b3b Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem"
    7f7467be748eb ARM: 9468/1: fix memset64() on big-endian
    4f9f1fdc0ebdf rbd: check for EOD after exclusive lock is ensured to be held
    071159ff5c0bf pmdomain: imx8m-blk-ctrl: fix out-of-range access of
bc->domains 7aa0c2bb0771a pmdomain: imx8mp-blk-ctrl: Keep usb phy power domain on for system wakeup e2e1c77319d52 pmdomain: imx: gpcv2: Fix the imx8mm gpu hang due to wrong adb400 reset 1267af5b2033d pmdomain: imx8mp-blk-ctrl: Keep gpc power domain on for system wakeup c28dcc1cb4fda pmdomain: qcom: rpmpd: fix off-by-one error in clamping to the highest state 302651ccef698 platform/x86: intel_telemetry: Fix swapped arrays in PSS output c56b4c84b3b21 x86/kfence: fix booting on 32bit non-PAE systems dca1a6ba0da9f nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec Signed-off-by: Bruce Ashfield Signed-off-by: Fabien Thomas --- .../linux/linux-yocto-rt_6.6.bb | 6 ++-- .../linux/linux-yocto-tiny_6.6.bb | 6 ++-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index 3ad8bd54fa..3c28f96906 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "5a49ab75e554557c1d3665b22233c4de9a2c2a75" -SRCREV_meta ?= "17375dce1754d0783fb3fb9e684691951f9ff357" +SRCREV_machine ?= "a32dc01f5dbce65781e06a973624a2c3572fa7cd" +SRCREV_meta ?= "307ef96123620278563ff5b1c9fb8b7b4da26970" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.123" +LINUX_VERSION ?= "6.6.124" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index 50c8e69d5c..08c176a698 100644 
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.123" +LINUX_VERSION ?= "6.6.124" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "18a3ba79eed015d2cbd1f5af2c1417d12b369698" -SRCREV_meta ?= "17375dce1754d0783fb3fb9e684691951f9ff357" +SRCREV_machine ?= "a00c570459f5486c036aefc93ab323efa8c7e645" +SRCREV_meta ?= "307ef96123620278563ff5b1c9fb8b7b4da26970" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index 3f8b40e305..565022a615 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb 
@@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "b562777a433f835ae245e08c27df6b47e3ae2505" -SRCREV_machine:qemuarm64 ?= "2df2455c7199cb8db4ea0118f908f952ff73eb97" -SRCREV_machine:qemuloongarch64 ?= "af240d7d57ebf66e87bc2dff34855e630a97ead1" -SRCREV_machine:qemumips ?= "6b9c16676cd4c8494ca7cdff355cb1cfe4d8fb3a" -SRCREV_machine:qemuppc ?= "bf3f6c731ea41e519389b24104458870475dce20" -SRCREV_machine:qemuriscv64 ?= "af240d7d57ebf66e87bc2dff34855e630a97ead1" -SRCREV_machine:qemuriscv32 ?= "af240d7d57ebf66e87bc2dff34855e630a97ead1" -SRCREV_machine:qemux86 ?= "af240d7d57ebf66e87bc2dff34855e630a97ead1" -SRCREV_machine:qemux86-64 ?= "af240d7d57ebf66e87bc2dff34855e630a97ead1" -SRCREV_machine:qemumips64 ?= "9fb8ff244fe5c5d6aa08457cfb9bbe4a3ef47366" -SRCREV_machine ?= "af240d7d57ebf66e87bc2dff34855e630a97ead1" -SRCREV_meta ?= "17375dce1754d0783fb3fb9e684691951f9ff357" +SRCREV_machine:qemuarm ?= "225cb65775de5e687da708da8f126bf94a426c54" +SRCREV_machine:qemuarm64 ?= "632fdc720fa54154453715becbbf57793363b62d" +SRCREV_machine:qemuloongarch64 ?= "6e00181d086766512ef48806d649d032c479566d" +SRCREV_machine:qemumips ?= "083f8e7fb7cacf7167aaf41b6366dc63b0b42b9a" +SRCREV_machine:qemuppc ?= "0149565b9e2219e923ba0eebc4f7c60661778453" +SRCREV_machine:qemuriscv64 ?= "6e00181d086766512ef48806d649d032c479566d" +SRCREV_machine:qemuriscv32 ?= "6e00181d086766512ef48806d649d032c479566d" +SRCREV_machine:qemux86 ?= "6e00181d086766512ef48806d649d032c479566d" +SRCREV_machine:qemux86-64 ?= "6e00181d086766512ef48806d649d032c479566d" +SRCREV_machine:qemumips64 ?= "3f1d938eafffaadd2fa9d9bc83446c90d8f36093" +SRCREV_machine ?= "6e00181d086766512ef48806d649d032c479566d" +SRCREV_meta ?= "307ef96123620278563ff5b1c9fb8b7b4da26970" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the /base branch, which is pure upstream -stable, and the 
same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "c56aaf1a85ae918dd521fb2869028cf533d2755a" +SRCREV_machine:class-devupstream ?= "1b4ef5214f17e671cc13f2da4a678574ce91d151" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" 
@@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.123" +LINUX_VERSION ?= "6.6.124" PV = "${LINUX_VERSION}+git"

From patchwork Tue May 5 16:57:26 2026
X-Patchwork-Submitter: Fabien Thomas
X-Patchwork-Id: 87530
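Review bot: In the "@@ -18,25 +18,25 @@" hunk of linux-yocto_6.6.bb (the 6.6.124 update), only the new SRCREV_machine:class-devupstream value can be checked against the commit message: it begins with 1b4ef5214f17e, the "Linux 6.6.124" commit at the top of the list. The eleven other SRCREV_machine pins and SRCREV_meta, like the pins in the -rt and -tiny recipes, are new 40-character revisions with nothing in the message to verify them against. Please say in the commit message how they were derived, for example as the tip of each KBRANCH in linux-yocto.git and of yocto-6.6 in yocto-kernel-cache after the v6.6.124 merge, so a reviewer can confirm the recipes fetch the listed -stable content and nothing else.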
From: Fabien Thomas
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 09/23] linux-yocto/6.6: update to v6.6.126
Date: Tue, 5 May 2026 18:57:26 +0200
X-Mailer: git-send-email 2.54.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236500
From: Bruce Ashfield

Updating linux-yocto/6.6 to the latest korg -stable release that comprises
the following commits:

    56865d9b7074c Linux 6.6.126
    673dafb9a8634 Revert "driver core: enforce device_lock for driver_match_device()"
    ae462074fde3b Linux 6.6.125
    1c04c3a4de8d4 gpio: omap: do not register driver in probe()
    455e882192c98 mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
    2b890bc3a5774 selftests: mptcp: pm: ensure unknown flags are ignored
    8df235f768cea spi: cadence-quadspi: Implement refcount to handle unbind during busy
    665e570600733 vsock/test: verify socket options after setting them
    a9e757473561d netfilter: nft_set_pipapo: prevent overflow in lookup table allocation
    1c4f72fa96993 netfilter: nf_tables: missing objects with no memcg accounting
    30405b23b4d5e nfsd: don't ignore the return code of svc_proc_register()
    57770faaff8ee net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module
    dccf7bc011d0e scsi: qla2xxx: Query FW again before proceeding with login
    aed16d37696f4 scsi: qla2xxx: Free sp in error path to fix system crash
    528b2f1027edf scsi: qla2xxx: Delay module unload while fabric scan in progress
    ccbfcaa4b88e5 scsi: qla2xxx: Allow recovery for tape devices
    949010291bb94 scsi: qla2xxx: Validate sp before freeing associated memory
    71dee092903ad wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()
    df1e20796c9f3 nilfs2: Fix potential block overflow that cause system hang
    dd1f6c9206385 crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req
    d6f0d58680868 crypto: virtio - Add spinlock protection with virtqueue notification
    6edf8df4bd29f crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly
    7dbeeafcb6e50 crypto: octeontx - Fix length check to avoid truncation in ucode_load_store
    6dda9f0699054 Bluetooth: btusb: Add USB ID 7392:e611 for Edimax EW-7611UXB
    adc1796eced46 driver core: enforce device_lock for driver_match_device()
    787769c8cc504 smb: server: fix leak of active_num_conn in
ksmbd_tcp_new_connection() 5accdc5b7f28a ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths 4386f6af8aaed smb: client: split cached_fid bitfields to avoid shared-byte RMW races Signed-off-by: Bruce Ashfield Signed-off-by: Fabien Thomas --- .../linux/linux-yocto-rt_6.6.bb | 6 ++-- .../linux/linux-yocto-tiny_6.6.bb | 6 ++-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index 3c28f96906..e5f3c9b6cb 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb @@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "a32dc01f5dbce65781e06a973624a2c3572fa7cd" -SRCREV_meta ?= "307ef96123620278563ff5b1c9fb8b7b4da26970" +SRCREV_machine ?= "aaa3191196fccd0d26d55a88dcc2396ce79cfc21" +SRCREV_meta ?= "17b54189a09494c54960a80a479098010e428f81" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.124" +LINUX_VERSION ?= "6.6.126" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index 08c176a698..56b3e52003 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb 
@@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.124" +LINUX_VERSION ?= "6.6.126" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "a00c570459f5486c036aefc93ab323efa8c7e645" -SRCREV_meta ?= "307ef96123620278563ff5b1c9fb8b7b4da26970" +SRCREV_machine ?= "3a9d8ba770fff7d27a4d2607644d9d6925329e73" +SRCREV_meta ?= "17b54189a09494c54960a80a479098010e428f81" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index 565022a615..b4d9452b80 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb 
@@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "225cb65775de5e687da708da8f126bf94a426c54" -SRCREV_machine:qemuarm64 ?= "632fdc720fa54154453715becbbf57793363b62d" -SRCREV_machine:qemuloongarch64 ?= "6e00181d086766512ef48806d649d032c479566d" -SRCREV_machine:qemumips ?= "083f8e7fb7cacf7167aaf41b6366dc63b0b42b9a" -SRCREV_machine:qemuppc ?= "0149565b9e2219e923ba0eebc4f7c60661778453" -SRCREV_machine:qemuriscv64 ?= "6e00181d086766512ef48806d649d032c479566d" -SRCREV_machine:qemuriscv32 ?= "6e00181d086766512ef48806d649d032c479566d" -SRCREV_machine:qemux86 ?= "6e00181d086766512ef48806d649d032c479566d" -SRCREV_machine:qemux86-64 ?= "6e00181d086766512ef48806d649d032c479566d" -SRCREV_machine:qemumips64 ?= "3f1d938eafffaadd2fa9d9bc83446c90d8f36093" -SRCREV_machine ?= "6e00181d086766512ef48806d649d032c479566d" -SRCREV_meta ?= "307ef96123620278563ff5b1c9fb8b7b4da26970" +SRCREV_machine:qemuarm ?= "746f0ca46b4fdd56ba711cf7b49b9a71d4f64acf" +SRCREV_machine:qemuarm64 ?= "9da440425610b9335df95d76dfa2a56ea4e492eb" +SRCREV_machine:qemuloongarch64 ?= "c6bff8c03457825a34929284be97de7fd99f0c83" +SRCREV_machine:qemumips ?= "208bd32390022fec5948b1808e6d9ea83d88d9bd" +SRCREV_machine:qemuppc ?= "9645b14ebe59396b0d1035c5f96ac74ae483f4c7" +SRCREV_machine:qemuriscv64 ?= "c6bff8c03457825a34929284be97de7fd99f0c83" +SRCREV_machine:qemuriscv32 ?= "c6bff8c03457825a34929284be97de7fd99f0c83" +SRCREV_machine:qemux86 ?= "c6bff8c03457825a34929284be97de7fd99f0c83" +SRCREV_machine:qemux86-64 ?= "c6bff8c03457825a34929284be97de7fd99f0c83" +SRCREV_machine:qemumips64 ?= "b7972053efd2ad49abf9a0637dfa2b4b1bdff8a4" +SRCREV_machine ?= "c6bff8c03457825a34929284be97de7fd99f0c83" +SRCREV_meta ?= "17b54189a09494c54960a80a479098010e428f81" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the /base branch, which is pure upstream -stable, and the 
same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "1b4ef5214f17e671cc13f2da4a678574ce91d151" +SRCREV_machine:class-devupstream ?= "56865d9b7074c08d8191bc721b1e46baa650d9cd" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" 
@@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.124" +LINUX_VERSION ?= "6.6.126" PV = "${LINUX_VERSION}+git"

From patchwork Tue May 5 16:57:27 2026
X-Patchwork-Submitter: Fabien Thomas
X-Patchwork-Id: 87531
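Review bot: The LINUX_VERSION hunks in all three recipes go from "6.6.124" straight to "6.6.126" and the subject names only v6.6.126, but the commit list spans two -stable releases: it contains both "Linux 6.6.126" and "Linux 6.6.125". The only change listed for 6.6.126 is 673dafb9a8634, a revert of "driver core: enforce device_lock for driver_match_device()", which is itself in this list as adc1796eced46, so the range nets out to no change for that item. A sentence in the commit message saying that 6.6.125 is folded in, and that the device_lock change is added and reverted within the range, would save readers from auditing this bump for it.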
From: Fabien Thomas
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 10/23] linux-yocto/6.6: update to v6.6.127
Date: Tue, 5 May 2026 18:57:27 +0200
X-Mailer: git-send-email 2.54.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236501
From: Bruce Ashfield

Updating linux-yocto/6.6 to the latest korg -stable release that comprises
the following commits:

    7a137e9bfa0e Linux 6.6.127
    f478b8239d65 net: tunnel: make skb_vlan_inet_prepare() return drop reasons
    35ac888bf8ac USB: serial: option: add Telit FN920C04 RNDIS compositions
    d4534a7f6c92 f2fs: fix to avoid mapping wrong physical block for swapfile
    20a8bad29d18 f2fs: fix zoned block device information initialization
    acc2c97fc000 f2fs: fix to avoid UAF in f2fs_write_end_io()
    75e19da068ad f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
    eebd72cff518 f2fs: fix out-of-bounds access in sysfs attribute read/write
    81193503af1f f2fs: fix to add gc count stat in f2fs_gc_range
    0634e8d65099 fbdev: smscufx: properly copy ioctl memory to kernelspace
    78daf5984d96 fbdev: rivafb: fix divide error in nv3_arb()
    f42a2d49c465 LoongArch: Add writecombine support for DMW-based ioremap()
    6e5eccdef67e cpuset: Fix missing adaptation for cpuset_is_populated
    ff37dd18ce77 mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather
    2eeca9383efe mm/hugetlb: fix two comments related to huge_pmd_unshare()
    51dcf459845f mm/hugetlb: fix hugetlb_pmd_shared()
    8c9a1b071051 mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count
    168ee1549fa2 Revert "wireguard: device: enable threaded NAPI"
    78e706f9b197 LoongArch: Rework KASAN initialization for PTW-enabled systems
    f507fc06c7cd LoongArch: Add WriteCombine shadow mapping in KASAN
    16f137fb74c1 gpiolib: acpi: Fix gpio count with string references
    61e007657bf7 ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()
    f49d2497da14 ASoC: cs42l43: Correct handling of 3-pole jack load detection
    329bb274a3a9 platform/x86: panasonic-laptop: Fix sysfs group leak in error path
    e8f5d1306a3a platform/x86/amd/pmc: Add quirk for MECHREVO Wujie 15X Pro
    c3876edb0184 ASoC: amd: yc: Add quirk for HP 200 G2a 16
    d7d7b93aca64 ASoC: Intel: sof_es8336: Add DMI quirk for
Huawei BOD-WXX9 9cf4b9b8ad09 platform/x86: classmate-laptop: Add missing NULL pointer checks e120bae4c56d drm/tegra: hdmi: sor: Fix error: variable ‘j’ set but not used cbd9931e6456 romfs: check sb_set_blocksize() return value 79100c3bc0c4 ASoC: cs35l45: Corrects ASP_TX5 DAPM widget channel 6834804ad484 ALSA: hda/realtek: Add quirk for Inspur S14-G1 b204c5ec24a2 gpio: sprd: Change sprd_gpio lock to raw_spin_lock 4cfb1aed4753 ASoC: amd: yc: Add ASUS ExpertBook PM1503CDA to quirks list 2accd79be906 ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU b19838402873 bus: fsl-mc: fix use-after-free in driver_override_show() 3118a9c6875b bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions 8cb905eca739 PCI: endpoint: Avoid creating sub-groups asynchronously 68c9fdb01af8 PCI: endpoint: Remove unused field in struct pci_epf_group 74e7458537cd scsi: qla2xxx: Fix bsg_done() causing double free Signed-off-by: Bruce Ashfield Signed-off-by: Fabien Thomas --- .../linux/linux-yocto-rt_6.6.bb | 6 ++-- .../linux/linux-yocto-tiny_6.6.bb | 6 ++-- meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++---------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb index e5f3c9b6cb..8685e5cbf6 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb 
@@ -14,13 +14,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "aaa3191196fccd0d26d55a88dcc2396ce79cfc21" -SRCREV_meta ?= "17b54189a09494c54960a80a479098010e428f81" +SRCREV_machine ?= "c45743dc8dc2ddfbe7bd165997e1f7cf887fa6b7" +SRCREV_meta ?= "45f69741c733e066ed1a12b6025e347e5cd6063e" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" -LINUX_VERSION ?= "6.6.126" +LINUX_VERSION ?= "6.6.127" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb index 56b3e52003..d6a9afdf17 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb @@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc # CVE exclusions include recipes-kernel/linux/cve-exclusion_6.6.inc -LINUX_VERSION ?= "6.6.126" +LINUX_VERSION ?= "6.6.127" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "3a9d8ba770fff7d27a4d2607644d9d6925329e73" -SRCREV_meta ?= "17b54189a09494c54960a80a479098010e428f81" +SRCREV_machine ?= "8247922ff493e4fef938ce36562cac9c0cce86aa" +SRCREV_meta ?= "45f69741c733e066ed1a12b6025e347e5cd6063e" PV = "${LINUX_VERSION}+git" diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb index b4d9452b80..92ad6afa3a 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb 
@@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base" KBRANCH:qemuloongarch64 ?= "v6.6/standard/base" KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "746f0ca46b4fdd56ba711cf7b49b9a71d4f64acf" -SRCREV_machine:qemuarm64 ?= "9da440425610b9335df95d76dfa2a56ea4e492eb" -SRCREV_machine:qemuloongarch64 ?= "c6bff8c03457825a34929284be97de7fd99f0c83" -SRCREV_machine:qemumips ?= "208bd32390022fec5948b1808e6d9ea83d88d9bd" -SRCREV_machine:qemuppc ?= "9645b14ebe59396b0d1035c5f96ac74ae483f4c7" -SRCREV_machine:qemuriscv64 ?= "c6bff8c03457825a34929284be97de7fd99f0c83" -SRCREV_machine:qemuriscv32 ?= "c6bff8c03457825a34929284be97de7fd99f0c83" -SRCREV_machine:qemux86 ?= "c6bff8c03457825a34929284be97de7fd99f0c83" -SRCREV_machine:qemux86-64 ?= "c6bff8c03457825a34929284be97de7fd99f0c83" -SRCREV_machine:qemumips64 ?= "b7972053efd2ad49abf9a0637dfa2b4b1bdff8a4" -SRCREV_machine ?= "c6bff8c03457825a34929284be97de7fd99f0c83" -SRCREV_meta ?= "17b54189a09494c54960a80a479098010e428f81" +SRCREV_machine:qemuarm ?= "aa66687c1abe2afe2ee6c00c36bfaaf3d5d9636c" +SRCREV_machine:qemuarm64 ?= "cf88783fdb92901d9d228afb7d700c6575742f1b" +SRCREV_machine:qemuloongarch64 ?= "70af2998be31b72a111de67966b7816b3d54d472" +SRCREV_machine:qemumips ?= "cbd6f9a670486dcd83ef0f8b90a75b2b7b44b447" +SRCREV_machine:qemuppc ?= "bce75aa765505d7db3bb1bfefb5d3f524a1a5b64" +SRCREV_machine:qemuriscv64 ?= "70af2998be31b72a111de67966b7816b3d54d472" +SRCREV_machine:qemuriscv32 ?= "70af2998be31b72a111de67966b7816b3d54d472" +SRCREV_machine:qemux86 ?= "70af2998be31b72a111de67966b7816b3d54d472" +SRCREV_machine:qemux86-64 ?= "70af2998be31b72a111de67966b7816b3d54d472" +SRCREV_machine:qemumips64 ?= "4cc6d51a6f63436a37c3ba4ea2da93c7fd3240b4" +SRCREV_machine ?= "70af2998be31b72a111de67966b7816b3d54d472" +SRCREV_meta ?= "45f69741c733e066ed1a12b6025e347e5cd6063e" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the /base branch, which is pure upstream -stable, and the 
same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "56865d9b7074c08d8191bc721b1e46baa650d9cd" +SRCREV_machine:class-devupstream ?= "7a137e9bfa0e1919555d60f9dc0c05a7a5ba75d0" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v6.6/base" 
@@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "6.6.126" +LINUX_VERSION ?= "6.6.127" PV = "${LINUX_VERSION}+git" From patchwork Tue May 5 16:57:28 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87528 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9D941CD3441 for ; Tue, 5 May 2026 16:59:03 +0000 (UTC) Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1081.1778000336787878819 for ; Tue, 05 May 2026 09:58:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=uzj0pe5c; spf=pass (domain: smile.fr, ip: 209.85.128.46, mailfrom: fabien.thomas@smile.fr) Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-488ad135063so52339775e9.0 for ; Tue, 05 May 2026 09:58:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1778000335; x=1778605135; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=UUtqmHoiNc5u3AuXMJU1kcXhmiVlLqdib8W/868V6qw=; b=uzj0pe5cDEMOP51nKVB+Q1MwuKK98LVJFfnBFIEp6g4jO5h9pPP7syv3ExlF7EajBN h15aYSKqRfFMkaTcH/9RXNwZqtxBEH5GSNeb3wvnGZFsaID7uV+vFAmueZquqLbwMkry z39OXZRiQUZ0/eXwsiUC0/7ulSkdTDN/f8kto= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778000335; 
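Review bot: nothing in these two hunks ties the new hashes to the new version string; LINUX_VERSION moves from 6.6.126 to 6.6.127 in the second hunk while every SRCREV_machine value, SRCREV_meta and SRCREV_machine:class-devupstream are replaced in the first. It is worth confirming that SRCREV_machine:class-devupstream ("7a137e9bfa0e1919555d60f9dc0c05a7a5ba75d0") is the commit of the upstream 6.6.127 release on v6.6/base, and that the single hash now shared by qemuloongarch64, qemuriscv64, qemuriscv32, qemux86, qemux86-64 and the default SRCREV_machine is the intended v6.6/standard/base head, because a stale value in either place would still build under PV "6.6.127+git".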
From: Fabien Thomas To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 11/23] rsync: fix for CVE-2026-41035 Date: Tue, 5 May 2026 18:57:28 +0200 Message-ID: X-Mailer: git-send-email 2.54.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 May 2026 16:59:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236502 From: Hitendra Prajapati Pick patch from [1] also mentioned at Debian report in [2] [1] https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c [2] https://security-tracker.debian.org/tracker/CVE-2026-41035 [3] https://nvd.nist.gov/vuln/detail/CVE-2026-41035 Signed-off-by: Hitendra Prajapati Signed-off-by: Fabien Thomas --- .../rsync/files/CVE-2026-41035.patch | 39 +++++++++++++++++++ meta/recipes-devtools/rsync/rsync_3.2.7.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-devtools/rsync/files/CVE-2026-41035.patch diff --git a/meta/recipes-devtools/rsync/files/CVE-2026-41035.patch b/meta/recipes-devtools/rsync/files/CVE-2026-41035.patch new file mode 100644 index 0000000000..66b1b93672 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2026-41035.patch 
@@ -0,0 +1,39 @@ +From bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Wed, 22 Apr 2026 09:57:45 +1000 +Subject: [PATCH] xattrs: fixed count in qsort + +this fixes the count passed to the sort of the xattr list. This issue +was reported here: + +https://www.openwall.com/lists/oss-security/2026/04/16/2 + +the bug is not exploitable due to the fork-per-connection design of +rsync, the attack is the equivalent of the user closing the socket +themselves. + +CVE: CVE-2026-41035 +Upstream-Status: Backport [https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c] +Signed-off-by: Hitendra Prajapati +--- + xattrs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xattrs.c b/xattrs.c +index 26e50a6..65166ee 100644 +--- a/xattrs.c ++++ b/xattrs.c +@@ -860,8 +860,8 @@ void receive_xattr(int f, struct file_struct *file) + rxa->num = num; + } + +- if (need_sort && count > 1) +- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names); ++ if (need_sort && temp_xattr.count > 1) ++ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names); + + ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */ + +-- +2.50.1 + diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index 14beafb681..2a1c3d9d56 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb 
@@ -28,6 +28,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://CVE-2024-12088.patch \ file://CVE-2024-12747.patch \ file://CVE-2025-10158.patch \ + file://CVE-2026-41035.patch \ " SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb" From patchwork Tue May 5 16:57:29 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87527 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8DB7CCD343B for ; Tue, 5 May 2026 16:59:03 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1083.1778000337924390637 for ; Tue, 05 May 2026 09:58:58 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=YxhjlCGY; spf=pass (domain: smile.fr, ip: 209.85.128.48, mailfrom: fabien.thomas@smile.fr) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-48984d29fe3so79602955e9.0 for ; Tue, 05 May 2026 09:58:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1778000336; x=1778605136; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=MIJKiOW4RPCZMIvf386K+dMUkuZv5p40nY0kcYwRfVo=; b=YxhjlCGYCkS9QKOEXusjc177Gz/HcgRt6R4pcEHPwjFMJ7+yxulMbWz+XlWh4fuwh/ 2tWKSPGS8a4ZNFJ1jw6XafuhmzrFQ6NCgEMvWyRKA82e5MxJoXqitXf/KUtsyiNeqVWb 3RIYojqEODdKKViHqHevDC8m9q3El400TH0pQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778000336; x=1778605136; h=content-transfer-encoding:mime-version:references:in-reply-to 
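Review bot: the xattrs.c hunk inside CVE-2026-41035.patch changes both the guard and the qsort() length from `count` to `temp_xattr.count`, but neither the upstream message nor the backport text says when the two values differ in receive_xattr(). Since qsort() is handed temp_xattr.items, any length larger than temp_xattr.count makes it compare entries past the populated part of that list; one sentence to that effect in the OE commit message would let a reader judge the backport without opening the oss-security post. The commit message also lists [3] (the NVD entry) without citing it anywhere in its text, so either reference it or drop it.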
From: Fabien Thomas To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 12/23] u-boot: fix CVE-2025-24857 Date: Tue, 5 May 2026 18:57:29 +0200 Message-ID: <6f69c878896b536f5f7b16c566d420e188c82c7f.1777995876.git.fabien.thomas@smile.fr> X-Mailer: git-send-email 2.54.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 May 2026 16:59:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236503 From: Hongxu Jia According to [1], Improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker to execute arbitrary code. Backport a patch [2] from upstream to fix CVE-2025-24857 [1] https://nvd.nist.gov/vuln/detail/CVE-2025-24857 [2] https://source.denx.de/u-boot/u-boot/-/commit/87d85139a96a39429120cca838e739408ef971a2 Signed-off-by: Hongxu Jia Signed-off-by: Fabien Thomas --- .../u-boot/files/CVE-2025-24857.patch | 42 +++++++++++++++++++ meta/recipes-bsp/u-boot/u-boot-common.inc | 4 +- 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2025-24857.patch diff --git a/meta/recipes-bsp/u-boot/files/CVE-2025-24857.patch b/meta/recipes-bsp/u-boot/files/CVE-2025-24857.patch new file mode 100644 index 0000000000..99acd5bab1 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2025-24857.patch 
@@ -0,0 +1,42 @@ +From 15a46d72515c04d0eeaca19bf0356a39efc9cf93 Mon Sep 17 00:00:00 2001 +From: Tom Rini +Date: Tue, 9 Dec 2025 15:23:01 -0600 +Subject: [PATCH] fs: fat: Perform sanity checks on getsize in get_fatent() + +We do not perform a check on the value of getsize in get_fatent to +ensure that it will fit within the allocated buffer. For safety sake, +add a check now and if the value exceeds FATBUFBLOCKS use that value +instead. While not currently actively exploitable, it was in the past so +adding this check is worthwhile. + +This addresses CVE-2025-24857 and was originally reported by Harvey +Phillips of Amazon Element55. + +Signed-off-by: Tom Rini + +CVE: CVE-2025-24857 +Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/87d85139a96a39429120cca838e739408ef971a2] +Signed-off-by: Hongxu Jia +--- + fs/fat/fat.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/fat/fat.c b/fs/fat/fat.c +index e2570e81676..f6dc7ed15fe 100644 +--- a/fs/fat/fat.c ++++ b/fs/fat/fat.c +@@ -215,6 +215,11 @@ static __u32 get_fatent(fsdata *mydata, __u32 entry) + if (flush_dirty_fat_buffer(mydata) < 0) + return -1; + ++ if (getsize > FATBUFBLOCKS) { ++ debug("getsize is too large for bufptr\n"); ++ getsize = FATBUFBLOCKS; ++ } ++ + if (disk_read(startblock, getsize, bufptr) < 0) { + debug("Error reading FAT blocks\n"); + return ret; +-- +2.49.0 + diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index 1f17bd7d0a..5f6bd44ab7 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc 
@@ -14,7 +14,9 @@ PE = "1" # repo during parse SRCREV = "866ca972d6c3cabeaf6dbac431e8e08bb30b3c8e" -SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master" +SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \ + file://CVE-2025-24857.patch \ +" S = "${WORKDIR}/git" B = "${WORKDIR}/build" From patchwork Tue May 5 16:57:30 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87533 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CF983CD3444 for ; Tue, 5 May 2026 16:59:03 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1055.1778000339488356116 for ; Tue, 05 May 2026 09:59:00 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=dZbYmrEN; spf=pass (domain: smile.fr, ip: 209.85.128.48, mailfrom: fabien.thomas@smile.fr) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-48d146705b4so14286455e9.3 for ; Tue, 05 May 2026 09:58:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1778000337; x=1778605137; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=GCZJ9NT9+XkXePuvVNyWHrSnw/95Nqw5QoCR2by8MYc=; b=dZbYmrENbLWa7o/3TakOYdfsoBsQNVrFeruMg68n12dvC1GlcAD6N68cIjLuUpoZiO D1loY957qX1lNNPZkK5d6WtA2dfXsmKomRwdIgBo64D+ifJS3INRfa4sUgEw/p4Po33b GVqT+nTyoVvvNa+3pjwksQhep+6O5JI5a3BmE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778000337; x=1778605137; 
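Review bot: the first line of the embedded CVE-2025-24857.patch reads "From 15a46d72515c04d0eeaca19bf0356a39efc9cf93", while Upstream-Status and reference [2] both point at commit 87d85139a96a39429120cca838e739408ef971a2. If the file was regenerated from a local cherry-pick that is harmless, but keeping the upstream hash in the From line (or saying the patch was rebased) saves a reader from looking up a hash that differs from the cited one. The OE commit message quotes the NVD text about U-Boot "before 2017.11", whereas the upstream message says the issue is "not currently actively exploitable"; stating that the get_fatent() clamp of getsize to FATBUFBLOCKS is taken as hardening for the version in this recipe would make the intent of the backport clear.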
From: Fabien Thomas To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 13/23] ovmf: fix CVE-2025-2296 Date: Tue, 5 May 2026 18:57:30 +0200 Message-ID: <09be6658833e7ac4143eeb26bdaf67c6c94e260a.1777995876.git.fabien.thomas@smile.fr> X-Mailer: git-send-email 2.54.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 May 2026 16:59:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236504 From: Hongxu Jia According to [1], EDK2 contains a vulnerability in BIOS where an attacker may cause “Improper Input Validation” by local access. Successful exploitation of this vulnerability could alter control flow in unexpected ways, potentially allowing arbitrary command execution and impacting Confidentiality, Integrity, and Availability. Backport patches from upstream [2] to fix CVE-2025-2296 Note: backport 0001-AmdSev-Halt-on-failed-blob-allocation.patch to apply the CVE patches without conflicts [1] https://nvd.nist.gov/vuln/detail/CVE-2025-2296 [2] https://github.com/tianocore/edk2/pull/10628 Signed-off-by: Hongxu Jia 
Signed-off-by: Fabien Thomas --- ...mdSev-Halt-on-failed-blob-allocation.patch | 159 ++++ .../ovmf/ovmf/CVE-2025-2296-1.patch | 762 ++++++++++++++++++ .../ovmf/ovmf/CVE-2025-2296-2.patch | 175 ++++ .../ovmf/ovmf/CVE-2025-2296-3.patch | 42 + .../ovmf/ovmf/CVE-2025-2296-4.patch | 34 + .../ovmf/ovmf/CVE-2025-2296-5.patch | 36 + .../ovmf/ovmf/CVE-2025-2296-6.patch | 54 ++ .../ovmf/ovmf/CVE-2025-2296-7.patch | 124 +++ .../ovmf/ovmf/CVE-2025-2296-8.patch | 125 +++ .../ovmf/ovmf/CVE-2025-2296-9.patch | 108 +++ meta/recipes-core/ovmf/ovmf_git.bb | 10 + 11 files changed, 1629 insertions(+) create mode 100644 meta/recipes-core/ovmf/ovmf/0001-AmdSev-Halt-on-failed-blob-allocation.patch create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-1.patch create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-2.patch create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-3.patch create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-4.patch create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-5.patch create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-6.patch create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-7.patch create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-8.patch create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-9.patch diff --git a/meta/recipes-core/ovmf/ovmf/0001-AmdSev-Halt-on-failed-blob-allocation.patch b/meta/recipes-core/ovmf/ovmf/0001-AmdSev-Halt-on-failed-blob-allocation.patch new file mode 100644 index 0000000000..181ff3376a --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/0001-AmdSev-Halt-on-failed-blob-allocation.patch 
@@ -0,0 +1,159 @@ +From dbec8dc5ba6341d816ffd495fcd7eeece1716bb4 Mon Sep 17 00:00:00 2001 +From: Tobin Feldman-Fitzthum +Date: Mon, 29 Apr 2024 20:07:19 +0000 +Subject: [PATCH] AmdSev: Halt on failed blob allocation + +A malicious host may be able to undermine the fw_cfg +interface such that loading a blob fails. + +In this case rather than continuing to the next boot +option, the blob verifier should halt. + +For non-confidential guests, the error should be non-fatal. + +Signed-off-by: Tobin Feldman-Fitzthum + +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/10b4bb8d6d0c515ed9663691aea3684be8f7b0fc] +Signed-off-by: Hongxu Jia +--- + .../BlobVerifierSevHashes.c | 17 ++++++++++++++++- + OvmfPkg/Include/Library/BlobVerifierLib.h | 11 +++++++---- + .../BlobVerifierLibNull/BlobVerifierNull.c | 13 ++++++++----- + .../QemuKernelLoaderFsDxe.c | 9 ++++----- + 4 files changed, 35 insertions(+), 15 deletions(-) + +diff --git a/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c b/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c +index 2e58794c3c..6477c5c3d3 100644 +--- a/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c ++++ b/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c +@@ -80,6 +80,7 @@ FindBlobEntryGuid ( + @param[in] BlobName The name of the blob + @param[in] Buf The data of the blob + @param[in] BufSize The size of the blob in bytes ++ @param[in] FetchStatus The status of the previous blob fetch + + @retval EFI_SUCCESS The blob was verified successfully. + @retval EFI_ACCESS_DENIED The blob could not be verified, and therefore +@@ -90,13 +91,27 @@ EFIAPI + VerifyBlob ( + IN CONST CHAR16 *BlobName, + IN CONST VOID *Buf, +- IN UINT32 BufSize ++ IN UINT32 BufSize, ++ IN EFI_STATUS FetchStatus + ) + { + CONST GUID *Guid; + INT32 Remaining; + HASH_TABLE *Entry; + ++ // Enter a dead loop if the fetching of this blob ++ // failed. 
This prevents a malicious host from ++ // circumventing the following checks. ++ if (EFI_ERROR (FetchStatus)) { ++ DEBUG (( ++ DEBUG_ERROR, ++ "%a: Fetching blob failed.\n", ++ __func__ ++ )); ++ ++ CpuDeadLoop (); ++ } ++ + if ((mHashesTable == NULL) || (mHashesTableSize == 0)) { + DEBUG (( + DEBUG_ERROR, +diff --git a/OvmfPkg/Include/Library/BlobVerifierLib.h b/OvmfPkg/Include/Library/BlobVerifierLib.h +index 7e1af27574..09af1b77de 100644 +--- a/OvmfPkg/Include/Library/BlobVerifierLib.h ++++ b/OvmfPkg/Include/Library/BlobVerifierLib.h +@@ -22,17 +22,20 @@ + @param[in] BlobName The name of the blob + @param[in] Buf The data of the blob + @param[in] BufSize The size of the blob in bytes ++ @param[in] FetchStatus The status of fetching this blob + +- @retval EFI_SUCCESS The blob was verified successfully. +- @retval EFI_ACCESS_DENIED The blob could not be verified, and therefore +- should be considered non-secure. ++ @retval EFI_SUCCESS The blob was verified successfully or was not ++ found in the hash table. ++ @retval EFI_ACCESS_DENIED Kernel hashes not supported but the boot can ++ continue safely. + **/ + EFI_STATUS + EFIAPI + VerifyBlob ( + IN CONST CHAR16 *BlobName, + IN CONST VOID *Buf, +- IN UINT32 BufSize ++ IN UINT32 BufSize, ++ IN EFI_STATUS FetchStatus + ); + + #endif +diff --git a/OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierNull.c b/OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierNull.c +index e817c3cc95..db5320571c 100644 +--- a/OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierNull.c ++++ b/OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierNull.c +@@ -16,18 +16,21 @@ + @param[in] BlobName The name of the blob + @param[in] Buf The data of the blob + @param[in] BufSize The size of the blob in bytes ++ @param[in] FetchStatus The status of the fetch of this blob + +- @retval EFI_SUCCESS The blob was verified successfully. +- @retval EFI_ACCESS_DENIED The blob could not be verified, and therefore +- should be considered non-secure. 
++ @retval EFI_SUCCESS The blob was verified successfully or was not ++ found in the hash table. ++ @retval EFI_ACCESS_DENIED Kernel hashes not supported but the boot can ++ continue safely. + **/ + EFI_STATUS + EFIAPI + VerifyBlob ( + IN CONST CHAR16 *BlobName, + IN CONST VOID *Buf, +- IN UINT32 BufSize ++ IN UINT32 BufSize, ++ IN EFI_STATUS FetchStatus + ) + { +- return EFI_SUCCESS; ++ return FetchStatus; + } +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +index 3c12085f6c..cf58c97cd2 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +@@ -1042,6 +1042,7 @@ QemuKernelLoaderFsDxeEntrypoint ( + KERNEL_BLOB *CurrentBlob; + KERNEL_BLOB *KernelBlob; + EFI_STATUS Status; ++ EFI_STATUS FetchStatus; + EFI_HANDLE FileSystemHandle; + EFI_HANDLE InitrdLoadFile2Handle; + +@@ -1060,15 +1061,13 @@ QemuKernelLoaderFsDxeEntrypoint ( + // + for (BlobType = 0; BlobType < KernelBlobTypeMax; ++BlobType) { + CurrentBlob = &mKernelBlob[BlobType]; +- Status = FetchBlob (CurrentBlob); +- if (EFI_ERROR (Status)) { +- goto FreeBlobs; +- } ++ FetchStatus = FetchBlob (CurrentBlob); + + Status = VerifyBlob ( + CurrentBlob->Name, + CurrentBlob->Data, +- CurrentBlob->Size ++ CurrentBlob->Size, ++ FetchStatus + ); + if (EFI_ERROR (Status)) { + goto FreeBlobs; +-- +2.49.0 + diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-1.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-1.patch new file mode 100644 index 0000000000..5cdbb12f19 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-1.patch 
@@ -0,0 +1,762 @@ +From 459f5ffa24ae8574657c4105af0ff7dc30ac428d Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 14 Jan 2025 17:36:39 +0100 +Subject: [PATCH 01/10] OvmfPkg/QemuKernelLoaderFsDxe: rework direct kernel + boot filesystem + +Split KERNEL_BLOB struct into two: + + * One (KERNEL_BLOB_ITEMS) static array describing how to load (unnamed) + blobs from fw_cfg. + * And one (KERNEL_BLOB) dynamically allocated linked list carrying the + data blobs for the pseudo filesystem. + +Also add some debug logging. Prefix most functions with 'QemuKernel' +for consistency and easier log file grepping. Add some small helper +functions. + +This refactoring prepares for loading blobs in other ways. +No (intentional) change in filesystem protocol behavior. + +Signed-off-by: Gerd Hoffmann + +CVE: CVE-2025-2296 +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/459f5ffa24ae8574657c4105af0ff7dc30ac428d] +Signed-off-by: Hongxu Jia +--- + .../QemuKernelLoaderFsDxe.c | 345 +++++++++++------- + 1 file changed, 205 insertions(+), 140 deletions(-) + +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +index cf58c97cd2..7ad1b3828f 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +@@ -31,13 +31,6 @@ + // + // Static data that hosts the fw_cfg blobs and serves file requests. 
+ // +-typedef enum { +- KernelBlobTypeKernel, +- KernelBlobTypeInitrd, +- KernelBlobTypeCommandLine, +- KernelBlobTypeMax +-} KERNEL_BLOB_TYPE; +- + typedef struct { + CONST CHAR16 Name[8]; + struct { +@@ -45,11 +38,17 @@ typedef struct { + FIRMWARE_CONFIG_ITEM CONST DataKey; + UINT32 Size; + } FwCfgItem[2]; +- UINT32 Size; +- UINT8 *Data; +-} KERNEL_BLOB; ++} KERNEL_BLOB_ITEMS; ++ ++typedef struct KERNEL_BLOB KERNEL_BLOB; ++struct KERNEL_BLOB { ++ CHAR16 Name[8]; ++ UINT32 Size; ++ UINT8 *Data; ++ KERNEL_BLOB *Next; ++}; + +-STATIC KERNEL_BLOB mKernelBlob[KernelBlobTypeMax] = { ++STATIC KERNEL_BLOB_ITEMS mKernelBlobItems[] = { + { + L"kernel", + { +@@ -69,7 +68,9 @@ STATIC KERNEL_BLOB mKernelBlob[KernelBlobTypeMax] = { + } + }; + +-STATIC UINT64 mTotalBlobBytes; ++STATIC KERNEL_BLOB *mKernelBlobs; ++STATIC UINT64 mKernelBlobCount; ++STATIC UINT64 mTotalBlobBytes; + + // + // Device path for the handle that incorporates our "EFI stub filesystem". +@@ -117,7 +118,7 @@ STATIC EFI_TIME mInitTime; + typedef struct { + UINT64 Signature; // Carries STUB_FILE_SIG. + +- KERNEL_BLOB_TYPE BlobType; // Index into mKernelBlob. KernelBlobTypeMax ++ KERNEL_BLOB *Blob; // Index into mKernelBlob. KernelBlobTypeMax + // denotes the root directory of the filesystem. 
+ + UINT64 Position; // Byte position for regular files; +@@ -177,7 +178,7 @@ typedef struct { + STATIC + EFI_STATUS + EFIAPI +-StubFileOpen ( ++QemuKernelStubFileOpen ( + IN EFI_FILE_PROTOCOL *This, + OUT EFI_FILE_PROTOCOL **NewHandle, + IN CHAR16 *FileName, +@@ -196,7 +197,7 @@ StubFileOpen ( + STATIC + EFI_STATUS + EFIAPI +-StubFileClose ( ++QemuKernelStubFileClose ( + IN EFI_FILE_PROTOCOL *This + ) + { +@@ -219,7 +220,7 @@ StubFileClose ( + STATIC + EFI_STATUS + EFIAPI +-StubFileDelete ( ++QemuKernelStubFileDelete ( + IN EFI_FILE_PROTOCOL *This + ) + { +@@ -229,18 +230,17 @@ StubFileDelete ( + + /** + Helper function that formats an EFI_FILE_INFO structure into the +- user-allocated buffer, for any valid KERNEL_BLOB_TYPE value (including +- KernelBlobTypeMax, which stands for the root directory). ++ user-allocated buffer, for any valid KERNEL_BLOB (including NULL, ++ which stands for the root directory). + + The interface follows the EFI_FILE_GET_INFO -- and for directories, the + EFI_FILE_READ -- interfaces. + +- @param[in] BlobType The KERNEL_BLOB_TYPE value identifying the fw_cfg ++ @param[in] Blob The KERNEL_BLOB identifying the fw_cfg + blob backing the STUB_FILE that information is +- being requested about. If BlobType equals +- KernelBlobTypeMax, then information will be +- provided about the root directory of the +- filesystem. ++ being requested about. If Blob is NULL, ++ then information will be provided about the root ++ directory of the filesystem. + + @param[in,out] BufferSize On input, the size of Buffer. On output, the + amount of data returned in Buffer. 
In both cases, +@@ -257,10 +257,10 @@ StubFileDelete ( + **/ + STATIC + EFI_STATUS +-ConvertKernelBlobTypeToFileInfo ( +- IN KERNEL_BLOB_TYPE BlobType, +- IN OUT UINTN *BufferSize, +- OUT VOID *Buffer ++QemuKernelBlobTypeToFileInfo ( ++ IN KERNEL_BLOB *Blob, ++ IN OUT UINTN *BufferSize, ++ OUT VOID *Buffer + ) + { + CONST CHAR16 *Name; +@@ -272,17 +272,16 @@ ConvertKernelBlobTypeToFileInfo ( + EFI_FILE_INFO *FileInfo; + UINTN OriginalBufferSize; + +- if (BlobType == KernelBlobTypeMax) { ++ if (Blob == NULL) { + // + // getting file info about the root directory + // ++ DEBUG ((DEBUG_INFO, "%a: file info: directory\n", __func__)); + Name = L"\\"; +- FileSize = KernelBlobTypeMax; ++ FileSize = mKernelBlobCount; + Attribute = EFI_FILE_READ_ONLY | EFI_FILE_DIRECTORY; + } else { +- CONST KERNEL_BLOB *Blob; +- +- Blob = &mKernelBlob[BlobType]; ++ DEBUG ((DEBUG_INFO, "%a: file info: \"%s\"\n", __func__, Blob->Name)); + Name = Blob->Name; + FileSize = Blob->Size; + Attribute = EFI_FILE_READ_ONLY; +@@ -312,6 +311,23 @@ ConvertKernelBlobTypeToFileInfo ( + return EFI_SUCCESS; + } + ++STATIC ++KERNEL_BLOB * ++FindKernelBlob ( ++ CHAR16 *FileName ++ ) ++{ ++ KERNEL_BLOB *Blob; ++ ++ for (Blob = mKernelBlobs; Blob != NULL; Blob = Blob->Next) { ++ if (StrCmp (FileName, Blob->Name) == 0) { ++ return Blob; ++ } ++ } ++ ++ return NULL; ++} ++ + /** + Reads data from a file, or continues scanning a directory. + +@@ -349,25 +365,25 @@ ConvertKernelBlobTypeToFileInfo ( + STATIC + EFI_STATUS + EFIAPI +-StubFileRead ( ++QemuKernelStubFileRead ( + IN EFI_FILE_PROTOCOL *This, + IN OUT UINTN *BufferSize, + OUT VOID *Buffer + ) + { +- STUB_FILE *StubFile; +- CONST KERNEL_BLOB *Blob; +- UINT64 Left; ++ STUB_FILE *StubFile; ++ KERNEL_BLOB *Blob; ++ UINT64 Left, Pos; + + StubFile = STUB_FILE_FROM_FILE (This); + + // + // Scanning the root directory? 
+ // +- if (StubFile->BlobType == KernelBlobTypeMax) { ++ if (StubFile->Blob == NULL) { + EFI_STATUS Status; + +- if (StubFile->Position == KernelBlobTypeMax) { ++ if (StubFile->Position == mKernelBlobCount) { + // + // Scanning complete. + // +@@ -375,8 +391,16 @@ StubFileRead ( + return EFI_SUCCESS; + } + +- Status = ConvertKernelBlobTypeToFileInfo ( +- (KERNEL_BLOB_TYPE)StubFile->Position, ++ for (Pos = 0, Blob = mKernelBlobs; ++ Pos < StubFile->Position; ++ Pos++, Blob = Blob->Next) ++ { ++ } ++ ++ DEBUG ((DEBUG_INFO, "%a: file list: #%d \"%s\"\n", __func__, Pos, Blob->Name)); ++ ++ Status = QemuKernelBlobTypeToFileInfo ( ++ Blob, + BufferSize, + Buffer + ); +@@ -391,7 +415,7 @@ StubFileRead ( + // + // Reading a file. + // +- Blob = &mKernelBlob[StubFile->BlobType]; ++ Blob = StubFile->Blob; + if (StubFile->Position > Blob->Size) { + return EFI_DEVICE_ERROR; + } +@@ -402,6 +426,7 @@ StubFileRead ( + } + + if (Blob->Data != NULL) { ++ DEBUG ((DEBUG_INFO, "%a: file read: \"%s\", %d bytes\n", __func__, Blob->Name, *BufferSize)); + CopyMem (Buffer, Blob->Data + StubFile->Position, *BufferSize); + } + +@@ -435,7 +460,7 @@ StubFileRead ( + STATIC + EFI_STATUS + EFIAPI +-StubFileWrite ( ++QemuKernelStubFileWrite ( + IN EFI_FILE_PROTOCOL *This, + IN OUT UINTN *BufferSize, + IN VOID *Buffer +@@ -444,7 +469,7 @@ StubFileWrite ( + STUB_FILE *StubFile; + + StubFile = STUB_FILE_FROM_FILE (This); +- return (StubFile->BlobType == KernelBlobTypeMax) ? ++ return (StubFile->Blob == NULL) ? 
+ EFI_UNSUPPORTED : + EFI_WRITE_PROTECTED; + } +@@ -466,7 +491,7 @@ StubFileWrite ( + STATIC + EFI_STATUS + EFIAPI +-StubFileGetPosition ( ++QemuKernelStubFileGetPosition ( + IN EFI_FILE_PROTOCOL *This, + OUT UINT64 *Position + ) +@@ -474,7 +499,7 @@ StubFileGetPosition ( + STUB_FILE *StubFile; + + StubFile = STUB_FILE_FROM_FILE (This); +- if (StubFile->BlobType == KernelBlobTypeMax) { ++ if (StubFile->Blob == NULL) { + return EFI_UNSUPPORTED; + } + +@@ -501,7 +526,7 @@ StubFileGetPosition ( + STATIC + EFI_STATUS + EFIAPI +-StubFileSetPosition ( ++QemuKernelStubFileSetPosition ( + IN EFI_FILE_PROTOCOL *This, + IN UINT64 Position + ) +@@ -511,7 +536,7 @@ StubFileSetPosition ( + + StubFile = STUB_FILE_FROM_FILE (This); + +- if (StubFile->BlobType == KernelBlobTypeMax) { ++ if (StubFile->Blob == NULL) { + if (Position == 0) { + // + // rewinding a directory scan is allowed +@@ -526,7 +551,7 @@ StubFileSetPosition ( + // + // regular file seek + // +- Blob = &mKernelBlob[StubFile->BlobType]; ++ Blob = StubFile->Blob; + if (Position == MAX_UINT64) { + // + // seek to end +@@ -583,7 +608,7 @@ StubFileSetPosition ( + STATIC + EFI_STATUS + EFIAPI +-StubFileGetInfo ( ++QemuKernelStubFileGetInfo ( + IN EFI_FILE_PROTOCOL *This, + IN EFI_GUID *InformationType, + IN OUT UINTN *BufferSize, +@@ -596,8 +621,8 @@ StubFileGetInfo ( + StubFile = STUB_FILE_FROM_FILE (This); + + if (CompareGuid (InformationType, &gEfiFileInfoGuid)) { +- return ConvertKernelBlobTypeToFileInfo ( +- StubFile->BlobType, ++ return QemuKernelBlobTypeToFileInfo ( ++ StubFile->Blob, + BufferSize, + Buffer + ); +@@ -685,7 +710,7 @@ StubFileGetInfo ( + STATIC + EFI_STATUS + EFIAPI +-StubFileSetInfo ( ++QemuKernelStubFileSetInfo ( + IN EFI_FILE_PROTOCOL *This, + IN EFI_GUID *InformationType, + IN UINTN BufferSize, +@@ -712,7 +737,7 @@ StubFileSetInfo ( + STATIC + EFI_STATUS + EFIAPI +-StubFileFlush ( ++QemuKernelStubFileFlush ( + IN EFI_FILE_PROTOCOL *This + ) + { +@@ -724,16 +749,16 @@ StubFileFlush ( + // + 
STATIC CONST EFI_FILE_PROTOCOL mEfiFileProtocolTemplate = { + EFI_FILE_PROTOCOL_REVISION, // revision 1 +- StubFileOpen, +- StubFileClose, +- StubFileDelete, +- StubFileRead, +- StubFileWrite, +- StubFileGetPosition, +- StubFileSetPosition, +- StubFileGetInfo, +- StubFileSetInfo, +- StubFileFlush, ++ QemuKernelStubFileOpen, ++ QemuKernelStubFileClose, ++ QemuKernelStubFileDelete, ++ QemuKernelStubFileRead, ++ QemuKernelStubFileWrite, ++ QemuKernelStubFileGetPosition, ++ QemuKernelStubFileSetPosition, ++ QemuKernelStubFileGetInfo, ++ QemuKernelStubFileSetInfo, ++ QemuKernelStubFileFlush, + NULL, // OpenEx, revision 2 + NULL, // ReadEx, revision 2 + NULL, // WriteEx, revision 2 +@@ -743,7 +768,7 @@ STATIC CONST EFI_FILE_PROTOCOL mEfiFileProtocolTemplate = { + STATIC + EFI_STATUS + EFIAPI +-StubFileOpen ( ++QemuKernelStubFileOpen ( + IN EFI_FILE_PROTOCOL *This, + OUT EFI_FILE_PROTOCOL **NewHandle, + IN CHAR16 *FileName, +@@ -752,7 +777,7 @@ StubFileOpen ( + ) + { + CONST STUB_FILE *StubFile; +- UINTN BlobType; ++ KERNEL_BLOB *Blob; + STUB_FILE *NewStubFile; + + // +@@ -774,21 +799,20 @@ StubFileOpen ( + // Only the root directory supports opening files in it. + // + StubFile = STUB_FILE_FROM_FILE (This); +- if (StubFile->BlobType != KernelBlobTypeMax) { ++ if (StubFile->Blob != NULL) { + return EFI_UNSUPPORTED; + } + + // + // Locate the file. 
+ // +- for (BlobType = 0; BlobType < KernelBlobTypeMax; ++BlobType) { +- if (StrCmp (FileName, mKernelBlob[BlobType].Name) == 0) { +- break; +- } +- } ++ Blob = FindKernelBlob (FileName); + +- if (BlobType == KernelBlobTypeMax) { ++ if (Blob == NULL) { ++ DEBUG ((DEBUG_INFO, "%a: file not found: \"%s\"\n", __func__, FileName)); + return EFI_NOT_FOUND; ++ } else { ++ DEBUG ((DEBUG_INFO, "%a: file opened: \"%s\"\n", __func__, FileName)); + } + + // +@@ -800,7 +824,7 @@ StubFileOpen ( + } + + NewStubFile->Signature = STUB_FILE_SIG; +- NewStubFile->BlobType = (KERNEL_BLOB_TYPE)BlobType; ++ NewStubFile->Blob = Blob; + NewStubFile->Position = 0; + CopyMem ( + &NewStubFile->File, +@@ -842,7 +866,7 @@ StubFileOpen ( + STATIC + EFI_STATUS + EFIAPI +-StubFileSystemOpenVolume ( ++QemuKernelStubFileSystemOpenVolume ( + IN EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *This, + OUT EFI_FILE_PROTOCOL **Root + ) +@@ -855,7 +879,7 @@ StubFileSystemOpenVolume ( + } + + StubFile->Signature = STUB_FILE_SIG; +- StubFile->BlobType = KernelBlobTypeMax; ++ StubFile->Blob = NULL; + StubFile->Position = 0; + CopyMem ( + &StubFile->File, +@@ -869,13 +893,13 @@ StubFileSystemOpenVolume ( + + STATIC CONST EFI_SIMPLE_FILE_SYSTEM_PROTOCOL mFileSystem = { + EFI_SIMPLE_FILE_SYSTEM_PROTOCOL_REVISION, +- StubFileSystemOpenVolume ++ QemuKernelStubFileSystemOpenVolume + }; + + STATIC + EFI_STATUS + EFIAPI +-InitrdLoadFile2 ( ++QemuKernelInitrdLoadFile2 ( + IN EFI_LOAD_FILE2_PROTOCOL *This, + IN EFI_DEVICE_PATH_PROTOCOL *FilePath, + IN BOOLEAN BootPolicy, +@@ -883,8 +907,11 @@ InitrdLoadFile2 ( + OUT VOID *Buffer OPTIONAL + ) + { +- CONST KERNEL_BLOB *InitrdBlob = &mKernelBlob[KernelBlobTypeInitrd]; ++ KERNEL_BLOB *InitrdBlob; + ++ DEBUG ((DEBUG_INFO, "%a: initrd read\n", __func__)); ++ InitrdBlob = FindKernelBlob (L"initrd"); ++ ASSERT (InitrdBlob != NULL); + ASSERT (InitrdBlob->Size > 0); + + if (BootPolicy) { +@@ -913,17 +940,33 @@ InitrdLoadFile2 ( + } + + STATIC CONST EFI_LOAD_FILE2_PROTOCOL mInitrdLoadFile2 = 
{ +- InitrdLoadFile2, ++ QemuKernelInitrdLoadFile2, + }; + + // + // Utility functions. + // + ++STATIC VOID ++QemuKernelChunkedRead ( ++ UINT8 *Dest, ++ UINT32 Bytes ++ ) ++{ ++ UINT32 Chunk; ++ ++ while (Bytes > 0) { ++ Chunk = (Bytes < SIZE_1MB) ? Bytes : SIZE_1MB; ++ QemuFwCfgReadBytes (Chunk, Dest); ++ Bytes -= Chunk; ++ Dest += Chunk; ++ } ++} ++ + /** + Populate a blob in mKernelBlob. + +- param[in,out] Blob Pointer to the KERNEL_BLOB element in mKernelBlob that is ++ param[in,out] Blob Pointer to the KERNEL_BLOB_ITEMS that is + to be filled from fw_cfg. + + @retval EFI_SUCCESS Blob has been populated. If fw_cfg reported a +@@ -934,35 +977,46 @@ STATIC CONST EFI_LOAD_FILE2_PROTOCOL mInitrdLoadFile2 = { + **/ + STATIC + EFI_STATUS +-FetchBlob ( +- IN OUT KERNEL_BLOB *Blob ++QemuKernelFetchBlob ( ++ IN KERNEL_BLOB_ITEMS *BlobItems + ) + { +- UINT32 Left; +- UINTN Idx; +- UINT8 *ChunkData; ++ UINT32 Size; ++ UINTN Idx; ++ UINT8 *ChunkData; ++ KERNEL_BLOB *Blob; ++ EFI_STATUS Status; + + // + // Read blob size. + // +- Blob->Size = 0; +- for (Idx = 0; Idx < ARRAY_SIZE (Blob->FwCfgItem); Idx++) { +- if (Blob->FwCfgItem[Idx].SizeKey == 0) { ++ for (Size = 0, Idx = 0; Idx < ARRAY_SIZE (BlobItems->FwCfgItem); Idx++) { ++ if (BlobItems->FwCfgItem[Idx].SizeKey == 0) { + break; + } + +- QemuFwCfgSelectItem (Blob->FwCfgItem[Idx].SizeKey); +- Blob->FwCfgItem[Idx].Size = QemuFwCfgRead32 (); +- Blob->Size += Blob->FwCfgItem[Idx].Size; ++ QemuFwCfgSelectItem (BlobItems->FwCfgItem[Idx].SizeKey); ++ BlobItems->FwCfgItem[Idx].Size = QemuFwCfgRead32 (); ++ Size += BlobItems->FwCfgItem[Idx].Size; + } + +- if (Blob->Size == 0) { ++ if (Size == 0) { + return EFI_SUCCESS; + } + ++ Blob = AllocatePool (sizeof (*Blob)); ++ if (Blob->Data == NULL) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ ++ ZeroMem (Blob, sizeof (*Blob)); ++ + // + // Read blob. 
+ // ++ Status = StrCpyS (Blob->Name, sizeof (Blob->Name), BlobItems->Name); ++ ASSERT (!EFI_ERROR (Status)); ++ Blob->Size = Size; + Blob->Data = AllocatePool (Blob->Size); + if (Blob->Data == NULL) { + DEBUG (( +@@ -972,6 +1026,7 @@ FetchBlob ( + (INT64)Blob->Size, + Blob->Name + )); ++ FreePool (Blob); + return EFI_OUT_OF_RESOURCES; + } + +@@ -984,34 +1039,48 @@ FetchBlob ( + )); + + ChunkData = Blob->Data; +- for (Idx = 0; Idx < ARRAY_SIZE (Blob->FwCfgItem); Idx++) { +- if (Blob->FwCfgItem[Idx].DataKey == 0) { ++ for (Idx = 0; Idx < ARRAY_SIZE (BlobItems->FwCfgItem); Idx++) { ++ if (BlobItems->FwCfgItem[Idx].DataKey == 0) { + break; + } + +- QemuFwCfgSelectItem (Blob->FwCfgItem[Idx].DataKey); ++ QemuFwCfgSelectItem (BlobItems->FwCfgItem[Idx].DataKey); ++ QemuKernelChunkedRead (ChunkData, BlobItems->FwCfgItem[Idx].Size); ++ ChunkData += BlobItems->FwCfgItem[Idx].Size; ++ } + +- Left = Blob->FwCfgItem[Idx].Size; +- while (Left > 0) { +- UINT32 Chunk; ++ Blob->Next = mKernelBlobs; ++ mKernelBlobs = Blob; ++ mKernelBlobCount++; ++ mTotalBlobBytes += Blob->Size; ++ return EFI_SUCCESS; ++} + +- Chunk = (Left < SIZE_1MB) ? Left : SIZE_1MB; +- QemuFwCfgReadBytes (Chunk, ChunkData + Blob->FwCfgItem[Idx].Size - Left); +- Left -= Chunk; +- DEBUG (( +- DEBUG_VERBOSE, +- "%a: %Ld bytes remaining for \"%s\" (%d)\n", +- __func__, +- (INT64)Left, +- Blob->Name, +- (INT32)Idx +- )); +- } ++STATIC ++EFI_STATUS ++QemuKernelVerifyBlob ( ++ CHAR16 *FileName, ++ EFI_STATUS FetchStatus ++ ) ++{ ++ KERNEL_BLOB *Blob; ++ EFI_STATUS Status; + +- ChunkData += Blob->FwCfgItem[Idx].Size; ++ if ((StrCmp (FileName, L"kernel") != 0) && ++ (StrCmp (FileName, L"initrd") != 0) && ++ (StrCmp (FileName, L"cmdline") != 0)) ++ { ++ return EFI_SUCCESS; + } + +- return EFI_SUCCESS; ++ Blob = FindKernelBlob (FileName); ++ Status = VerifyBlob ( ++ FileName, ++ Blob ? Blob->Data : NULL, ++ Blob ? 
Blob->Size : 0, ++ FetchStatus ++ ); ++ return Status; + } + + // +@@ -1038,13 +1107,13 @@ QemuKernelLoaderFsDxeEntrypoint ( + IN EFI_SYSTEM_TABLE *SystemTable + ) + { +- UINTN BlobType; +- KERNEL_BLOB *CurrentBlob; +- KERNEL_BLOB *KernelBlob; +- EFI_STATUS Status; +- EFI_STATUS FetchStatus; +- EFI_HANDLE FileSystemHandle; +- EFI_HANDLE InitrdLoadFile2Handle; ++ UINTN BlobIdx; ++ KERNEL_BLOB_ITEMS *BlobItems; ++ KERNEL_BLOB *Blob; ++ EFI_STATUS Status; ++ EFI_STATUS FetchStatus; ++ EFI_HANDLE FileSystemHandle; ++ EFI_HANDLE InitrdLoadFile2Handle; + + if (!QemuFwCfgIsAvailable ()) { + return EFI_NOT_FOUND; +@@ -1059,26 +1128,22 @@ QemuKernelLoaderFsDxeEntrypoint ( + // + // Fetch all blobs. + // +- for (BlobType = 0; BlobType < KernelBlobTypeMax; ++BlobType) { +- CurrentBlob = &mKernelBlob[BlobType]; +- FetchStatus = FetchBlob (CurrentBlob); +- +- Status = VerifyBlob ( +- CurrentBlob->Name, +- CurrentBlob->Data, +- CurrentBlob->Size, ++ for (BlobIdx = 0; BlobIdx < ARRAY_SIZE (mKernelBlobItems); ++BlobIdx) { ++ BlobItems = &mKernelBlobItems[BlobIdx]; ++ FetchStatus = QemuKernelFetchBlob (BlobItems); ++ ++ Status = QemuKernelVerifyBlob ( ++ (CHAR16 *)BlobItems->Name, + FetchStatus + ); + if (EFI_ERROR (Status)) { + goto FreeBlobs; + } +- +- mTotalBlobBytes += CurrentBlob->Size; + } + +- KernelBlob = &mKernelBlob[KernelBlobTypeKernel]; +- +- if (KernelBlob->Data == NULL) { ++ Blob = FindKernelBlob (L"kernel"); ++ if (Blob == NULL) { ++ DEBUG ((DEBUG_INFO, "%a: no kernel present -> quit\n", __func__)); + Status = EFI_NOT_FOUND; + goto FreeBlobs; + } +@@ -1106,7 +1171,9 @@ QemuKernelLoaderFsDxeEntrypoint ( + goto FreeBlobs; + } + +- if (KernelBlob[KernelBlobTypeInitrd].Size > 0) { ++ Blob = FindKernelBlob (L"initrd"); ++ if (Blob != NULL) { ++ DEBUG ((DEBUG_INFO, "%a: initrd setup\n", __func__)); + InitrdLoadFile2Handle = NULL; + Status = gBS->InstallMultipleProtocolInterfaces ( + &InitrdLoadFile2Handle, +@@ -1141,13 +1208,11 @@ UninstallFileSystemHandle: + 
ASSERT_EFI_ERROR (Status); + + FreeBlobs: +- while (BlobType > 0) { +- CurrentBlob = &mKernelBlob[--BlobType]; +- if (CurrentBlob->Data != NULL) { +- FreePool (CurrentBlob->Data); +- CurrentBlob->Size = 0; +- CurrentBlob->Data = NULL; +- } ++ while (mKernelBlobs != NULL) { ++ Blob = mKernelBlobs; ++ mKernelBlobs = Blob->Next; ++ FreePool (Blob->Data); ++ FreePool (Blob); + } + + return Status; +-- +2.49.0 + diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-2.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-2.patch new file mode 100644 index 0000000000..964ee306bf --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-2.patch 
@@ -0,0 +1,175 @@ +From 20df7c42bd446fe725bfc78cdb40577456c421d8 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 15 Jan 2025 00:29:52 +0100 +Subject: [PATCH 02/10] OvmfPkg/QemuKernelLoaderFsDxe: add support for named + blobs + +Load all named fw_cfg blobs with "etc/boot/" prefix into the pseudo +filesystem. + +Signed-off-by: Gerd Hoffmann + +CVE: CVE-2025-2296 +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/20df7c42bd446fe725bfc78cdb40577456c421d8] +Signed-off-by: Hongxu Jia +--- + .../QemuKernelLoaderFsDxe.c | 94 ++++++++++++++++--- + .../QemuKernelLoaderFsDxe.inf | 1 + + 2 files changed, 84 insertions(+), 11 deletions(-) + +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +index 7ad1b3828f..1f63adda0b 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -32,12 +33,12 @@ + // Static data that hosts the fw_cfg blobs and serves file requests. + // + typedef struct { +- CONST CHAR16 Name[8]; ++ CHAR16 Name[8]; + struct { +- FIRMWARE_CONFIG_ITEM CONST SizeKey; +- FIRMWARE_CONFIG_ITEM CONST DataKey; +- UINT32 Size; +- } FwCfgItem[2]; ++ FIRMWARE_CONFIG_ITEM SizeKey; ++ FIRMWARE_CONFIG_ITEM DataKey; ++ UINT32 Size; ++ } FwCfgItem[2]; + } KERNEL_BLOB_ITEMS; + + typedef struct KERNEL_BLOB KERNEL_BLOB; +@@ -989,15 +990,23 @@ QemuKernelFetchBlob ( + + // + // Read blob size. 
++ // Size != 0 -> use size as-is ++ // SizeKey != 0 -> read size from fw_cfg ++ // both are 0 -> unused entry + // + for (Size = 0, Idx = 0; Idx < ARRAY_SIZE (BlobItems->FwCfgItem); Idx++) { +- if (BlobItems->FwCfgItem[Idx].SizeKey == 0) { ++ if ((BlobItems->FwCfgItem[Idx].SizeKey == 0) && ++ (BlobItems->FwCfgItem[Idx].Size == 0)) ++ { + break; + } + +- QemuFwCfgSelectItem (BlobItems->FwCfgItem[Idx].SizeKey); +- BlobItems->FwCfgItem[Idx].Size = QemuFwCfgRead32 (); +- Size += BlobItems->FwCfgItem[Idx].Size; ++ if (BlobItems->FwCfgItem[Idx].SizeKey) { ++ QemuFwCfgSelectItem (BlobItems->FwCfgItem[Idx].SizeKey); ++ BlobItems->FwCfgItem[Idx].Size = QemuFwCfgRead32 (); ++ } ++ ++ Size += BlobItems->FwCfgItem[Idx].Size; + } + + if (Size == 0) { +@@ -1083,6 +1092,55 @@ QemuKernelVerifyBlob ( + return Status; + } + ++STATIC ++EFI_STATUS ++QemuKernelFetchNamedBlobs ( ++ VOID ++ ) ++{ ++ struct { ++ UINT32 FileSize; ++ UINT16 FileSelect; ++ UINT16 Reserved; ++ CHAR8 FileName[QEMU_FW_CFG_FNAME_SIZE]; ++ } *DirEntry; ++ KERNEL_BLOB_ITEMS Items; ++ EFI_STATUS Status; ++ EFI_STATUS FetchStatus; ++ UINT32 Count; ++ UINT32 Idx; ++ ++ QemuFwCfgSelectItem (QemuFwCfgItemFileDir); ++ Count = SwapBytes32 (QemuFwCfgRead32 ()); ++ ++ DirEntry = AllocatePool (sizeof (*DirEntry) * Count); ++ QemuFwCfgReadBytes (sizeof (*DirEntry) * Count, DirEntry); ++ ++ for (Idx = 0; Idx < Count; ++Idx) { ++ if (AsciiStrnCmp (DirEntry[Idx].FileName, "etc/boot/", 9) != 0) { ++ continue; ++ } ++ ++ ZeroMem (&Items, sizeof (Items)); ++ UnicodeSPrint (Items.Name, sizeof (Items.Name), L"%a", DirEntry[Idx].FileName + 9); ++ Items.FwCfgItem[0].DataKey = SwapBytes16 (DirEntry[Idx].FileSelect); ++ Items.FwCfgItem[0].Size = SwapBytes32 (DirEntry[Idx].FileSize); ++ ++ FetchStatus = QemuKernelFetchBlob (&Items); ++ Status = QemuKernelVerifyBlob ( ++ (CHAR16 *)Items.Name, ++ FetchStatus ++ ); ++ if (EFI_ERROR (Status)) { ++ FreePool (DirEntry); ++ return Status; ++ } ++ } ++ ++ FreePool (DirEntry); ++ return 
EFI_SUCCESS; ++} ++ + // + // The entry point of the feature. + // +@@ -1126,10 +1184,24 @@ QemuKernelLoaderFsDxeEntrypoint ( + } + + // +- // Fetch all blobs. ++ // Fetch named blobs. + // ++ DEBUG ((DEBUG_INFO, "%a: named blobs (etc/boot/*)\n", __func__)); ++ Status = QemuKernelFetchNamedBlobs (); ++ if (EFI_ERROR (Status)) { ++ goto FreeBlobs; ++ } ++ ++ // ++ // Fetch traditional blobs. ++ // ++ DEBUG ((DEBUG_INFO, "%a: traditional blobs\n", __func__)); + for (BlobIdx = 0; BlobIdx < ARRAY_SIZE (mKernelBlobItems); ++BlobIdx) { +- BlobItems = &mKernelBlobItems[BlobIdx]; ++ BlobItems = &mKernelBlobItems[BlobIdx]; ++ if (FindKernelBlob (BlobItems->Name)) { ++ continue; ++ } ++ + FetchStatus = QemuKernelFetchBlob (BlobItems); + + Status = QemuKernelVerifyBlob ( +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf +index 7b35adb8e0..a2f44bbca1 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf +@@ -30,6 +30,7 @@ + DebugLib + DevicePathLib + MemoryAllocationLib ++ PrintLib + QemuFwCfgLib + UefiBootServicesTableLib + UefiDriverEntryPoint +-- +2.49.0 + diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-3.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-3.patch new file mode 100644 index 0000000000..0ea2a70bf5 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-3.patch 
@@ -0,0 +1,42 @@ +From adf385ecab69631952bdc8b774ebd77e82b94a00 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 16 Jan 2025 15:42:13 +0100 +Subject: [PATCH 03/10] OvmfPkg/QemuKernelLoaderFsDxe: allow longer file names + +QEMU_FW_CFG_FNAME_SIZE is 56. 'etc/boot/' prefix is minus 9. Add one +for the terminating '\0'. Effective max size is 48. + +Signed-off-by: Gerd Hoffmann + +CVE: CVE-2025-2296 +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/adf385ecab69631952bdc8b774ebd77e82b94a00] +Signed-off-by: Hongxu Jia +--- + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +index 1f63adda0b..0947b6bf2d 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +@@ -33,7 +33,7 @@ + // Static data that hosts the fw_cfg blobs and serves file requests. + // + typedef struct { +- CHAR16 Name[8]; ++ CHAR16 Name[48]; + struct { + FIRMWARE_CONFIG_ITEM SizeKey; + FIRMWARE_CONFIG_ITEM DataKey; +@@ -43,7 +43,7 @@ typedef struct { + + typedef struct KERNEL_BLOB KERNEL_BLOB; + struct KERNEL_BLOB { +- CHAR16 Name[8]; ++ CHAR16 Name[48]; + UINT32 Size; + UINT8 *Data; + KERNEL_BLOB *Next; +-- +2.49.0 + diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-4.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-4.patch new file mode 100644 index 0000000000..bba3b51c78 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-4.patch 
@@ -0,0 +1,34 @@ +From 1111e9fe7078eed9e5c50e1808776ee40a629e16 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 16 Jan 2025 15:52:54 +0100 +Subject: [PATCH 04/10] OvmfPkg/QemuKernelLoaderFsDxe: drop bogus assert + +Triggers when trying to get root directory info. +Reproducer: + * Use qemu -kernel with something edk2 can not load. + * When dropped into the efi shell try inspect the file system. + +Signed-off-by: Gerd Hoffmann + +CVE: CVE-2025-2296 +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1111e9fe7078eed9e5c50e1808776ee40a629e16] +Signed-off-by: Hongxu Jia +--- + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +index 0947b6bf2d..3e1a876bf0 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +@@ -290,7 +290,6 @@ QemuKernelBlobTypeToFileInfo ( + + NameSize = (StrLen (Name) + 1) * 2; + FileInfoSize = OFFSET_OF (EFI_FILE_INFO, FileName) + NameSize; +- ASSERT (FileInfoSize >= sizeof *FileInfo); + + OriginalBufferSize = *BufferSize; + *BufferSize = FileInfoSize; +-- +2.49.0 + diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-5.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-5.patch new file mode 100644 index 0000000000..e3a8292356 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-5.patch 
@@ -0,0 +1,36 @@ +From 46ae4e4b9574530e5081e98af0495d6f6d28379f Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 16 Jan 2025 16:03:01 +0100 +Subject: [PATCH 05/10] OvmfPkg/QemuKernelLoaderFsDxe: accept absolute paths + +EFI shell looks for "\startup.nsh". +Try "-fw_cfg name=etc/boot/startup.nsh,string='echo hello'" ;) + +Signed-off-by: Gerd Hoffmann + +CVE: CVE-2025-2296 +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/46ae4e4b9574530e5081e98af0495d6f6d28379f] +Signed-off-by: Hongxu Jia +--- + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +index 3e1a876bf0..5b90420dad 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +@@ -806,6 +806,11 @@ QemuKernelStubFileOpen ( + // + // Locate the file. + // ++ if (FileName[0] == '\\') { ++ // also accept absolute paths, i.e. '\kernel' for 'kernel' ++ FileName++; ++ } ++ + Blob = FindKernelBlob (FileName); + + if (Blob == NULL) { +-- +2.49.0 + diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-6.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-6.patch new file mode 100644 index 0000000000..3515efe008 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-6.patch 
@@ -0,0 +1,54 @@ +From c45051450efbdae4a38f07998b3e7b77abe7173a Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 20 Jan 2025 11:28:37 +0100 +Subject: [PATCH 06/10] OvmfPkg/QemuKernelLoaderFsDxe: don't quit when named + blobs are present + +Allows to use the qemu kernel loader pseudo file system for other +purposes than loading a linux kernel (or efi binary). Passing +startup.nsh for EFI shell is one example. + +Signed-off-by: Gerd Hoffmann + +CVE: CVE-2025-2296 +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/c45051450efbdae4a38f07998b3e7b77abe7173a] +Signed-off-by: Hongxu Jia +--- + OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +index 5b90420dad..add914daa8 100644 +--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c ++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c +@@ -71,6 +71,7 @@ STATIC KERNEL_BLOB_ITEMS mKernelBlobItems[] = { + + STATIC KERNEL_BLOB *mKernelBlobs; + STATIC UINT64 mKernelBlobCount; ++STATIC UINT64 mKernelNamedBlobCount; + STATIC UINT64 mTotalBlobBytes; + + // +@@ -1139,6 +1140,8 @@ QemuKernelFetchNamedBlobs ( + FreePool (DirEntry); + return Status; + } ++ ++ mKernelNamedBlobCount++; + } + + FreePool (DirEntry); +@@ -1218,8 +1221,8 @@ QemuKernelLoaderFsDxeEntrypoint ( + } + + Blob = FindKernelBlob (L"kernel"); +- if (Blob == NULL) { +- DEBUG ((DEBUG_INFO, "%a: no kernel present -> quit\n", __func__)); ++ if ((Blob == NULL) && (mKernelNamedBlobCount == 0)) { ++ DEBUG ((DEBUG_INFO, "%a: no kernel and no named blobs present -> quit\n", __func__)); + Status = EFI_NOT_FOUND; + goto FreeBlobs; + } +-- +2.49.0 + diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-7.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-7.patch new file mode 100644 index 0000000000..a9d9922695 --- /dev/null 
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-7.patch 
@@ -0,0 +1,124 @@ +From 3da39f2cb681eb69f4eef54acd4b25d25cd7103d Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 10 Apr 2024 17:25:03 +0200 +Subject: [PATCH 07/10] OvmfPkg/X86QemuLoadImageLib: support booting via shim + +Try load shim first. In case that succeeded update the command line to +list 'kernel' first so shim will fetch the kernel from the kernel loader +file system. + +This allows to use direct kernel boot with distro kernels and secure +boot enabled. Usually distro kernels can only be verified by distro +shim using the distro keys compiled into the shim binary. + +Signed-off-by: Gerd Hoffmann + +CVE: CVE-2025-2296 +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/3da39f2cb681eb69f4eef54acd4b25d25cd7103d] +Signed-off-by: Hongxu Jia +--- + .../X86QemuLoadImageLib/X86QemuLoadImageLib.c | 56 ++++++++++++++++++- + 1 file changed, 54 insertions(+), 2 deletions(-) + +diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c +index a7ab43ca74..e4dbc2dc7e 100644 +--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c ++++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c +@@ -57,6 +57,25 @@ STATIC CONST KERNEL_VENMEDIA_FILE_DEVPATH mKernelDevicePath = { + } + }; + ++STATIC CONST KERNEL_VENMEDIA_FILE_DEVPATH mShimDevicePath = { ++ { ++ { ++ MEDIA_DEVICE_PATH, MEDIA_VENDOR_DP, ++ { sizeof (VENDOR_DEVICE_PATH) } ++ }, ++ QEMU_KERNEL_LOADER_FS_MEDIA_GUID ++ }, { ++ { ++ MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP, ++ { sizeof (KERNEL_FILE_DEVPATH) } ++ }, ++ L"shim", ++ }, { ++ END_DEVICE_PATH_TYPE, END_ENTIRE_DEVICE_PATH_SUBTYPE, ++ { sizeof (EFI_DEVICE_PATH_PROTOCOL) } ++ } ++}; ++ + STATIC + VOID + FreeLegacyImage ( +@@ -339,6 +358,7 @@ QemuLoadKernelImage ( + UINTN CommandLineSize; + CHAR8 *CommandLine; + UINTN InitrdSize; ++ BOOLEAN Shim; + + // + // Redundant assignment to work around GCC48/GCC49 limitations. 
+@@ -351,11 +371,35 @@ QemuLoadKernelImage ( + Status = gBS->LoadImage ( + FALSE, // BootPolicy: exact match required + gImageHandle, // ParentImageHandle +- (EFI_DEVICE_PATH_PROTOCOL *)&mKernelDevicePath, ++ (EFI_DEVICE_PATH_PROTOCOL *)&mShimDevicePath, + NULL, // SourceBuffer + 0, // SourceSize + &KernelImageHandle + ); ++ if (Status == EFI_SUCCESS) { ++ Shim = TRUE; ++ DEBUG ((DEBUG_INFO, "%a: booting via shim\n", __func__)); ++ } else { ++ Shim = FALSE; ++ if (Status == EFI_SECURITY_VIOLATION) { ++ gBS->UnloadImage (KernelImageHandle); ++ } ++ ++ if (Status != EFI_NOT_FOUND) { ++ DEBUG ((DEBUG_INFO, "%a: LoadImage(shim): %r\n", __func__, Status)); ++ return Status; ++ } ++ ++ Status = gBS->LoadImage ( ++ FALSE, // BootPolicy: exact match required ++ gImageHandle, // ParentImageHandle ++ (EFI_DEVICE_PATH_PROTOCOL *)&mKernelDevicePath, ++ NULL, // SourceBuffer ++ 0, // SourceSize ++ &KernelImageHandle ++ ); ++ } ++ + switch (Status) { + case EFI_SUCCESS: + break; +@@ -465,6 +509,13 @@ QemuLoadKernelImage ( + KernelLoadedImage->LoadOptionsSize += sizeof (L" initrd=initrd") - 2; + } + ++ if (Shim) { ++ // ++ // Prefix 'kernel ' in UTF-16. ++ // ++ KernelLoadedImage->LoadOptionsSize += sizeof (L"kernel ") - 2; ++ } ++ + if (KernelLoadedImage->LoadOptionsSize == 0) { + KernelLoadedImage->LoadOptions = NULL; + } else { +@@ -485,7 +536,8 @@ QemuLoadKernelImage ( + UnicodeSPrintAsciiFormat ( + KernelLoadedImage->LoadOptions, + KernelLoadedImage->LoadOptionsSize, +- "%a%a", ++ "%a%a%a", ++ (Shim == FALSE) ? "" : "kernel ", + (CommandLineSize == 0) ? "" : CommandLine, + (InitrdSize == 0) ? "" : " initrd=initrd" + ); +-- +2.49.0 + diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-8.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-8.patch new file mode 100644 index 0000000000..97d77883fd --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-8.patch 
@@ -0,0 +1,125 @@ +From 4b507b49664514d7f09e6b7a9ca2da25a5e440fd Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 11 Apr 2024 08:15:22 +0200 +Subject: [PATCH 08/10] OvmfPkg/GenericQemuLoadImageLib: support booting via + shim + +Try load shim first. In case that succeeded update the command line to +list 'kernel' first so shim will fetch the kernel from the kernel loader +file system. + +This allows to use direct kernel boot with distro kernels and secure +boot enabled. Usually distro kernels can only be verified by distro +shim using the distro keys compiled into the shim binary. + +Signed-off-by: Gerd Hoffmann + +CVE: CVE-2025-2296 +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/4b507b49664514d7f09e6b7a9ca2da25a5e440fd] +Signed-off-by: Hongxu Jia +--- + .../GenericQemuLoadImageLib.c | 56 ++++++++++++++++++- + 1 file changed, 54 insertions(+), 2 deletions(-) + +diff --git a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c +index b99fb350aa..9d0ba77755 100644 +--- a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c ++++ b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c +@@ -57,6 +57,25 @@ STATIC CONST KERNEL_VENMEDIA_FILE_DEVPATH mKernelDevicePath = { + } + }; + ++STATIC CONST KERNEL_VENMEDIA_FILE_DEVPATH mShimDevicePath = { ++ { ++ { ++ MEDIA_DEVICE_PATH, MEDIA_VENDOR_DP, ++ { sizeof (VENDOR_DEVICE_PATH) } ++ }, ++ QEMU_KERNEL_LOADER_FS_MEDIA_GUID ++ }, { ++ { ++ MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP, ++ { sizeof (KERNEL_FILE_DEVPATH) } ++ }, ++ L"shim", ++ }, { ++ END_DEVICE_PATH_TYPE, END_ENTIRE_DEVICE_PATH_SUBTYPE, ++ { sizeof (EFI_DEVICE_PATH_PROTOCOL) } ++ } ++}; ++ + STATIC CONST SINGLE_VENMEDIA_NODE_DEVPATH mQemuKernelLoaderFsDevicePath = { + { + { +@@ -174,6 +193,7 @@ QemuLoadKernelImage ( + UINTN CommandLineSize; + CHAR8 *CommandLine; + UINTN InitrdSize; ++ BOOLEAN Shim; + + // + // Load the image. 
This should call back into the QEMU EFI loader file system. +@@ -181,11 +201,35 @@ QemuLoadKernelImage ( + Status = gBS->LoadImage ( + FALSE, // BootPolicy: exact match required + gImageHandle, // ParentImageHandle +- (EFI_DEVICE_PATH_PROTOCOL *)&mKernelDevicePath, ++ (EFI_DEVICE_PATH_PROTOCOL *)&mShimDevicePath, + NULL, // SourceBuffer + 0, // SourceSize + &KernelImageHandle + ); ++ if (Status == EFI_SUCCESS) { ++ Shim = TRUE; ++ DEBUG ((DEBUG_INFO, "%a: booting via shim\n", __func__)); ++ } else { ++ Shim = FALSE; ++ if (Status == EFI_SECURITY_VIOLATION) { ++ gBS->UnloadImage (KernelImageHandle); ++ } ++ ++ if (Status != EFI_NOT_FOUND) { ++ DEBUG ((DEBUG_INFO, "%a: LoadImage(shim): %r\n", __func__, Status)); ++ return Status; ++ } ++ ++ Status = gBS->LoadImage ( ++ FALSE, // BootPolicy: exact match required ++ gImageHandle, // ParentImageHandle ++ (EFI_DEVICE_PATH_PROTOCOL *)&mKernelDevicePath, ++ NULL, // SourceBuffer ++ 0, // SourceSize ++ &KernelImageHandle ++ ); ++ } ++ + switch (Status) { + case EFI_SUCCESS: + break; +@@ -303,6 +347,13 @@ QemuLoadKernelImage ( + KernelLoadedImage->LoadOptionsSize += sizeof (L" initrd=initrd") - 2; + } + ++ if (Shim) { ++ // ++ // Prefix 'kernel ' in UTF-16. ++ // ++ KernelLoadedImage->LoadOptionsSize += sizeof (L"kernel ") - 2; ++ } ++ + if (KernelLoadedImage->LoadOptionsSize == 0) { + KernelLoadedImage->LoadOptions = NULL; + } else { +@@ -323,7 +374,8 @@ QemuLoadKernelImage ( + UnicodeSPrintAsciiFormat ( + KernelLoadedImage->LoadOptions, + KernelLoadedImage->LoadOptionsSize, +- "%a%a", ++ "%a%a%a", ++ (Shim == FALSE) ? "" : "kernel ", + (CommandLineSize == 0) ? "" : CommandLine, + (InitrdSize == 0) ? "" : " initrd=initrd" + ); +-- +2.49.0 + diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-9.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-9.patch new file mode 100644 index 0000000000..8f0535cc4b --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-9.patch 
@@ -0,0 +1,108 @@ +From 1549bf11cc94b135b6ad8fa5ebc34bdf7c18ba9c Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 17 Dec 2024 09:59:21 +0100 +Subject: [PATCH 09/10] OvmfPkg/X86QemuLoadImageLib: make legacy loader + configurable. + +Add the 'opt/org.tianocore/EnableLegacyLoader' FwCfg option to +enable/disable the insecure legacy linux kernel loader. + +For now this is enabled by default. Probably the default will be +flipped to disabled at some point in the future. + +Also print a warning to the screen in case the linux kernel secure +boot verification has failed. + +Signed-off-by: Gerd Hoffmann + +CVE: CVE-2025-2296 +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1549bf11cc94b135b6ad8fa5ebc34bdf7c18ba9c] +Signed-off-by: Hongxu Jia +--- + .../X86QemuLoadImageLib/X86QemuLoadImageLib.c | 48 ++++++++++++++++--- + .../X86QemuLoadImageLib.inf | 1 + + 2 files changed, 42 insertions(+), 7 deletions(-) + +diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c +index e4dbc2dc7e..2d610f6bd3 100644 +--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c ++++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c +@@ -19,8 +19,10 @@ + #include + #include + #include ++#include + #include + #include ++#include + #include + #include + #include +@@ -421,13 +423,45 @@ QemuLoadKernelImage ( + // Fall through + // + case EFI_ACCESS_DENIED: +- // +- // We are running with UEFI secure boot enabled, and the image failed to +- // authenticate. For compatibility reasons, we fall back to the legacy +- // loader in this case. +- // +- // Fall through +- // ++ // ++ // We are running with UEFI secure boot enabled, and the image failed to ++ // authenticate. For compatibility reasons, we fall back to the legacy ++ // loader in this case (unless disabled via fw_cfg). 
++ // ++ { ++ EFI_STATUS RetStatus; ++ BOOLEAN Enabled = TRUE; ++ ++ AsciiPrint ( ++ "OVMF: Secure boot image verification failed. Consider using the '-shim'\n" ++ "OVMF: command line switch for qemu (available in version 10.0 + newer).\n" ++ "\n" ++ ); ++ ++ RetStatus = QemuFwCfgParseBool ( ++ "opt/org.tianocore/EnableLegacyLoader", ++ &Enabled ++ ); ++ if (EFI_ERROR (RetStatus)) { ++ Enabled = TRUE; ++ } ++ ++ if (!Enabled) { ++ AsciiPrint ( ++ "OVMF: Fallback to insecure legacy linux kernel loader is disabled.\n" ++ "\n" ++ ); ++ return EFI_ACCESS_DENIED; ++ } else { ++ AsciiPrint ( ++ "OVMF: Using legacy linux kernel loader (insecure and deprecated).\n" ++ "\n" ++ ); ++ // ++ // Fall through ++ // ++ } ++ } + case EFI_UNSUPPORTED: + // + // The image is not natively supported or cross-type supported. Let's try +diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf +index c7ec041cb7..09babd3be8 100644 +--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf ++++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf +@@ -33,6 +33,7 @@ + LoadLinuxLib + PrintLib + QemuFwCfgLib ++ QemuFwCfgSimpleParserLib + ReportStatusCodeLib + UefiBootServicesTableLib + +-- +2.49.0 + diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index badde30d97..fd5ff25dc9 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb 
@@ -29,6 +29,16 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ file://0006-BaseTools-StringFuncs-fix-gcc-16-warning.patch \ file://0007-BaseTools-EfiRom-fix-compiler-warning.patch \ file://0008-BaseTools-Pccts-set-C-standard.patch \ + file://0001-AmdSev-Halt-on-failed-blob-allocation.patch \ + file://CVE-2025-2296-1.patch \ + file://CVE-2025-2296-2.patch \ + file://CVE-2025-2296-3.patch \ + file://CVE-2025-2296-4.patch \ + file://CVE-2025-2296-5.patch \ + file://CVE-2025-2296-6.patch \ + file://CVE-2025-2296-7.patch \ + file://CVE-2025-2296-8.patch \ + file://CVE-2025-2296-9.patch \ " PV = "edk2-stable202402" From patchwork Tue May 5 16:57:31 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87525 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5FF39CD3439 for ; Tue, 5 May 2026 16:59:03 +0000 (UTC) Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1057.1778000340608032563 for ; Tue, 05 May 2026 09:59:00 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=UuB5FLNZ; spf=pass (domain: smile.fr, ip: 209.85.128.41, mailfrom: fabien.thomas@smile.fr) Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-48a3e9862f0so378145e9.1 for ; Tue, 05 May 2026 09:59:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1778000338; x=1778605138; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=tHNiwqjKu7MW1EvUhnIuiIzhhtjRwHhvSCLaSkJ0GA0=; 
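Review bot: In the QemuLoadKernelImage hunk of CVE-2025-2296-8.patch (GenericQemuLoadImageLib.c, @@ -181,11 +201,35), a shim that fails to load for any reason other than EFI_NOT_FOUND is reported at DEBUG_INFO just before `return Status;`, so a rejected or corrupt shim goes unnoticed in builds that filter out info-level messages. Suggest DEBUG_ERROR for the `LoadImage(shim): %r` message, plus a short comment stating that the fallback to mKernelDevicePath is taken only when no shim file exists, since that condition is what keeps a shim that failed verification from being quietly replaced by a direct kernel load.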
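Review bot: In the EFI_ACCESS_DENIED case of CVE-2025-2296-9.patch (X86QemuLoadImageLib.c, @@ -421,13 +423,45), the fallback stays fail-open: `Enabled` starts as TRUE and is set back to TRUE when QemuFwCfgParseBool returns an error, so an image that failed Secure Boot verification is still handed to the legacy loader unless the VM disables it through opt/org.tianocore/EnableLegacyLoader. That matches the upstream commit message ("For now this is enabled by default"), but since the recipe lists this file under CVE-2025-2296, the recipe or the OE commit message should state that enforcement needs the fw_cfg option set explicitly, otherwise integrators will read the CVE as closed by default.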
(PDT) From: Fabien Thomas To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 14/23] ovmf: fix CVE-2024-38798 Date: Tue, 5 May 2026 18:57:31 +0200 Message-ID: X-Mailer: git-send-email 2.54.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 May 2026 16:59:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236505 From: Hongxu Jia According to [1], EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of Sensitive Information to an Unauthorized Actor” by local access. Successful exploitation of this vulnerability will lead to possible information disclosure or escalation of privilege and impact Confidentiality. Backport a patch [2] from upstream to fix CVE-2024-38798 [1] https://nvd.nist.gov/vuln/detail/CVE-2024-38798 [2] https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249 Signed-off-by: Hongxu Jia Signed-off-by: Fabien Thomas --- .../ovmf/ovmf/CVE-2024-38798.patch | 116 ++++++++++++++++++ meta/recipes-core/ovmf/ovmf_git.bb | 1 + 2 files changed, 117 insertions(+) create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch new file mode 100644 index 0000000000..2d0a73c7a6 --- /dev/null +++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch 
@@ -0,0 +1,116 @@ +From 81263e46ad8cf2a6c7d86bc51c95342d07ec31ca Mon Sep 17 00:00:00 2001 +From: Hongxu Jia +Date: Mon, 5 Jan 2026 13:04:18 +0800 +Subject: [PATCH] MdeModulePkg : Clear keyboard queue buffer after reading + +There is a possibility to retrieve user input keystroke data stored in the +queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer. To prevent +exposure of the password string, clear the queue buffer by filling it +with zeros after reading. + +Signed-off-by: Nick Wang + +CVE: CVE-2024-38798 +Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249] +Signed-off-by: Hongxu Jia +--- + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c | 2 ++ + MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c | 1 + + MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c | 2 +- + .../Universal/Console/ConSplitterDxe/ConSplitter.c | 1 + + .../Universal/Console/TerminalDxe/TerminalConIn.c | 8 ++++++-- + 5 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c +index 981309f..32757a7 100644 +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c +@@ -650,6 +650,8 @@ PopScancodeBufHead ( + if (Buf != NULL) { + Buf[Index] = Queue->Buffer[Queue->Head]; + } ++ ++ Queue->Buffer[Queue->Head] = 0; + } + + return EFI_SUCCESS; +diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c +index 81d3c6e..e03c88f 100644 +--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c ++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c +@@ -51,6 +51,7 @@ PopEfikeyBufHead ( + CopyMem (KeyData, &Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA)); + } + ++ ZeroMem (&Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA)); + Queue->Head = (Queue->Head + 1) % KEYBOARD_EFI_KEY_MAX_COUNT; + return EFI_SUCCESS; + } +diff 
--git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c +index b5a6459..7df1566 100644 +--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c ++++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c +@@ -1840,7 +1840,7 @@ Dequeue ( + } + + CopyMem (Item, Queue->Buffer[Queue->Head], ItemSize); +- ++ ZeroMem (Queue->Buffer[Queue->Head], ItemSize); + // + // Adjust the head pointer of the FIFO keyboard buffer. + // +diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c +index 0a776f3..5c1a35e 100644 +--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c ++++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c +@@ -3537,6 +3537,7 @@ ConSplitterTextInExDequeueKey ( + &Private->KeyQueue[1], + Private->CurrentNumberOfKeys * sizeof (EFI_KEY_DATA) + ); ++ ZeroMem (&Private->KeyQueue[Private->CurrentNumberOfKeys], sizeof (EFI_KEY_DATA)); + return EFI_SUCCESS; + } + +diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c +index f1d0a34..8aafb4b 100644 +--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c ++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c +@@ -760,7 +760,8 @@ RawFiFoRemoveOneKey ( + return FALSE; + } + +- *Output = TerminalDevice->RawFiFo->Data[Head]; ++ *Output = TerminalDevice->RawFiFo->Data[Head]; ++ TerminalDevice->RawFiFo->Data[Head] = 0; + + TerminalDevice->RawFiFo->Head = (UINT8)((Head + 1) % (RAW_FIFO_MAX_NUMBER + 1)); + +@@ -881,6 +882,7 @@ EfiKeyFiFoForNotifyRemoveOneKey ( + } + + CopyMem (Output, &EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY)); ++ ZeroMem (&EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY)); + + EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1)); + +@@ -1032,6 +1034,7 @@ EfiKeyFiFoRemoveOneKey ( + } + + CopyMem (Output, &TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY)); ++ ZeroMem 
(&TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY)); + + TerminalDevice->EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1)); + +@@ -1142,7 +1145,8 @@ UnicodeFiFoRemoveOneKey ( + Head = TerminalDevice->UnicodeFiFo->Head; + ASSERT (Head < FIFO_MAX_NUMBER + 1); + +- *Output = TerminalDevice->UnicodeFiFo->Data[Head]; ++ *Output = TerminalDevice->UnicodeFiFo->Data[Head]; ++ TerminalDevice->UnicodeFiFo->Data[Head] = 0; + + TerminalDevice->UnicodeFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1)); + } +-- +2.34.1 + diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb index fd5ff25dc9..4e6227f484 100644 --- a/meta/recipes-core/ovmf/ovmf_git.bb +++ b/meta/recipes-core/ovmf/ovmf_git.bb 
@@ -39,6 +39,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \ file://CVE-2025-2296-7.patch \ file://CVE-2025-2296-8.patch \ file://CVE-2025-2296-9.patch \ + file://CVE-2024-38798.patch \ " PV = "edk2-stable202402" From patchwork Tue May 5 16:57:32 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87529 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6E465FF8855 for ; Tue, 5 May 2026 16:59:03 +0000 (UTC) Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1088.1778000341879623977 for ; Tue, 05 May 2026 09:59:02 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=kqaP28aj; spf=pass (domain: smile.fr, ip: 209.85.128.53, mailfrom: fabien.thomas@smile.fr) Received: by mail-wm1-f53.google.com with SMTP id 5b1f17b1804b1-48a3e9862f0so378285e9.1 for ; Tue, 05 May 2026 09:59:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1778000340; x=1778605140; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=zJ2w8SqjelMZrxU42juGoyKkkUObsl54txDndZ3jHYk=; b=kqaP28ajM6O8WaVIfTlQDLU1yOVXPd/aR03dCnmYX9ojDXMMz5KmyDccbq6+SxsWVN 1ga2cPJs7M3Hi8gn1ZxSUgPd8PPgS0B3yUtqYHvY/JMHJfE8Z53srzvLPMGDymC9wdDe CKCLSx+BpoSxEe1nhaLYRWllmpY0BNGL14Lt4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778000340; x=1778605140; h=content-transfer-encoding:mime-version:references:in-reply-to 
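Review bot: The header of the embedded CVE-2024-38798.patch does not match the commit it says it backports: it opens with `From 81263e46ad8cf2a6c7d86bc51c95342d07ec31ca`, `From: Hongxu Jia` and a 5 Jan 2026 date, while Upstream-Status points at edk2 commit 0cad130cb4885961da201bb9b08424b3fd3d2249 and the original sign-off is Nick Wang's. Suggest regenerating the patch from the upstream commit so the hash and author line can be checked against upstream, or stating in the patch header that it was re-committed locally and what, if anything, changed during the backport.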
From: Fabien Thomas To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 15/23] apt: Add CVE_PRODUCT to support product name Date: Tue, 5 May 2026 18:57:32 +0200 Message-ID: <28d3ab81b9386bda16e196ed2934967843413186.1777995876.git.fabien.thomas@smile.fr> X-Mailer: git-send-email 2.54.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 May 2026 16:59:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236506 From: Himanshu Jadon - Keep both the older deprecated debian:apt alias and the active debian:advanced_package_tool identity in CVE_PRODUCT. - This preserves completeness and avoids missing CVEs in case older aliases are still used in NVD records. Signed-off-by: Himanshu Jadon Signed-off-by: Richard Purdie (cherry picked from commit 4c777220ee5740b800f4128da79c24f7e42c7b88) Signed-off-by: Himanshu Jadon [FT: Rebase onto scarthgap-next] Signed-off-by: Fabien Thomas --- meta/recipes-devtools/apt/apt_2.6.1.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-devtools/apt/apt_2.6.1.bb b/meta/recipes-devtools/apt/apt_2.6.1.bb index 436e2e8cad..12915660b0 100644 --- a/meta/recipes-devtools/apt/apt_2.6.1.bb +++ b/meta/recipes-devtools/apt/apt_2.6.1.bb 
@@ -141,3 +141,6 @@ do_install:append() { # Avoid non-reproducible -src package sed -i -e "s,${B}/include/,,g" ${B}/apt-pkg/tagfile-keys.cc } + +# Add CVE_PRODUCT to match the NVD CPE product name +CVE_PRODUCT = "debian:apt debian:advanced_package_tool" From patchwork Tue May 5 16:57:33 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87532 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F146CCD3445 for ; Tue, 5 May 2026 16:59:03 +0000 (UTC) Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1089.1778000343048352921 for ; Tue, 05 May 2026 09:59:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=dHqN6/TO; spf=pass (domain: smile.fr, ip: 209.85.128.51, mailfrom: fabien.thomas@smile.fr) Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-4890d945eb4so586045e9.0 for ; Tue, 05 May 2026 09:59:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1778000341; x=1778605141; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=u4aGmhFFmVhLT9sPC+X5gctrwuuYTDfEf9PVxMmFJ5I=; b=dHqN6/TOGk61bN4uqzuiEW70BKTFk8Lpogq3iB2vfTIZMLOv1n5VjvQgAZamo3Po5r rzf5Aat6CbsoJgjl30vsROD3Kqrya/ibQ94cOzqKqZgg6kT9U1QyjYGAU/rBYilWliPJ /Hy+Q3CV7oQ6V8MzVlndJj5aBW1iYe1Vvltok= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778000341; x=1778605141; h=content-transfer-encoding:mime-version:references:in-reply-to 
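Review bot: The comment above CVE_PRODUCT in apt_2.6.1.bb says the value matches "the NVD CPE product name", but the assignment lists two products and the reason for keeping both appears only in the commit message. Suggest the comment say that debian:advanced_package_tool is the active identity and debian:apt is the deprecated alias kept so that older NVD records still match, otherwise a later cleanup is likely to drop one of them and narrow the CVE scan.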
From: Fabien Thomas To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 16/23] avahi: Fix CVE-2026-34933 Date: Tue, 5 May 2026 18:57:33 +0200 Message-ID: X-Mailer: git-send-email 2.54.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 May 2026 16:59:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236507 From: Vijay Anusuri Pick patch according to [1] [1] https://security-tracker.debian.org/tracker/CVE-2026-34933 [2] https://github.com/avahi/avahi/pull/891 [3] https://nvd.nist.gov/vuln/detail/CVE-2026-34933 Signed-off-by: Vijay Anusuri Signed-off-by: Fabien Thomas --- meta/recipes-connectivity/avahi/avahi_0.8.bb | 2 + .../avahi/files/CVE-2026-34933-1.patch | 108 ++++++++++++++++++ .../avahi/files/CVE-2026-34933-2.patch | 96 ++++++++++++++++ 3 files changed, 206 insertions(+) create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2026-34933-1.patch create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2026-34933-2.patch diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index fce2d7cd56..31febc360d 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -41,6 +41,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \ file://CVE-2025-68468.patch \ file://CVE-2025-68471.patch \ file://CVE-2026-24401.patch \ + file://CVE-2026-34933-1.patch \ + file://CVE-2026-34933-2.patch \ " GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/" diff --git a/meta/recipes-connectivity/avahi/files/CVE-2026-34933-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2026-34933-1.patch new file mode 100644 index 0000000000..208345a325 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2026-34933-1.patch 
@@ -0,0 +1,108 @@ +From 0be89b6bb5c3983837b5e0febcbbbf452ecf7675 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Wed, 1 Apr 2026 05:31:58 +0000 +Subject: [PATCH] core: refuse to accept publish flags where both wide_area and + multicast are set + +It fixes a bug where it was possible for unprivileged local users to +crash avahi-daemon via D-Bus by calling EntryGroup methods accepting +flags and passing both AVAHI_PUBLISH_USE_WIDE_AREA and +AVAHI_PUBLISH_USE_MULTICAST there. For example when AddRecord was +invoked like that avahi-daemon crashed with +``` +dbus-entry-group.c: interface=org.freedesktop.Avahi.EntryGroup, path=/Client0/EntryGroup1, member=AddRecord +avahi-daemon: entry.c:57: transport_flags_from_domain: Assertion `!((*flags & AVAHI_PUBLISH_USE_MULTICAST) && (*flags & AVAHI_PUBLISH_USE_WIDE_AREA))' failed. +==84944== +==84944== Process terminating with default action of signal 6 (SIGABRT) +==84944== at 0x4B353BC: __pthread_kill_implementation (pthread_kill.c:44) +==84944== by 0x4ADE941: raise (raise.c:26) +==84944== by 0x4AC64AB: abort (abort.c:77) +==84944== by 0x4AC641F: __assert_fail_base.cold (assert.c:118) +==84944== by 0x48A9404: transport_flags_from_domain (entry.c:57) +==84944== by 0x48A9F8F: server_add_internal (entry.c:224) +==84944== by 0x48AA49F: avahi_server_add (entry.c:324) +==84944== by 0x401A670: avahi_dbus_msg_entry_group_impl (dbus-entry-group.c:348) +==84944== by 0x4A70741: ??? (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.38.3) +==84944== by 0x4A5FB22: dbus_connection_dispatch (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.38.3) +==84944== by 0x401D01D: dispatch_timeout_callback (dbus-watch-glue.c:105) +==84944== by 0x488E3AE: timeout_callback (simple-watch.c:447) +==84944== +``` +It's a follow-up to fbce111b069aa1e4c701ed37ee1d9f6d6cefaac5 where +those flags were introduced and consistent with the other places +where wide_area/multicast flags are used. 
+ +It was discovered by +Guillaume Meunier - Head of Vulnerability Operations Center France - Orange Cyberdefense + +https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc + +CVE-2026-34933 + +Upstream-Status: Backport [https://github.com/avahi/avahi/commit/0be89b6bb5c3983837b5e0febcbbbf452ecf7675] +CVE: CVE-2026-34933 +Signed-off-by: Vijay Anusuri +--- + avahi-core/entry.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/avahi-core/entry.c b/avahi-core/entry.c +index 0d862133d..06eb12076 100644 +--- a/avahi-core/entry.c ++++ b/avahi-core/entry.c +@@ -207,6 +207,7 @@ static AvahiEntry * server_add_internal( + AVAHI_PUBLISH_UPDATE| + AVAHI_PUBLISH_USE_WIDE_AREA| + AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); ++ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, avahi_is_valid_domain_name(r->key->name), AVAHI_ERR_INVALID_HOST_NAME); + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, r->ttl != 0, AVAHI_ERR_INVALID_TTL); + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !avahi_key_is_pattern(r->key), AVAHI_ERR_IS_PATTERN); +@@ -454,6 +455,7 @@ int avahi_server_add_address( + AVAHI_PUBLISH_UPDATE| + AVAHI_PUBLISH_USE_WIDE_AREA| + AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); ++ AVAHI_CHECK_VALIDITY(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY(s, !name || avahi_is_valid_fqdn(name), AVAHI_ERR_INVALID_HOST_NAME); + + /* Prepare the host naem */ +@@ -595,6 +597,7 @@ static int server_add_service_strlst_nocopy( + AVAHI_PUBLISH_UPDATE| + AVAHI_PUBLISH_USE_WIDE_AREA| + AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); ++ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, 
avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME); +@@ -754,6 +757,7 @@ static int server_update_service_txt_strlst_nocopy( + AVAHI_PUBLISH_NO_COOKIE| + AVAHI_PUBLISH_USE_WIDE_AREA| + AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); ++ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME); +@@ -843,6 +847,7 @@ int avahi_server_add_service_subtype( + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_IF_VALID(interface), AVAHI_ERR_INVALID_INTERFACE); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_PROTO_VALID(protocol), AVAHI_ERR_INVALID_PROTOCOL); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_MULTICAST|AVAHI_PUBLISH_USE_WIDE_AREA), AVAHI_ERR_INVALID_FLAGS); ++ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE); + AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME); +@@ -910,6 +915,7 @@ static AvahiEntry *server_add_dns_server_name( + 
assert(name); + + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); ++ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, type == AVAHI_DNS_SERVER_UPDATE || type == AVAHI_DNS_SERVER_RESOLVE, AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, port != 0, AVAHI_ERR_INVALID_PORT); + AVAHI_CHECK_VALIDITY_RETURN_NULL(s, avahi_is_valid_fqdn(name), AVAHI_ERR_INVALID_HOST_NAME); +@@ -967,6 +973,7 @@ int avahi_server_add_dns_server_address( + AVAHI_CHECK_VALIDITY(s, AVAHI_IF_VALID(interface), AVAHI_ERR_INVALID_INTERFACE); + AVAHI_CHECK_VALIDITY(s, AVAHI_PROTO_VALID(protocol) && AVAHI_PROTO_VALID(address->proto), AVAHI_ERR_INVALID_PROTOCOL); + AVAHI_CHECK_VALIDITY(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_MULTICAST|AVAHI_PUBLISH_USE_WIDE_AREA), AVAHI_ERR_INVALID_FLAGS); ++ AVAHI_CHECK_VALIDITY(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY(s, type == AVAHI_DNS_SERVER_UPDATE || type == AVAHI_DNS_SERVER_RESOLVE, AVAHI_ERR_INVALID_FLAGS); + AVAHI_CHECK_VALIDITY(s, port != 0, AVAHI_ERR_INVALID_PORT); + AVAHI_CHECK_VALIDITY(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME); diff --git a/meta/recipes-connectivity/avahi/files/CVE-2026-34933-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2026-34933-2.patch new file mode 100644 index 0000000000..479d0d7e93 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2026-34933-2.patch 
@@ -0,0 +1,96 @@ +From a93fdd980d2db5d453475c0aa2b39946bd6611bd Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Wed, 1 Apr 2026 05:30:58 +0000 +Subject: [PATCH] tests: make sure AVAHI_PUBLISH_USE_WIDE_AREA is refused + +Upstream-Status: Backport [https://github.com/avahi/avahi/commit/a93fdd980d2db5d453475c0aa2b39946bd6611bd] +CVE: CVE-2026-34933 +Signed-off-by: Vijay Anusuri +--- + avahi-client/client-test.c | 25 +++++++++++++++++++++++++ + avahi-core/avahi-test.c | 12 +++++++++++- + 2 files changed, 36 insertions(+), 1 deletion(-) + +diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c +index 9a015d7..c80e12f 100644 +--- a/avahi-client/client-test.c ++++ b/avahi-client/client-test.c +@@ -212,6 +212,28 @@ static void terminate(AVAHI_GCC_UNUSED AvahiTimeout *timeout, AVAHI_GCC_UNUSED v + avahi_simple_poll_quit(simple_poll); + } + ++static void test_refuse_publish_flags(AvahiEntryGroup *g, AvahiPublishFlags flags, int expected) { ++ AvahiAddress a; ++ AvahiStringList *l = NULL; ++ int r; ++ ++ r = avahi_entry_group_add_record(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test.local", AVAHI_DNS_CLASS_IN, AVAHI_DNS_TYPE_CNAME, 120, "\0", 1); ++ assert(r == expected); ++ ++ avahi_address_parse("224.0.0.251", AVAHI_PROTO_UNSPEC, &a); ++ r = avahi_entry_group_add_address(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test.local", &a); ++ assert(r == expected); ++ ++ r = avahi_entry_group_add_service_strlst(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test", "_http._tcp", NULL, NULL, 80, l); ++ assert(r == expected); ++ ++ r = avahi_entry_group_update_service_txt_strlst(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test", "_http._tcp", NULL, l); ++ assert(r == expected); ++ ++ r = avahi_entry_group_add_service_subtype(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test", "_http._tcp", NULL, "_magic._sub._http._tcp"); ++ assert(r == expected); ++} ++ + int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + AvahiClient 
*avahi; + AvahiEntryGroup *group, *group2; +@@ -275,6 +297,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0); + assert(error != AVAHI_OK); + ++ test_refuse_publish_flags(group, AVAHI_PUBLISH_USE_WIDE_AREA, AVAHI_ERR_NOT_SUPPORTED); ++ test_refuse_publish_flags(group, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST, AVAHI_ERR_INVALID_FLAGS); ++ + avahi_entry_group_commit (group); + + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); +diff --git a/avahi-core/avahi-test.c b/avahi-core/avahi-test.c +index 2a7872b..2bae82b 100644 +--- a/avahi-core/avahi-test.c ++++ b/avahi-core/avahi-test.c +@@ -30,6 +30,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -150,6 +151,7 @@ static void remove_entries(void) { + static void create_entries(int new_name) { + AvahiAddress a; + AvahiRecord *r; ++ int error; + + remove_entries(); + +@@ -181,7 +183,15 @@ static void create_entries(int new_name) { + goto fail; + } + +- if (avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, NULL, AVAHI_DNS_SERVER_RESOLVE, avahi_address_parse("192.168.50.1", AVAHI_PROTO_UNSPEC, &a), 53) < 0) { ++ avahi_address_parse("192.168.50.1", AVAHI_PROTO_UNSPEC, &a); ++ ++ error = avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, AVAHI_PUBLISH_USE_WIDE_AREA, NULL, AVAHI_DNS_SERVER_RESOLVE, &a, 53); ++ assert(error == AVAHI_ERR_NOT_SUPPORTED); ++ ++ error = avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST, NULL, AVAHI_DNS_SERVER_RESOLVE, &a, 53); ++ assert(error == AVAHI_ERR_INVALID_FLAGS); ++ ++ if (avahi_server_add_dns_server_address(server, group, 
AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, NULL, AVAHI_DNS_SERVER_RESOLVE, &a, 53) < 0) { + avahi_log_error("Failed to add new DNS Server address"); + goto fail; + } +-- +2.43.0 +
From patchwork Tue May 5 16:57:34 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87534
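Review bot: In the avahi-core/avahi-test.c hunk of CVE-2026-34933-2.patch, create_entries() now calls avahi_address_parse("192.168.50.1", ...) as a bare statement and discards its return value, so a failed parse would leave the uninitialized local "a" to be passed as &a to three avahi_server_add_dns_server_address() calls; test_refuse_publish_flags() in avahi-client/client-test.c does the same with "224.0.0.251". Suggest asserting that the parse result is non-NULL in both places. The new expectations (AVAHI_ERR_NOT_SUPPORTED and AVAHI_ERR_INVALID_FLAGS) are also enforced only through assert(), so they vanish if the tests are built with NDEBUG.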
From: Fabien Thomas
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 17/23] gdk-pixbuf: Fix CVE-2026-5201
Date: Tue, 5 May 2026 18:57:34 +0200
X-Mailer: git-send-email 2.54.0
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236508

From: Vijay Anusuri

Pick patch according to [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-5201
[2] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/304

Signed-off-by: Vijay Anusuri
Signed-off-by: Fabien Thomas
--- .../gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch | 44 +++++++++++++++++++ .../gdk-pixbuf/gdk-pixbuf_2.42.12.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch new file mode 100644 index 0000000000..97e0dddb62 --- /dev/null +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch
@@ -0,0 +1,44 @@ +From 6cce9311e70b969cbcc6e3e1e74ae1756ed02d5b Mon Sep 17 00:00:00 2001 +From: Matthias Clasen +Date: Mon, 30 Mar 2026 12:21:56 -0400 +Subject: [PATCH] jpeg: Reject unsupported number of components + +This condition was already checked for incremental loading. +This commit adds the same check in the nonincremental +code path. + +Closes: #304 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/6cce9311e70b969cbcc6e3e1e74ae1756ed02d5b] +CVE: CVE-2026-5201 +Signed-off-by: Vijay Anusuri +--- + gdk-pixbuf/io-jpeg.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c +index 9ee1d21..d419812 100644 +--- a/gdk-pixbuf/io-jpeg.c ++++ b/gdk-pixbuf/io-jpeg.c +@@ -625,6 +625,18 @@ gdk_pixbuf__real_jpeg_image_load (FILE *f, struct jpeg_decompress_struct *cinfo, + cinfo->do_fancy_upsampling = FALSE; + cinfo->do_block_smoothing = FALSE; + ++ /* Reject unsupported component counts */ ++ if (cinfo->output_components != 3 && cinfo->output_components != 4 && ++ !(cinfo->output_components == 1 && ++ cinfo->out_color_space == JCS_GRAYSCALE)) { ++ g_set_error (error, ++ GDK_PIXBUF_ERROR, ++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE, ++ _("Unsupported number of color components (%d)"), ++ cinfo->output_components); ++ goto out; ++ } ++ + pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, + cinfo->out_color_components == 4 ? TRUE : FALSE, + 8, +-- +2.43.0 + diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb index 7c58fe1e1d..2f0de425b5 100644 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb 
@@ -22,6 +22,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \ file://CVE-2025-7345.patch \ file://CVE-2025-6199.patch \ + file://CVE-2026-5201.patch \ " SRC_URI[sha256sum] = "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7"
From patchwork Tue May 5 16:57:35 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87540
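Review bot: In the gdk-pixbuf/io-jpeg.c hunk of CVE-2026-5201.patch, the new guard validates cinfo->output_components, but the gdk_pixbuf_new() call in the trailing context still derives the alpha flag from cinfo->out_color_components == 4, so the check and the allocation key off two different fields. Suggest either testing the field the allocation actually uses or adding a short comment on why output_components is the right one at this point. The commit message says the incremental loader already carries this check; naming that code in the comment would help keep the two paths in sync, and the patch adds no test for the non-incremental path.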
From: Fabien Thomas
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 18/23] ghostscript: Pin to C17 std
Date: Tue, 5 May 2026 18:57:35 +0200
Message-ID: <0647201fb4729be3b10b3da2b19645c59147b40a.1777995876.git.fabien.thomas@smile.fr>
X-Mailer: git-send-email 2.54.0
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236509

The code defines a custom 'bool' type (as an 'int'), which is incompatible with C23 in which bool is a keyword, and trying to use fails because 'int' and 'bool' are used interchangeably in the code.

Add the flag to CC variable, since CFLAGS is used by both c and c++ compilers and clang++ is less forgiving when C compiler only option is used on its cmdline so it complains about -std=gnu17 and bails out.

Signed-off-by: Khem Raj
Signed-off-by: Richard Purdie
(From OE-Core rev: 49657089ef215824f8f79a81deb7baf4f27d0030)
Signed-off-by: Mikko Rapeli
Signed-off-by: Fabien Thomas
--- meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb index a48ad671c7..57a1098521 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
@@ -50,6 +50,8 @@ EXTRA_OECONF:append:mipsarcho32 = " --with-large_color_index=0" EXTRA_OECONF:append:armv7a = "${@bb.utils.contains('TUNE_FEATURES','neon','',' --disable-neon',d)}" EXTRA_OECONF:append:armv7ve = "${@bb.utils.contains('TUNE_FEATURES','neon','',' --disable-neon',d)}" +CC += "-std=gnu17" + # Uses autoconf but not automake, can't do out-of-tree inherit autotools-brokensep pkgconfig
From patchwork Tue May 5 16:57:36 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87537
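Review bot: The added CC += "-std=gnu17" line in ghostscript_10.05.1.bb carries no comment, so the reason the flag is placed on CC instead of CFLAGS (clang++ rejecting the C-only option) is recorded only in the commit message. Suggest a one-line comment above it stating that, together with the condition under which the pin can be dropped (the custom 'bool' typedef no longer conflicting with C23).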
From: Fabien Thomas
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 19/23] ghostscript: fix build with gcc-15 on host
Date: Tue, 5 May 2026 18:57:36 +0200
Message-ID: <0769c461e545073772aecc34e81fa309ade68dcb.1777995876.git.fabien.thomas@smile.fr>
X-Mailer: git-send-email 2.54.0
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236510

From: Martin Jansa

Signed-off-by: Martin Jansa
Signed-off-by: Richard Purdie
(From OE-Core rev: 02e282f6417274a93c6f01978bf33e2d171297b0)
Signed-off-by: Mikko Rapeli
Signed-off-by: Fabien Thomas
--- ...Fix-compatibility-with-C23-compilers.patch | 67 +++++++++++++++++++ .../ghostscript/ghostscript_10.05.1.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/0001-Bug-708160-Fix-compatibility-with-C23-compilers.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-708160-Fix-compatibility-with-C23-compilers.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-708160-Fix-compatibility-with-C23-compilers.patch new file mode 100644 index 0000000000..78f3fc1c34 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-708160-Fix-compatibility-with-C23-compilers.patch
@@ -0,0 +1,67 @@ +From c595086bfe206776676e290df98cd09e91210e27 Mon Sep 17 00:00:00 2001 +From: Alex Cherepanov +Date: Thu, 3 Apr 2025 17:19:41 +0100 +Subject: [PATCH] Bug 708160: Fix compatibility with C23 compilers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* fixes: + http://errors.yoctoproject.org/Errors/Details/853021/ + +In file included from ./base/genconf.c:18: +./base/stdpre.h:348:13: error: ‘bool’ cannot be defined via ‘typedef’ + 348 | typedef int bool; + | ^~~~ +./base/stdpre.h:348:13: note: ‘bool’ is a keyword with ‘-std=c23’ onwards +./base/stdpre.h:348:1: warning: useless type name in empty declaration + 348 | typedef int bool; + | ^~~~~~~ + +Upstream-Status: Backport [Partial backport of https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/base/stdpre.h?id=ae940946473ceb8c5353bc6e7f04673c6e60502d] + +Signed-off-by: Martin Jansa +--- + base/stdpre.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/base/stdpre.h b/base/stdpre.h +index dda30b6..2f9c84e 100644 +--- a/base/stdpre.h ++++ b/base/stdpre.h +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2025 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -341,7 +341,9 @@ typedef signed char schar; + * and the MetroWerks C++ compiler insists that bool be equivalent to + * unsigned char. + */ +-#ifndef __cplusplus ++ ++/* C23 has bool as a builtin type. */ ++#if !defined(__cplusplus) && (!defined(__STDC_VERSION__) || __STDC_VERSION__ < 202311L) + #ifdef __BEOS__ + typedef unsigned char bool; + #else +diff --git a/base/gp.h b/base/gp.h +index ad5bb61..cf2c9cf 100644 +--- a/base/gp.h ++++ b/base/gp.h +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2025 Artifex Software, Inc. + All Rights Reserved. 
+ + This software is provided AS-IS with no warranty, either express or +@@ -646,7 +646,7 @@ int gp_fseek_impl(FILE *strm, gs_offset_t offset, int origin); + /* Create a second open gp_file on the basis of a given one */ + FILE *gp_fdup_impl(FILE *f, const char *mode); + +-int gp_fseekable_impl(FILE *f); ++bool gp_fseekable_impl(FILE *f); + + /* Force given file into binary mode (no eol translations, etc) */ + /* if 2nd param true, text mode if 2nd param false */ diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb index 57a1098521..f7e1de734d 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb 
@@ -28,6 +28,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo file://CVE-2025-59798.patch \ file://CVE-2025-59799.patch \ file://CVE-2025-59800.patch \ + file://0001-Bug-708160-Fix-compatibility-with-C23-compilers.patch \ " SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49"
From patchwork Tue May 5 16:57:37 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87538
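Review bot: The header of 0001-Bug-708160-Fix-compatibility-with-C23-compilers.patch does not match its body: the diffstat lists only base/stdpre.h (4 insertions, 2 deletions) and Upstream-Status cites a partial backport of the stdpre.h commit, yet the patch also modifies base/gp.h, changing the copyright year and the return type of gp_fseekable_impl() from int to bool. Suggest regenerating the diffstat so gp.h appears, and stating in the patch header where the gp.h change comes from (the same upstream commit, another commit, or a local addition) so the Upstream-Status line covers everything the patch touches.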
From: Fabien Thomas
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 20/23] systemd: fix for CVE-2026-40225
Date: Tue, 5 May 2026 18:57:37 +0200
X-Mailer: git-send-email 2.54.0
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236511

From: Hitendra Prajapati

Backport commits [0] and [1], which fix this vulnerability as mentioned in the Debian report [2].

[0] https://github.com/systemd/systemd/commit/03bb697b8df0339c37f4b845025320b261aeb7cc
[1] https://github.com/systemd/systemd/commit/5887e72ff87d3a66a4c3fa91897fbec1545f4d3d
[2] https://security-tracker.debian.org/tracker/CVE-2026-40225

More details: https://nvd.nist.gov/vuln/detail/CVE-2026-40225

Signed-off-by: Hitendra Prajapati
Signed-off-by: Fabien Thomas
--- .../systemd/systemd/CVE-2026-40225-01.patch | 131 ++++++++++++++++++ .../systemd/systemd/CVE-2026-40225-02.patch | 39 ++++++ meta/recipes-core/systemd/systemd_255.21.bb | 2 + 3 files changed, 172 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/CVE-2026-40225-01.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2026-40225-02.patch diff --git a/meta/recipes-core/systemd/systemd/CVE-2026-40225-01.patch b/meta/recipes-core/systemd/systemd/CVE-2026-40225-01.patch new file mode 100644 index 0000000000..f616e636c2 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2026-40225-01.patch
@@ -0,0 +1,131 @@ +From 03bb697b8df0339c37f4b845025320b261aeb7cc Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 6 Mar 2026 19:32:35 +0000 +Subject: [PATCH] udev: check for invalid chars in various fields received from + the kernel + +(cherry picked from commit 16325b35fa6ecb25f66534a562583ce3b96d52f3) +(cherry picked from commit 3513862eabe9ec4a6a095d7266e98f998f289ed2) +(cherry picked from commit c20d21e0da293e715db468f9f4a15a5c8fbf8273) + +CVE: CVE-2026-40225 +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/03bb697b8df0339c37f4b845025320b261aeb7cc] +Signed-off-by: Hitendra Prajapati +--- + src/udev/dmi_memory_id/dmi_memory_id.c | 3 ++- + src/udev/scsi_id/scsi_id.c | 5 +++-- + src/udev/udev-builtin-net_id.c | 9 +++++++++ + src/udev/v4l_id/v4l_id.c | 5 ++++- + 4 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/src/udev/dmi_memory_id/dmi_memory_id.c b/src/udev/dmi_memory_id/dmi_memory_id.c +index 52ea250af8..4f2c21b80b 100644 +--- a/src/udev/dmi_memory_id/dmi_memory_id.c ++++ b/src/udev/dmi_memory_id/dmi_memory_id.c +@@ -51,6 +51,7 @@ + #include "string-util.h" + #include "udev-util.h" + #include "unaligned.h" ++#include "utf8.h" + + #define SUPPORTED_SMBIOS_VER 0x030300 + +@@ -185,7 +186,7 @@ static void dmi_memory_device_string( + + str = strdupa_safe(dmi_string(h, s)); + str = strstrip(str); +- if (!isempty(str)) ++ if (!isempty(str) && utf8_is_valid(str) && !string_has_cc(str, /* ok= */ NULL)) + printf("MEMORY_DEVICE_%u_%s=%s\n", slot_num, attr_suffix, str); + } + +diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c +index 6308c52b7e..7e18bc755a 100644 +--- a/src/udev/scsi_id/scsi_id.c ++++ b/src/udev/scsi_id/scsi_id.c +@@ -27,6 +27,7 @@ + #include "strv.h" + #include "strxcpyx.h" + #include "udev-util.h" ++#include "utf8.h" + + static const struct option options[] = { + { "device", required_argument, NULL, 'd' }, +@@ -443,8 +444,8 @@ static int scsi_id(char *maj_min_dev) { + } + if 
(dev_scsi.tgpt_group[0] != '\0') + printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group); +- if (dev_scsi.unit_serial_number[0] != '\0') +- printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number); ++ if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL)) ++ printf("ID_SCSI_SERIAL=%s\n", serial_str); + goto out; + } + +diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c +index 91b40088f4..715184e282 100644 +--- a/src/udev/udev-builtin-net_id.c ++++ b/src/udev/udev-builtin-net_id.c +@@ -39,6 +39,7 @@ + #include "strv.h" + #include "strxcpyx.h" + #include "udev-builtin.h" ++#include "utf8.h" + + #define ONBOARD_14BIT_INDEX_MAX ((1U << 14) - 1) + #define ONBOARD_16BIT_INDEX_MAX ((1U << 16) - 1) +@@ -247,6 +248,9 @@ static int get_port_specifier(sd_device *dev, bool fallback_to_dev_id, char **re + } + } + ++ if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL)) ++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name"); ++ + /* Otherwise, use phys_port_name as is. */ + buf = strjoin("n", phys_port_name); + if (!buf) +@@ -351,6 +355,9 @@ static int names_pci_onboard_label(sd_device *dev, sd_device *pci_dev, const cha + if (r < 0) + return log_device_debug_errno(pci_dev, r, "Failed to get PCI onboard label: %m"); + ++ if (!utf8_is_valid(label) || string_has_cc(label, /* ok= */ NULL)) ++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid label"); ++ + char str[ALTIFNAMSIZ]; + if (snprintf_ok(str, sizeof str, "%s%s", + naming_scheme_has(NAMING_LABEL_NOPREFIX) ? 
"" : prefix, +@@ -1209,6 +1216,8 @@ static int names_netdevsim(sd_device *dev, const char *prefix, bool test) { + if (isempty(phys_port_name)) + return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EOPNOTSUPP), + "The 'phys_port_name' attribute is empty."); ++ if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL)) ++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name"); + + char str[ALTIFNAMSIZ]; + if (snprintf_ok(str, sizeof str, "%si%un%s", prefix, addr, phys_port_name)) +diff --git a/src/udev/v4l_id/v4l_id.c b/src/udev/v4l_id/v4l_id.c +index 30527e9556..2ec96d8d3a 100644 +--- a/src/udev/v4l_id/v4l_id.c ++++ b/src/udev/v4l_id/v4l_id.c +@@ -29,6 +29,8 @@ + #include "build.h" + #include "fd-util.h" + #include "main-func.h" ++#include "string-util.h" ++#include "utf8.h" + + static const char *arg_device = NULL; + +@@ -82,7 +84,8 @@ static int run(int argc, char *argv[]) { + int capabilities; + + printf("ID_V4L_VERSION=2\n"); +- printf("ID_V4L_PRODUCT=%s\n", v2cap.card); ++ if (utf8_is_valid((char *)v2cap.card) && !string_has_cc((char *)v2cap.card, /* ok= */ NULL)) ++ printf("ID_V4L_PRODUCT=%s\n", v2cap.card); + printf("ID_V4L_CAPABILITIES=:"); + + if (v2cap.capabilities & V4L2_CAP_DEVICE_CAPS) +-- +2.50.1 + diff --git a/meta/recipes-core/systemd/systemd/CVE-2026-40225-02.patch b/meta/recipes-core/systemd/systemd/CVE-2026-40225-02.patch new file mode 100644 index 0000000000..bc0a5514d4 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2026-40225-02.patch 
@@ -0,0 +1,39 @@ +From 5887e72ff87d3a66a4c3fa91897fbec1545f4d3d Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 13 Mar 2026 11:10:47 +0000 +Subject: [PATCH] udev: fix review mixup + +The previous version in the PR changed variable and sanitized it +in place. The second version switched to skip if CCs are in the +string instead, but didn't move back to the original variable. +Because it's an existing variable, no CI caught it. + +Follow-up for 16325b35fa6ecb25f66534a562583ce3b96d52f3 + +(cherry picked from commit 54f880b02ecf7362e630ffc885d1466df6ee6820) +(cherry picked from commit 4425d8523e79f3cc00b3b93a0b5e7c6cdc284a97) +(cherry picked from commit 75c585beae60e73208941e6b3f64cf249223f53d) + +CVE: CVE-2026-40225 +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/5887e72ff87d3a66a4c3fa91897fbec1545f4d3d] +Signed-off-by: Hitendra Prajapati +--- + src/udev/scsi_id/scsi_id.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c +index 7e18bc755a..b2df8d9f7f 100644 +--- a/src/udev/scsi_id/scsi_id.c ++++ b/src/udev/scsi_id/scsi_id.c +@@ -445,7 +445,7 @@ static int scsi_id(char *maj_min_dev) { + if (dev_scsi.tgpt_group[0] != '\0') + printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group); + if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL)) +- printf("ID_SCSI_SERIAL=%s\n", serial_str); ++ printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number); + goto out; + } + +-- +2.50.1 + diff --git a/meta/recipes-core/systemd/systemd_255.21.bb b/meta/recipes-core/systemd/systemd_255.21.bb index 87e186bbfa..fe9d699816 100644 --- a/meta/recipes-core/systemd/systemd_255.21.bb +++ b/meta/recipes-core/systemd/systemd_255.21.bb 
@@ -29,6 +29,8 @@ SRC_URI += " \ file://0002-binfmt-Don-t-install-dependency-links-at-install-tim.patch \ file://0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch \ file://0008-implment-systemd-sysv-install-for-OE.patch \ + file://CVE-2026-40225-01.patch \ + file://CVE-2026-40225-02.patch \ " # patches needed by musl From patchwork Tue May 5 16:57:38 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87536 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 25265CD3427 for ; Tue, 5 May 2026 16:59:14 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1063.1778000349195865388 for ; Tue, 05 May 2026 09:59:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=3uW6pECD; spf=pass (domain: smile.fr, ip: 209.85.128.54, mailfrom: fabien.thomas@smile.fr) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-488ab2db91aso65386955e9.3 for ; Tue, 05 May 2026 09:59:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1778000347; x=1778605147; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=KsWTBWs4jx5EuAURA2HcZZ49V+KKU7ymDXGJmYEsswg=; b=3uW6pECDYJY8GY/tAR3NmZoEJlivIcXYBdMw6g07RqfxtPyXQOQ/0UMd0OzGVtqk5c YVEq8e4IZe4NeSpSho0/M4FNs2NenMWyf1LDtiEv7YgtHA6mPLo90LRumm6FHPgdNhA+ 22OJlwpm8NW+gTVqD714iTohI8bRexs/wpRzQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778000347; x=1778605147; 
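Review bot: In the scsi_id.c hunk of CVE-2026-40225-01.patch the new condition validates `dev_scsi.unit_serial_number`, but the `printf` under it emits `serial_str`, so with only this patch applied the string that is checked is not the string that is printed. CVE-2026-40225-02.patch switches the printf back to `dev_scsi.unit_serial_number`; the two files have to stay together and in this order in SRC_URI, and saying so in the commit message would stop a later rebase from dropping one of them. The context line above still prints `dev_scsi.tgpt_group` for `ID_TARGET_PORT` with only the empty-string check; if that is intentional, a short remark would help.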
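Review bot: In the names_pci_onboard_label() hunk of udev-builtin-net_id.c the added `Invalid label` error is logged against `dev`, while the existing `Failed to get PCI onboard label: %m` error just above it is logged against `pci_dev`, the device the label was read from. Logging both against `pci_dev` would keep the debug output attributable to one device. The message also does not say whether `utf8_is_valid()` or `string_has_cc()` rejected the label, which is the first thing someone debugging a missing interface name will want to know.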
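Review bot: In the run() hunk of v4l_id.c, `ID_V4L_PRODUCT` is dropped without any message when `v2cap.card` fails the check, whereas the net_id.c hunks in the same patch log `Invalid phys_port_name` or `Invalid label`. A debug line here would make a missing property diagnosable. The `(char *)` casts treat `v2cap.card` as a NUL-terminated string, as the existing printf already did; nothing in the hunk shows that termination is guaranteed, so it is worth confirming before relying on the two string helpers.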
From: Fabien Thomas To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 21/23] systemd: fix for CVE-2026-40226 Date: Tue, 5 May 2026 18:57:38 +0200 Message-ID: <84dc87ab504b8b357e7703a911c4f131aa971fe7.1777995876.git.fabien.thomas@smile.fr> X-Mailer: git-send-email 2.54.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 May 2026 16:59:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236512 From: Hitendra Prajapati Backport commit[0] and [1] which fixes this vulnerability as mentioned in Debian report [2]. [0] https://github.com/systemd/systemd/commit/773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a [1] https://github.com/systemd/systemd/commit/bfa0a842822c4f79da9d47f8a773fd128d8f8a0a [2] https://security-tracker.debian.org/tracker/CVE-2026-40226 More details : https://nvd.nist.gov/vuln/detail/CVE-2026-40226 Signed-off-by: Hitendra Prajapati Signed-off-by: Fabien Thomas --- .../systemd/systemd/CVE-2026-40226-01.patch | 63 +++++++++++++++++++ .../systemd/systemd/CVE-2026-40226-02.patch | 39 ++++++++++++ meta/recipes-core/systemd/systemd_255.21.bb | 2 + 3 files changed, 104 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/CVE-2026-40226-01.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2026-40226-02.patch diff --git a/meta/recipes-core/systemd/systemd/CVE-2026-40226-01.patch b/meta/recipes-core/systemd/systemd/CVE-2026-40226-01.patch new file mode 100644 index 0000000000..6f2893cab7 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2026-40226-01.patch 
@@ -0,0 +1,63 @@ +From 773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 11 Mar 2026 12:15:26 +0000 +Subject: [PATCH] nspawn: apply BindUser/Ephemeral from settings file only if + trusted + +Originally reported on yeswehack.com as: +YWH-PGM9780-116 + +Follow-up for 2f8930449079403b26c9164b8eeac78d5af2c8df +Follow-up for a2f577fca0be79b23f61f033229b64884e7d840a + +(cherry picked from commit 61bceb1bff4b1f9c126b18dc971ca3e6d8c71c40) +(cherry picked from commit 718711ed876c870a72149eea279b819cdab14e91) +(cherry picked from commit e4db9c12957d315c0ed22c6ca87a816d0927d6dc) + + +CVE: CVE-2026-40226 +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a] +Signed-off-by: Hitendra Prajapati +--- + src/nspawn/nspawn.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index 005a3d2be1..0ac0c94f06 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -4275,8 +4275,13 @@ static int merge_settings(Settings *settings, const char *path) { + } + + if ((arg_settings_mask & SETTING_EPHEMERAL) == 0 && +- settings->ephemeral >= 0) +- arg_ephemeral = settings->ephemeral; ++ settings->ephemeral >= 0) { ++ ++ if (!arg_settings_trusted) ++ log_warning("Ignoring ephemeral setting, file %s is not trusted.", path); ++ else ++ arg_ephemeral = settings->ephemeral; ++ } + + if ((arg_settings_mask & SETTING_DIRECTORY) == 0 && + settings->root) { +@@ -4444,8 +4449,13 @@ static int merge_settings(Settings *settings, const char *path) { + } + + if ((arg_settings_mask & SETTING_BIND_USER) == 0 && +- !strv_isempty(settings->bind_user)) +- strv_free_and_replace(arg_bind_user, settings->bind_user); ++ !strv_isempty(settings->bind_user)) { ++ ++ if (!arg_settings_trusted) ++ log_warning("Ignoring bind user setting, file %s is not trusted.", path); ++ else ++ strv_free_and_replace(arg_bind_user, 
settings->bind_user); ++ } + + if ((arg_settings_mask & SETTING_NOTIFY_READY) == 0 && + settings->notify_ready >= 0) +-- +2.50.1 + diff --git a/meta/recipes-core/systemd/systemd/CVE-2026-40226-02.patch b/meta/recipes-core/systemd/systemd/CVE-2026-40226-02.patch new file mode 100644 index 0000000000..47f780e6c5 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2026-40226-02.patch @@ -0,0 +1,39 @@ +From bfa0a842822c4f79da9d47f8a773fd128d8f8a0a Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 11 Mar 2026 13:27:14 +0000 +Subject: [PATCH] nspawn: normalize pivot_root paths + +Originally reported on yeswehack.com as: +YWH-PGM9780-116 + +Follow-up for b53ede699cdc5233041a22591f18863fb3fe2672 + +(cherry picked from commit 7b85f5498a958e5bb660c703b8f4a71cceed3373) +(cherry picked from commit 6566dc1451089e07090f5a114ae2eb43ed39188d) +(cherry picked from commit 1c55a0a5e26a07df828f72092ad1203e221b60db) + +CVE: CVE-2026-40226 +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/bfa0a842822c4f79da9d47f8a773fd128d8f8a0a] +Signed-off-by: Hitendra Prajapati +--- + src/nspawn/nspawn-mount.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c +index 470f477f22..09c442a63a 100644 +--- a/src/nspawn/nspawn-mount.c ++++ b/src/nspawn/nspawn-mount.c +@@ -1255,7 +1255,9 @@ int pivot_root_parse(char **pivot_root_new, char **pivot_root_old, const char *s + + if (!path_is_absolute(root_new)) + return -EINVAL; +- if (root_old && !path_is_absolute(root_old)) ++ if (!path_is_normalized(root_new)) ++ return -EINVAL; ++ if (root_old && (!path_is_absolute(root_old) || !path_is_normalized(root_old))) + return -EINVAL; + + free_and_replace(*pivot_root_new, root_new); +-- +2.50.1 + diff --git a/meta/recipes-core/systemd/systemd_255.21.bb b/meta/recipes-core/systemd/systemd_255.21.bb index fe9d699816..9c5f8af240 100644 --- a/meta/recipes-core/systemd/systemd_255.21.bb 
+++ b/meta/recipes-core/systemd/systemd_255.21.bb 
@@ -31,6 +31,8 @@ SRC_URI += " \ file://0008-implment-systemd-sysv-install-for-OE.patch \ file://CVE-2026-40225-01.patch \ file://CVE-2026-40225-02.patch \ + file://CVE-2026-40226-01.patch \ + file://CVE-2026-40226-02.patch \ " # patches needed by musl From patchwork Tue May 5 16:57:39 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87539 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5AF6ACD343B for ; Tue, 5 May 2026 16:59:14 +0000 (UTC) Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.1064.1778000350760564985 for ; Tue, 05 May 2026 09:59:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=OPzzdmZ1; spf=pass (domain: smile.fr, ip: 209.85.128.46, mailfrom: fabien.thomas@smile.fr) Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-48a563e4ef7so53164255e9.0 for ; Tue, 05 May 2026 09:59:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1778000349; x=1778605149; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=yMgbeviAuWQdOzNo3YmG1vpGsCOX84ejd/Dd3yM6jAo=; b=OPzzdmZ1W8eIQuHmO6+5uDTM8Vur3pDk8pymV6IXciLmTwwFehq5mxtmc/LjpsiVKI JsUTLN1uThMn9nxn/fsgjsvfnyxIDO7MAvT1ljNiZGf0NgxEMk8u2TQ7wdG75a8AtGHX n3kywa0/Vto/oRsDSpVpW1z2imA2TZvNHJh6E= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778000349; x=1778605149; h=content-transfer-encoding:mime-version:references:in-reply-to 
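Review bot: Both merge_settings() hunks in CVE-2026-40226-01.patch add an `arg_settings_trusted` branch, but the diffstat lists only src/nspawn/nspawn.c, so nothing exercises the untrusted path for the ephemeral or bind user settings. A test that merges an untrusted settings file with both values set and checks that `arg_ephemeral` and `arg_bind_user` are left unchanged would protect this against regressions. The commit message gives only the report id; one sentence on what an untrusted file could achieve through these two settings would help whoever triages the CVE on this branch.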
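Review bot: In the pivot_root_parse() hunk of CVE-2026-40226-02.patch, `root_new` is checked with two separate `if` statements while `root_old` gets `!path_is_absolute(root_old) || !path_is_normalized(root_old)` in a single condition; folding the `root_new` checks into one condition would make the two paths read the same. A short comment saying why a non-normalized path is rejected here is missing, and the change comes with no test for a rejected value.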
From: Fabien Thomas To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 22/23] libsoup: fix CVE-2025-14523 Date: Tue, 5 May 2026 18:57:39 +0200 Message-ID: <277297409dbf0bdb17653419e2d5e4a5ee8f33d5.1777995876.git.fabien.thomas@smile.fr> X-Mailer: git-send-email 2.54.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 May 2026 16:59:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236513 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/work_items/472 Signed-off-by: Changqing Li Signed-off-by: Fabien Thomas --- .../libsoup-3.4.4/CVE-2025-14523.patch | 715 ++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 + 2 files changed, 716 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-14523.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-14523.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-14523.patch new file mode 100644 index 0000000000..1cf5c9d667 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-14523.patch 
@@ -0,0 +1,715 @@ +From 70123da95418f5d6e00e8ac2d586fb6c5d02cdc6 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Wed, 7 Jan 2026 14:50:33 -0600 +Subject: [PATCH] Reject duplicate Host headers + +RFC 9112 section 3.2 says: + +A server MUST respond with a 400 (Bad Request) status code to any +HTTP/1.1 request message that lacks a Host header field and to any +request message that contains more than one Host header field line or a +Host header field with an invalid field value. + +In addition to rejecting a duplicate header when parsing headers, also +reject attempts to add the duplicate header using the +soup_message_headers_append() API, and add tests for both cases. + +These checks will also apply to HTTP/2. I'm not sure whether this is +actually desired or not, but the header processing code is not aware of +which HTTP version is in use. + +(Note that while SoupMessageHeaders does not require the Host header to +be present in an HTTP/1.1 request, SoupServer itself does. So we can't +test the case of missing Host header via the header parsing test, but it +really is enforced.) 
+ +Fixes #472 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/aecd8daadc110f8561fb2d6b2806a4cacf2e4c85] +CVE: CVE-2025-14523 + +Signed-off-by: Changqing Li +--- + libsoup/soup-headers.c | 3 +- + libsoup/soup-message-headers-private.h | 4 +- + libsoup/soup-message-headers.c | 80 +++++++------ + tests/header-parsing-test.c | 148 +++++++++++++++++-------- + 4 files changed, 153 insertions(+), 82 deletions(-) + +diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c +index 155c11d..3fec9b3 100644 +--- a/libsoup/soup-headers.c ++++ b/libsoup/soup-headers.c +@@ -139,7 +139,8 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest) + for (p = strchr (value, '\r'); p; p = strchr (p, '\r')) + *p = ' '; + +- soup_message_headers_append_untrusted_data (dest, name, value); ++ if (!soup_message_headers_append_untrusted_data (dest, name, value)) ++ goto done; + } + success = TRUE; + +diff --git a/libsoup/soup-message-headers-private.h b/libsoup/soup-message-headers-private.h +index 9815464..770f3ef 100644 +--- a/libsoup/soup-message-headers-private.h ++++ b/libsoup/soup-message-headers-private.h +@@ -10,10 +10,10 @@ + + G_BEGIN_DECLS + +-void soup_message_headers_append_untrusted_data (SoupMessageHeaders *hdrs, ++gboolean soup_message_headers_append_untrusted_data (SoupMessageHeaders *hdrs, + const char *name, + const char *value); +-void soup_message_headers_append_common (SoupMessageHeaders *hdrs, ++gboolean soup_message_headers_append_common (SoupMessageHeaders *hdrs, + SoupHeaderName name, + const char *value); + const char *soup_message_headers_get_one_common (SoupMessageHeaders *hdrs, +diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c +index d69d6e8..ce4b3b3 100644 +--- a/libsoup/soup-message-headers.c ++++ b/libsoup/soup-message-headers.c +@@ -267,12 +267,16 @@ soup_message_headers_clean_connection_headers (SoupMessageHeaders *hdrs) + soup_header_free_list (tokens); + } + +-void ++gboolean + 
soup_message_headers_append_common (SoupMessageHeaders *hdrs, + SoupHeaderName name, + const char *value) + { + SoupCommonHeader header; ++ if (name == SOUP_HEADER_HOST && soup_message_headers_get_one (hdrs, "Host")) { ++ g_warning ("soup_message_headers_append_common: Rejecting duplicate Host header"); ++ return FALSE; ++ } + + if (!hdrs->common_headers) + hdrs->common_headers = g_array_sized_new (FALSE, FALSE, sizeof (SoupCommonHeader), 6); +@@ -284,32 +288,18 @@ soup_message_headers_append_common (SoupMessageHeaders *hdrs, + g_hash_table_remove (hdrs->common_concat, GUINT_TO_POINTER (header.name)); + + soup_message_headers_set (hdrs, name, value); ++ return TRUE; + } + +-/** +- * soup_message_headers_append: +- * @hdrs: a #SoupMessageHeaders +- * @name: the header name to add +- * @value: the new value of @name +- * +- * Appends a new header with name @name and value @value to @hdrs. +- * +- * (If there is an existing header with name @name, then this creates a second +- * one, which is only allowed for list-valued headers; see also +- * [method@MessageHeaders.replace].) +- * +- * The caller is expected to make sure that @name and @value are +- * syntactically correct. +- **/ +-void +-soup_message_headers_append (SoupMessageHeaders *hdrs, +- const char *name, const char *value) ++static gboolean ++soup_message_headers_append_internal (SoupMessageHeaders *hdrs, ++ const char *name, const char *value) + { + SoupUncommonHeader header; + SoupHeaderName header_name; + +- g_return_if_fail (name != NULL); +- g_return_if_fail (value != NULL); ++ g_return_val_if_fail (name != NULL, FALSE); ++ g_return_val_if_fail (value != NULL, FALSE); + + /* Setting a syntactically invalid header name or value is + * considered to be a programming error. However, it can also +@@ -317,23 +307,22 @@ soup_message_headers_append (SoupMessageHeaders *hdrs, + * compiled with G_DISABLE_CHECKS. 
+ */ + #ifndef G_DISABLE_CHECKS +- g_return_if_fail (*name && strpbrk (name, " \t\r\n:") == NULL); +- g_return_if_fail (strpbrk (value, "\r\n") == NULL); ++ g_return_val_if_fail (*name && strpbrk (name, " \t\r\n:") == NULL, FALSE); ++ g_return_val_if_fail (strpbrk (value, "\r\n") == NULL, FALSE); + #else + if (*name && strpbrk (name, " \t\r\n:")) { +- g_warning ("soup_message_headers_append: Ignoring bad name '%s'", name); +- return; ++ g_warning ("soup_message_headers_append: Rejecting bad name '%s'", name); ++ return FALSE; + } + if (strpbrk (value, "\r\n")) { +- g_warning ("soup_message_headers_append: Ignoring bad value '%s'", value); +- return; ++ g_warning ("soup_message_headers_append: Rejecting bad value '%s'", value); ++ return FALSE; + } + #endif + + header_name = soup_header_name_from_string (name); + if (header_name != SOUP_HEADER_UNKNOWN) { +- soup_message_headers_append_common (hdrs, header_name, value); +- return; ++ return soup_message_headers_append_common (hdrs, header_name, value); + } + + if (!hdrs->uncommon_headers) +@@ -344,21 +333,48 @@ soup_message_headers_append (SoupMessageHeaders *hdrs, + g_array_append_val (hdrs->uncommon_headers, header); + if (hdrs->uncommon_concat) + g_hash_table_remove (hdrs->uncommon_concat, header.name); ++ return TRUE; ++} ++ ++/** ++ * soup_message_headers_append: ++ * @hdrs: a #SoupMessageHeaders ++ * @name: the header name to add ++ * @value: the new value of @name ++ * ++ * Appends a new header with name @name and value @value to @hdrs. ++ * ++ * (If there is an existing header with name @name, then this creates a second ++ * one, which is only allowed for list-valued headers; see also ++ * [method@MessageHeaders.replace].) ++ * ++ * The caller is expected to make sure that @name and @value are ++ * syntactically correct. 
++ **/ ++void ++soup_message_headers_append (SoupMessageHeaders *hdrs, ++ const char *name, const char *value) ++{ ++ soup_message_headers_append_internal (hdrs, name, value); + } + + /* +- * Appends a header value ensuring that it is valid UTF8. ++ * Appends a header value ensuring that it is valid UTF-8, and also checking the ++ * return value of soup_message_headers_append_internal() to report whether the ++ * headers are invalid for various other reasons. + */ +-void ++gboolean + soup_message_headers_append_untrusted_data (SoupMessageHeaders *hdrs, + const char *name, + const char *value) + { + char *safe_value = g_utf8_make_valid (value, -1); + char *safe_name = g_utf8_make_valid (name, -1); +- soup_message_headers_append (hdrs, safe_name, safe_value); ++ gboolean result = soup_message_headers_append_internal (hdrs, safe_name, safe_value); ++ + g_free (safe_value); + g_free (safe_name); ++ return result; + } + + void +diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c +index 9490559..98a22a4 100644 +--- a/tests/header-parsing-test.c ++++ b/tests/header-parsing-test.c +@@ -24,6 +24,7 @@ static struct RequestTest { + const char *method, *path; + SoupHTTPVersion version; + Header headers[10]; ++ GLogLevelFlags log_flags; + } reqtests[] = { + /**********************/ + /*** VALID REQUESTS ***/ +@@ -33,7 +34,7 @@ static struct RequestTest { + "GET / HTTP/1.0\r\n", -1, + SOUP_STATUS_OK, + "GET", "/", SOUP_HTTP_1_0, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "Req w/ 1 header", NULL, +@@ -42,7 +43,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header, no leading whitespace", NULL, +@@ -51,7 +52,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header including trailing whitespace", NULL, +@@ -60,7 +61,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { 
"Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header, wrapped", NULL, +@@ -69,7 +70,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Foo", "bar baz" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header, wrapped with additional whitespace", NULL, +@@ -78,7 +79,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Foo", "bar baz" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header, wrapped with tab", NULL, +@@ -87,7 +88,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Foo", "bar baz" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header, wrapped before value", NULL, +@@ -96,7 +97,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Foo", "bar baz" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 1 header with empty value", NULL, +@@ -105,7 +106,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 2 headers", NULL, +@@ -115,7 +116,7 @@ static struct RequestTest { + { { "Host", "example.com" }, + { "Connection", "close" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 3 headers", NULL, +@@ -126,7 +127,7 @@ static struct RequestTest { + { "Connection", "close" }, + { "Blah", "blah" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 3 headers, 1st wrapped", NULL, +@@ -137,7 +138,7 @@ static struct RequestTest { + { "Foo", "bar baz" }, + { "Blah", "blah" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 3 headers, 2nd wrapped", NULL, +@@ -148,7 +149,7 @@ static struct RequestTest { + { "Blah", "blah" }, + { "Foo", "bar baz" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ 3 headers, 3rd wrapped", NULL, +@@ -159,7 +160,7 @@ static struct RequestTest { + { "Blah", "blah" }, + { "Foo", "bar baz" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ same header multiple times", NULL, +@@ -168,7 +169,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Foo", "bar, baz, quux" }, + { NULL } +- } ++ }, 0 + }, + + { 
"Connection header on HTTP/1.0 message", NULL, +@@ -178,21 +179,21 @@ static struct RequestTest { + { { "Connection", "Bar, Quux" }, + { "Foo", "bar" }, + { NULL } +- } ++ }, 0 + }, + + { "GET with full URI", "667637", + "GET http://example.com HTTP/1.1\r\n", -1, + SOUP_STATUS_OK, + "GET", "http://example.com", SOUP_HTTP_1_1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "GET with full URI in upper-case", "667637", + "GET HTTP://example.com HTTP/1.1\r\n", -1, + SOUP_STATUS_OK, + "GET", "HTTP://example.com", SOUP_HTTP_1_1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + /* It's better for this to be passed through: this means a SoupServer +@@ -202,7 +203,7 @@ static struct RequestTest { + "GET AbOuT: HTTP/1.1\r\n", -1, + SOUP_STATUS_OK, + "GET", "AbOuT:", SOUP_HTTP_1_1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + /****************************/ +@@ -217,7 +218,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + /* RFC 2616 section 3.1 says we MUST accept this */ +@@ -228,7 +229,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + /* RFC 2616 section 19.3 says we SHOULD accept these */ +@@ -240,7 +241,7 @@ static struct RequestTest { + { { "Host", "example.com" }, + { "Connection", "close" }, + { NULL } +- } ++ }, 0 + }, + + { "LF instead of CRLF after Request-Line", NULL, +@@ -249,7 +250,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + { "Mixed CRLF/LF", "666316", +@@ -261,7 +262,7 @@ static struct RequestTest { + { "e", "f" }, + { "g", "h" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ incorrect whitespace in Request-Line", NULL, +@@ -270,7 +271,7 @@ static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + { "Req w/ incorrect whitespace after Request-Line", "475169", +@@ -279,7 +280,7 @@ 
static struct RequestTest { + "GET", "/", SOUP_HTTP_1_1, + { { "Host", "example.com" }, + { NULL } +- } ++ }, 0 + }, + + /* If the request/status line is parseable, then we +@@ -293,7 +294,7 @@ static struct RequestTest { + { { "Host", "example.com" }, + { "Bar", "two" }, + { NULL } +- } ++ }, 0 + }, + + { "First header line is continuation", "666316", +@@ -303,7 +304,7 @@ static struct RequestTest { + { { "Host", "example.com" }, + { "c", "d" }, + { NULL } +- } ++ }, 0 + }, + + { "Zero-length header name", "666316", +@@ -313,7 +314,7 @@ static struct RequestTest { + { { "a", "b" }, + { "c", "d" }, + { NULL } +- } ++ }, 0 + }, + + { "CR in header name", "666316", +@@ -323,7 +324,7 @@ static struct RequestTest { + { { "a", "b" }, + { "c", "d" }, + { NULL } +- } ++ }, 0 + }, + + { "CR in header value", "666316", +@@ -336,7 +337,7 @@ static struct RequestTest { + { "s", "t" }, /* CR at end is ignored */ + { "c", "d" }, + { NULL } +- } ++ }, 0 + }, + + { "Tab in header name", "666316", +@@ -351,7 +352,7 @@ static struct RequestTest { + { "p", "q z: w" }, + { "c", "d" }, + { NULL } +- } ++ }, 0 + }, + + { "Tab in header value", "666316", +@@ -364,7 +365,7 @@ static struct RequestTest { + { "z", "w" }, /* trailing tab ignored */ + { "c", "d" }, + { NULL } +- } ++ }, 0 + }, + + /************************/ +@@ -375,77 +376,77 @@ static struct RequestTest { + "GET /\r\n", -1, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "HTTP 1.2 request (no such thing)", NULL, + "GET / HTTP/1.2\r\n", -1, + SOUP_STATUS_HTTP_VERSION_NOT_SUPPORTED, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "HTTP 2000 request (no such thing)", NULL, + "GET / HTTP/2000.0\r\n", -1, + SOUP_STATUS_HTTP_VERSION_NOT_SUPPORTED, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404", + unterminated_http_version, sizeof 
(unterminated_http_version), + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "Non-HTTP request", NULL, + "GET / SOUP/1.1\r\nHost: example.com\r\n", -1, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "Junk after Request-Line", NULL, + "GET / HTTP/1.1 blah\r\nHost: example.com\r\n", -1, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "NUL in Method", NULL, + "G\x00T / HTTP/1.1\r\nHost: example.com\r\n", 37, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "NUL at beginning of Method", "666316", + "\x00 / HTTP/1.1\r\nHost: example.com\r\n", 35, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "NUL in Path", NULL, + "GET /\x00 HTTP/1.1\r\nHost: example.com\r\n", 38, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "No terminating CRLF", NULL, + "GET / HTTP/1.1\r\nHost: example.com", -1, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "Unrecognized expectation", NULL, + "GET / HTTP/1.1\r\nHost: example.com\r\nExpect: the-impossible\r\n", -1, + SOUP_STATUS_EXPECTATION_FAILED, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 +@@ -453,21 +454,40 @@ static struct RequestTest { + "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "NUL in header value", NULL, + "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28, + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 + }, + + { "Only newlines", NULL, + only_newlines, sizeof (only_newlines), + SOUP_STATUS_BAD_REQUEST, + NULL, NULL, -1, +- { { NULL } } ++ { { NULL } }, 0 ++ }, ++ { "Duplicate Host headers", ++ 
"https://gitlab.gnome.org/GNOME/libsoup/-/issues/472", ++ "GET / HTTP/1.1\r\nHost: example.com\r\nHost: example.org\r\n", ++ -1, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } }, ++ G_LOG_LEVEL_WARNING ++ }, ++ ++ { "Duplicate Host headers, case insensitive", ++ "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472", ++ "GET / HTTP/1.1\r\nHost: example.com\r\nhost: example.org\r\n", ++ -1, ++ SOUP_STATUS_BAD_REQUEST, ++ NULL, NULL, -1, ++ { { NULL } }, ++ G_LOG_LEVEL_WARNING + } + }; + static const int num_reqtests = G_N_ELEMENTS (reqtests); +@@ -915,10 +935,17 @@ do_request_tests (void) + len = strlen (reqtests[i].request); + else + len = reqtests[i].length; ++ ++ if (reqtests[i].log_flags) ++ g_test_expect_message ("libsoup", reqtests[i].log_flags, "*"); ++ + status = soup_headers_parse_request (reqtests[i].request, len, + headers, &method, &path, + &version); + g_assert_cmpint (status, ==, reqtests[i].status); ++ if (reqtests[i].log_flags) ++ g_test_assert_expected_messages (); ++ + if (SOUP_STATUS_IS_SUCCESSFUL (status)) { + g_assert_cmpstr (method, ==, reqtests[i].method); + g_assert_cmpstr (path, ==, reqtests[i].path); +@@ -1312,6 +1339,32 @@ do_bad_header_tests (void) + soup_message_headers_unref (hdrs); + } + ++static void ++do_append_duplicate_host_test (void) ++{ ++ SoupMessageHeaders *hdrs; ++ const char *list_value; ++ ++ hdrs = soup_message_headers_new (SOUP_MESSAGE_HEADERS_REQUEST); ++ soup_message_headers_append (hdrs, "Host", "a"); ++ ++ g_test_expect_message ("libsoup", G_LOG_LEVEL_WARNING, ++ "soup_message_headers_append_common: Rejecting duplicate Host header"); ++ soup_message_headers_append (hdrs, "Host", "b"); ++ g_test_assert_expected_messages (); ++ ++ /* Case insensitive */ ++ g_test_expect_message ("libsoup", G_LOG_LEVEL_WARNING, ++ "soup_message_headers_append_common: Rejecting duplicate Host header"); ++ soup_message_headers_append (hdrs, "host", "b"); ++ g_test_assert_expected_messages (); ++ ++ list_value = 
soup_message_headers_get_list (hdrs, "Host"); ++ g_assert_cmpstr (list_value, ==, "a"); ++ ++ soup_message_headers_unref (hdrs); ++} ++ + int + main (int argc, char **argv) + { +@@ -1327,6 +1380,7 @@ main (int argc, char **argv) + g_test_add_func ("/header-parsing/content-type", do_content_type_tests); + g_test_add_func ("/header-parsing/append-param", do_append_param_tests); + g_test_add_func ("/header-parsing/bad", do_bad_header_tests); ++ g_test_add_func ("/header-parsing/append-duplicate-host", do_append_duplicate_host_test); + + ret = g_test_run (); + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index c09b06fec2..6be31806f1 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb 
@@ -46,6 +46,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-2784.patch \ file://CVE-2025-4945.patch \ file://CVE-2025-12105.patch \ + file://CVE-2025-14523.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa" From patchwork Tue May 5 16:57:40 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fabien Thomas X-Patchwork-Id: 87535
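Review bot: In the do_request_tests hunk of CVE-2025-14523.patch, g_test_expect_message ("libsoup", reqtests[i].log_flags, "*") accepts any message at that log level, so the two new "Duplicate Host headers" cases only prove that some warning was logged, not that the duplicate Host was the reason for SOUP_STATUS_BAD_REQUEST. do_append_duplicate_host_test already matches the exact text "soup_message_headers_append_common: Rejecting duplicate Host header"; if the parse path emits the same warning, consider storing an expected pattern in RequestTest next to log_flags and passing it here instead of "*", so an unrelated warning cannot satisfy the expectation.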
From: Fabien Thomas To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 23/23] libsoup: fix CVE-2025-32049 Date: Tue, 5 May 2026 18:57:40 +0200 Message-ID: <3c2f2b6f7af2bb743655859b64faae4786080cb9.1777995876.git.fabien.thomas@smile.fr> X-Mailer: git-send-email 2.54.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 05 May 2026 16:59:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/236514 From: Changqing Li Refer: https://gitlab.gnome.org/GNOME/libsoup/-/issues/390 Signed-off-by: Changqing Li Signed-off-by: Fabien Thomas --- .../libsoup-3.4.4/CVE-2025-32049-1.patch | 229 ++++++++++++++ .../libsoup-3.4.4/CVE-2025-32049-2.patch | 34 ++ .../libsoup-3.4.4/CVE-2025-32049-3.patch | 134 ++++++++ .../libsoup-3.4.4/CVE-2025-32049-4.patch | 292 ++++++++++++++++++ meta/recipes-support/libsoup/libsoup_3.4.4.bb | 4 + 5 files changed, 693 insertions(+) create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-1.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-2.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-3.patch create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-4.patch diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-1.patch new file mode 100644 index 0000000000..0772c759dc --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-1.patch 
@@ -0,0 +1,229 @@ +From 176cb31003252a69d3fc7908e8f505c0ee006b7a Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro +Date: Wed, 24 Jul 2024 15:20:35 +0200 +Subject: [PATCH 1/4] websocket: add a way to restrict the total message size + +Otherwise a client could send small packages smaller than +total-incoming-payload-size but still to break the server +with a big allocation + +Fixes: #390 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/db87805ab565d67533dfed2cb409dbfd63c7fdce] +CVE: CVE-2025-32049 + +Signed-off-by: Changqing Li +--- + libsoup/websocket/soup-websocket-connection.c | 107 +++++++++++++++++- + libsoup/websocket/soup-websocket-connection.h | 7 ++ + 2 files changed, 110 insertions(+), 4 deletions(-) + +diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c +index 5eb8150..19bdd39 100644 +--- a/libsoup/websocket/soup-websocket-connection.c ++++ b/libsoup/websocket/soup-websocket-connection.c +@@ -84,7 +84,7 @@ enum { + PROP_MAX_INCOMING_PAYLOAD_SIZE, + PROP_KEEPALIVE_INTERVAL, + PROP_EXTENSIONS, +- ++ PROP_MAX_TOTAL_MESSAGE_SIZE, + LAST_PROPERTY + }; + +@@ -126,6 +126,7 @@ typedef struct { + char *origin; + char *protocol; + guint64 max_incoming_payload_size; ++ guint64 max_total_message_size; + guint keepalive_interval; + + gushort peer_close_code; +@@ -156,6 +157,7 @@ typedef struct { + } SoupWebsocketConnectionPrivate; + + #define MAX_INCOMING_PAYLOAD_SIZE_DEFAULT 128 * 1024 ++#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024 + #define READ_BUFFER_SIZE 1024 + #define MASK_LENGTH 4 + +@@ -670,8 +672,8 @@ bad_data_error_and_close (SoupWebsocketConnection *self) + } + + static void +-too_big_error_and_close (SoupWebsocketConnection *self, +- guint64 payload_len) ++too_big_incoming_payload_error_and_close (SoupWebsocketConnection *self, ++ guint64 payload_len) + { + SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self); + GError 
*error; +@@ -687,6 +689,24 @@ too_big_error_and_close (SoupWebsocketConnection *self, + emit_error_and_close (self, error, TRUE); + } + ++static void ++too_big_message_error_and_close (SoupWebsocketConnection *self, ++ guint64 len) ++{ ++ SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self); ++ GError *error; ++ ++ error = g_error_new_literal (SOUP_WEBSOCKET_ERROR, ++ SOUP_WEBSOCKET_CLOSE_TOO_BIG, ++ priv->connection_type == SOUP_WEBSOCKET_CONNECTION_SERVER ? ++ "Received WebSocket payload from the client larger than configured max-total-message-size" : ++ "Received WebSocket payload from the server larger than configured max-total-message-size"); ++ g_debug ("%s received message of size %" G_GUINT64_FORMAT " or greater, but max supported size is %" G_GUINT64_FORMAT, ++ priv->connection_type == SOUP_WEBSOCKET_CONNECTION_SERVER ? "server" : "client", ++ len, priv->max_total_message_size); ++ emit_error_and_close (self, error, TRUE); ++} ++ + static void + close_connection (SoupWebsocketConnection *self, + gushort code, +@@ -918,6 +938,12 @@ process_contents (SoupWebsocketConnection *self, + switch (priv->message_opcode) { + case 0x01: + case 0x02: ++ /* Safety valve */ ++ if (priv->max_total_message_size > 0 && ++ (priv->message_data->len + payload_len) > priv->max_total_message_size) { ++ too_big_message_error_and_close (self, (priv->message_data->len + payload_len)); ++ return; ++ } + g_byte_array_append (priv->message_data, payload, payload_len); + break; + default: +@@ -1056,7 +1082,7 @@ process_frame (SoupWebsocketConnection *self) + /* Safety valve */ + if (priv->max_incoming_payload_size > 0 && + payload_len > priv->max_incoming_payload_size) { +- too_big_error_and_close (self, payload_len); ++ too_big_incoming_payload_error_and_close (self, payload_len); + return FALSE; + } + +@@ -1363,6 +1389,10 @@ soup_websocket_connection_get_property (GObject *object, + g_value_set_pointer (value, priv->extensions); + break; + ++ 
case PROP_MAX_TOTAL_MESSAGE_SIZE: ++ g_value_set_uint64 (value, priv->max_total_message_size); ++ break; ++ + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; +@@ -1416,6 +1446,10 @@ soup_websocket_connection_set_property (GObject *object, + priv->extensions = g_value_get_pointer (value); + break; + ++ case PROP_MAX_TOTAL_MESSAGE_SIZE: ++ priv->max_total_message_size = g_value_get_uint64 (value); ++ break; ++ + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec); + break; +@@ -1628,6 +1662,26 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + G_PARAM_CONSTRUCT_ONLY | + G_PARAM_STATIC_STRINGS); + ++ /** ++ * SoupWebsocketConnection:max-total-message-size: ++ * ++ * The total message size for incoming packets. ++ * ++ * The protocol expects or 0 to not limit it. ++ * ++ * Since: 3.8 ++ */ ++ properties[PROP_MAX_TOTAL_MESSAGE_SIZE] = ++ g_param_spec_uint64 ("max-total-message-size", ++ "Max total message size", ++ "Max total message size ", ++ 0, ++ G_MAXUINT64, ++ MAX_TOTAL_MESSAGE_SIZE_DEFAULT, ++ G_PARAM_READWRITE | ++ G_PARAM_CONSTRUCT | ++ G_PARAM_STATIC_STRINGS); ++ + g_object_class_install_properties (gobject_class, LAST_PROPERTY, properties); + + /** +@@ -2111,6 +2165,51 @@ soup_websocket_connection_set_max_incoming_payload_size (SoupWebsocketConnection + } + } + ++/** ++ * soup_websocket_connection_get_max_total_message_size: ++ * @self: the WebSocket ++ * ++ * Gets the maximum total message size allowed for packets. ++ * ++ * Returns: the maximum total message size. 
++ * ++ * Since: 3.8 ++ */ ++guint64 ++soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *self) ++{ ++ SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self); ++ ++ g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), MAX_TOTAL_MESSAGE_SIZE_DEFAULT); ++ ++ return priv->max_total_message_size; ++} ++ ++/** ++ * soup_websocket_connection_set_max_total_message_size: ++ * @self: the WebSocket ++ * @max_total_message_size: the maximum total message size ++ * ++ * Sets the maximum total message size allowed for packets. ++ * ++ * It does not limit the outgoing packet size. ++ * ++ * Since: 3.8 ++ */ ++void ++soup_websocket_connection_set_max_total_message_size (SoupWebsocketConnection *self, ++ guint64 max_total_message_size) ++{ ++ SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self); ++ ++ g_return_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self)); ++ ++ if (priv->max_total_message_size != max_total_message_size) { ++ priv->max_total_message_size = max_total_message_size; ++ g_object_notify_by_pspec (G_OBJECT (self), properties[PROP_MAX_TOTAL_MESSAGE_SIZE]); ++ } ++} ++ + /** + * soup_websocket_connection_get_keepalive_interval: + * @self: the WebSocket +diff --git a/libsoup/websocket/soup-websocket-connection.h b/libsoup/websocket/soup-websocket-connection.h +index eeb093d..922de56 100644 +--- a/libsoup/websocket/soup-websocket-connection.h ++++ b/libsoup/websocket/soup-websocket-connection.h +@@ -88,6 +88,13 @@ SOUP_AVAILABLE_IN_ALL + void soup_websocket_connection_set_max_incoming_payload_size (SoupWebsocketConnection *self, + guint64 max_incoming_payload_size); + ++SOUP_AVAILABLE_IN_3_0 ++guint64 soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *self); ++ ++SOUP_AVAILABLE_IN_3_0 ++void soup_websocket_connection_set_max_total_message_size (SoupWebsocketConnection *self, ++ guint64 max_total_message_size); ++ + SOUP_AVAILABLE_IN_ALL 
+ guint soup_websocket_connection_get_keepalive_interval (SoupWebsocketConnection *self); + +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-2.patch new file mode 100644 index 0000000000..6f00fabfdb --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-2.patch @@ -0,0 +1,34 @@ +From 81eb7cf7422878f0b78b833a3b741f734502921f Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro +Date: Fri, 20 Sep 2024 12:12:38 +0200 +Subject: [PATCH 2/4] websocket-test: set the total message size + +This is required when sending a big amount of data + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/4904a46a2d9a014efa6be01a186ac353dbf5047b] +CVE: CVE-2025-32049 + +Signed-off-by: Changqing Li +--- + tests/websocket-test.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tests/websocket-test.c b/tests/websocket-test.c +index a0b8334..827b041 100644 +--- a/tests/websocket-test.c ++++ b/tests/websocket-test.c +@@ -567,6 +567,11 @@ test_send_big_packets (Test *test, + soup_websocket_connection_set_max_incoming_payload_size (test->server, 1000 * 1000 + 1); + g_assert (soup_websocket_connection_get_max_incoming_payload_size (test->server) == (1000 * 1000 + 1)); + ++ soup_websocket_connection_set_max_total_message_size (test->client, 1000 * 1000 + 1); ++ g_assert (soup_websocket_connection_get_max_total_message_size (test->client) == (1000 * 1000 + 1)); ++ soup_websocket_connection_set_max_total_message_size (test->server, 1000 * 1000 + 1); ++ g_assert (soup_websocket_connection_get_max_total_message_size (test->server) == (1000 * 1000 + 1)); ++ + sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000); + soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL)); + WAIT_UNTIL (received != NULL); +-- +2.34.1 + 
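Review bot: In CVE-2025-32049-1.patch, the soup-websocket-connection.h hunk declares soup_websocket_connection_get_max_total_message_size and soup_websocket_connection_set_max_total_message_size under SOUP_AVAILABLE_IN_3_0, while their doc comments and the max-total-message-size property say "Since: 3.8", and the recipe being patched is libsoup 3.4.4. The backport therefore adds public API on a stable branch under version markers that match neither the annotation nor the documentation; a line in the commit message stating that these symbols exist in this 3.4.4 build only because of the CVE fix would help anyone linking against it. In the same patch, too_big_message_error_and_close reports a "payload" larger than max-total-message-size, where "message" would name the limit that the process_contents check actually enforces.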
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-3.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-3.patch new file mode 100644 index 0000000000..29fb0d7ddb --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-3.patch 
@@ -0,0 +1,134 @@ +From 25616e1a958bc1503cc24d6845a6e80ffc287727 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 8 May 2025 16:16:25 -0500 +Subject: [PATCH] Set message size limit in SoupServer rather than + SoupWebsocketConnection + +We're not sure about the compatibility implications of having a default +size limit for clients. + +Also not sure whether the server limit is actually set appropriately, +but there is probably very little server usage of +SoupWebsocketConnection in the wild, so it's not so likely to break +things. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/2df34d9544cabdbfdedd3b36f098cf69233b1df7] +CVE: CVE-2025-32049 + +Signed-off-by: Changqing Li +--- + libsoup/server/soup-server.c | 24 +++++++++++++---- + libsoup/websocket/soup-websocket-connection.c | 26 +++++++++++++------ + 2 files changed, 37 insertions(+), 13 deletions(-) + +diff --git a/libsoup/server/soup-server.c b/libsoup/server/soup-server.c +index 6b486f5..c779f7d 100644 +--- a/libsoup/server/soup-server.c ++++ b/libsoup/server/soup-server.c +@@ -186,6 +186,16 @@ static GParamSpec *properties[LAST_PROPERTY] = { NULL, }; + + G_DEFINE_TYPE_WITH_PRIVATE (SoupServer, soup_server, G_TYPE_OBJECT) + ++/* SoupWebsocketConnection by default limits only maximum packet size. But a ++ * message may consist of multiple packets, so SoupServer additionally restricts ++ * total message size to mitigate denial of service attacks on the server. ++ * SoupWebsocketConnection does not do this by default because I don't know ++ * whether that would or would not cause compatibility problems for websites. ++ * ++ * This size is in bytes and it is arbitrary. 
++ */ ++#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024 ++ + static void request_finished (SoupServerMessage *msg, + SoupMessageIOCompletion completion, + SoupServer *server); +@@ -937,11 +947,15 @@ complete_websocket_upgrade (SoupServer *server, + + g_object_ref (msg); + stream = soup_server_message_steal_connection (msg); +- conn = soup_websocket_connection_new (stream, uri, +- SOUP_WEBSOCKET_CONNECTION_SERVER, +- soup_message_headers_get_one_common (soup_server_message_get_request_headers (msg), SOUP_HEADER_ORIGIN), +- soup_message_headers_get_one_common (soup_server_message_get_response_headers (msg), SOUP_HEADER_SEC_WEBSOCKET_PROTOCOL), +- handler->websocket_extensions); ++ conn = SOUP_WEBSOCKET_CONNECTION (g_object_new (SOUP_TYPE_WEBSOCKET_CONNECTION, ++ "io-stream", stream, ++ "uri", uri, ++ "connection-type", SOUP_WEBSOCKET_CONNECTION_SERVER, ++ "origin", soup_message_headers_get_one_common (soup_server_message_get_request_headers (msg), SOUP_HEADER_ORIGIN), ++ "protocol", soup_message_headers_get_one_common (soup_server_message_get_response_headers (msg), SOUP_HEADER_SEC_WEBSOCKET_PROTOCOL), ++ "extensions", handler->websocket_extensions, ++ "max-total-message-size", (guint64)MAX_TOTAL_MESSAGE_SIZE_DEFAULT, ++ NULL)); + handler->websocket_extensions = NULL; + g_object_unref (stream); + +diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c +index 26476df..cbb1b72 100644 +--- a/libsoup/websocket/soup-websocket-connection.c ++++ b/libsoup/websocket/soup-websocket-connection.c +@@ -149,7 +149,6 @@ typedef struct { + } SoupWebsocketConnectionPrivate; + + #define MAX_INCOMING_PAYLOAD_SIZE_DEFAULT 128 * 1024 +-#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024 + #define READ_BUFFER_SIZE 1024 + #define MASK_LENGTH 4 + +@@ -1612,9 +1611,10 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + /** + * SoupWebsocketConnection:max-incoming-payload-size: + * +- * The maximum payload size 
for incoming packets. +- * +- * The protocol expects or 0 to not limit it. ++ * The maximum payload size for incoming packets, or 0 to not limit it. ++ * ++ * Each message may consist of multiple packets, so also refer to ++ * [property@WebSocketConnection:max-total-message-size]. + */ + properties[PROP_MAX_INCOMING_PAYLOAD_SIZE] = + g_param_spec_uint64 ("max-incoming-payload-size", +@@ -1662,9 +1662,19 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + /** + * SoupWebsocketConnection:max-total-message-size: + * +- * The total message size for incoming packets. ++ * The maximum size for incoming messages. ++ * ++ * Set to a value to limit the total message size, or 0 to not ++ * limit it. ++ * ++ * [method@Server.add_websocket_handler] will set this to a nonzero ++ * default value to mitigate denial of service attacks. Clients must ++ * choose their own default if they need to mitigate denial of service ++ * attacks. You also need to set your own default if creating your own ++ * server SoupWebsocketConnection without using SoupServer. + * +- * The protocol expects or 0 to not limit it. ++ * Each message may consist of multiple packets, so also refer to ++ * [property@WebSocketConnection:max-incoming-payload-size]. + * + * Since: 3.8 + */ +@@ -1674,7 +1684,7 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass) + "Max total message size ", + 0, + G_MAXUINT64, +- MAX_TOTAL_MESSAGE_SIZE_DEFAULT, ++ 0, + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + G_PARAM_STATIC_STRINGS); +@@ -2164,7 +2174,7 @@ soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *s + { + SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self); + +- g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), MAX_TOTAL_MESSAGE_SIZE_DEFAULT); ++ g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), 0); + + return priv->max_total_message_size; + } +-- +2.34.1 + 
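Review bot: In CVE-2025-32049-3.patch, the soup-server.c hunk defines MAX_TOTAL_MESSAGE_SIZE_DEFAULT as the unparenthesized expression 128 * 1024 and then passes (guint64)MAX_TOTAL_MESSAGE_SIZE_DEFAULT to g_object_new, so the cast binds to 128 alone. The product is still a guint64 here, which the varargs call needs for a uint64 property, but that is accidental; defining the macro as (128 * 1024) keeps the cast correct if the expression is ever edited. The same hunk makes every connection built in complete_websocket_upgrade close on messages above 128 KiB in total, and the quoted upstream commit message says it is unsure the limit is set appropriately, so the new server-side default deserves a sentence in the OE commit message; applications that accept larger messages can raise it per connection with soup_websocket_connection_set_max_total_message_size.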
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-4.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-4.patch new file mode 100644 index 0000000000..6f391e98e2 --- /dev/null +++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-4.patch 
@@ -0,0 +1,292 @@ +From 3c87790a4ba141125e6ba165c478f0440e8e693e Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Fri, 16 May 2025 16:55:40 -0500 +Subject: [PATCH 4/4] Add tests for max-incoming-packet-size and + max-total-message-size + +An even better test would verify that it's possible to send big messages +containing small packets, but libsoup doesn't offer control over packet +size, and I don't want to take the time to learn how WebSockets work to +figure out how to do that manually. Instead, I just check that both +limits work, for both client and server. + +I didn't add deflate variants of these tests because I doubt that would +add valuable coverage. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/4d00b45b7eebdcfa0706b58e34c40b8a0a16015b] +CVE: CVE-2025-32049 + +Signed-off-by: Changqing Li +--- + tests/websocket-test.c | 214 +++++++++++++++++++++++++++++++++++++---- + 1 file changed, 197 insertions(+), 17 deletions(-) + +diff --git a/tests/websocket-test.c b/tests/websocket-test.c +index 827b041..ec1324c 100644 +--- a/tests/websocket-test.c ++++ b/tests/websocket-test.c +@@ -543,16 +543,9 @@ test_send_big_packets (Test *test, + { + GBytes *sent = NULL; + GBytes *received = NULL; ++ gulong signal_id; + +- g_signal_connect (test->client, "message", G_CALLBACK (on_text_message), &received); +- +- sent = g_bytes_new_take (g_strnfill (400, '!'), 400); +- soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL)); +- WAIT_UNTIL (received != NULL); +- g_assert (g_bytes_equal (sent, received)); +- g_bytes_unref (sent); +- g_bytes_unref (received); +- received = NULL; ++ signal_id = g_signal_connect (test->client, "message", G_CALLBACK (on_text_message), &received); + + sent = g_bytes_new_take (g_strnfill (100 * 1000, '?'), 100 * 1000); + soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL)); +@@ -563,23 +556,174 @@ test_send_big_packets (Test *test, + received = NULL; + + 
soup_websocket_connection_set_max_incoming_payload_size (test->client, 1000 * 1000 + 1); +- g_assert (soup_websocket_connection_get_max_incoming_payload_size (test->client) == (1000 * 1000 + 1)); ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 1000 * 1000 + 1); + soup_websocket_connection_set_max_incoming_payload_size (test->server, 1000 * 1000 + 1); +- g_assert (soup_websocket_connection_get_max_incoming_payload_size (test->server) == (1000 * 1000 + 1)); ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 1000 * 1000 + 1); + + soup_websocket_connection_set_max_total_message_size (test->client, 1000 * 1000 + 1); +- g_assert (soup_websocket_connection_get_max_total_message_size (test->client) == (1000 * 1000 + 1)); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 1000 * 1000 + 1); + soup_websocket_connection_set_max_total_message_size (test->server, 1000 * 1000 + 1); +- g_assert (soup_websocket_connection_get_max_total_message_size (test->server) == (1000 * 1000 + 1)); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 1000 * 1000 + 1); + + sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000); + soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL)); + WAIT_UNTIL (received != NULL); + g_assert (g_bytes_equal (sent, received)); ++ g_bytes_unref (received); ++ received = NULL; ++ ++ /* Reverse the test and send the big message to the server. 
*/ ++ g_signal_handler_disconnect (test->client, signal_id); ++ g_signal_connect (test->server, "message", G_CALLBACK (on_text_message), &received); ++ ++ soup_websocket_connection_send_text (test->client, g_bytes_get_data (sent, NULL)); ++ WAIT_UNTIL (received != NULL); ++ g_assert_true (g_bytes_equal (sent, received)); + g_bytes_unref (sent); + g_bytes_unref (received); + } + ++static void ++test_send_big_packets_direct (Test *test, ++ gconstpointer data) ++{ ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 128 * 1024); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 0); ++ ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 128 * 1024); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 0); ++ ++ test_send_big_packets (test, data); ++} ++ ++static void ++test_send_big_packets_soup (Test *test, ++ gconstpointer data) ++{ ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 128 * 1024); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 0); ++ ++ /* Max total message size defaults to 0 (unlimited), but SoupServer applies its own limit by default. 
*/ ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 128 * 1024); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 128 * 1024); ++ ++ test_send_big_packets (test, data); ++} ++ ++static void ++test_send_exceeding_client_max_payload_size (Test *test, ++ gconstpointer data) ++{ ++ GBytes *sent = NULL; ++ GBytes *received = NULL; ++ gboolean close_event = FALSE; ++ GError *error = NULL; ++ ++ g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error); ++ g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event); ++ ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 128 * 1024); ++ ++ soup_websocket_connection_set_max_incoming_payload_size (test->server, 0); ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 0); ++ ++ /* The message to the client is dropped due to the client's limit. 
*/ ++ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000); ++ soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL)); ++ g_bytes_unref (sent); ++ WAIT_UNTIL (close_event); ++ g_assert_null (received); ++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED); ++ g_assert_no_error (test->client_error); ++} ++ ++static void ++test_send_exceeding_server_max_payload_size (Test *test, ++ gconstpointer data) ++{ ++ GBytes *sent = NULL; ++ GBytes *received = NULL; ++ gboolean close_event = FALSE; ++ GError *error = NULL; ++ ++ g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); ++ g_signal_connect (test->server, "closed", G_CALLBACK (on_close_set_flag), &close_event); ++ ++ soup_websocket_connection_set_max_incoming_payload_size (test->client, 0); ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 0); ++ ++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 128 * 1024); ++ ++ /* The message to the server is dropped due to the server's limit. 
*/ ++ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000); ++ soup_websocket_connection_send_text (test->client, g_bytes_get_data (sent, NULL)); ++ g_bytes_unref (sent); ++ WAIT_UNTIL (close_event); ++ g_assert_null (received); ++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED); ++ g_assert_no_error (test->client_error); ++} ++ ++static void ++test_send_exceeding_client_max_message_size (Test *test, ++ gconstpointer data) ++{ ++ GBytes *sent = NULL; ++ GBytes *received = NULL; ++ gboolean close_event = FALSE; ++ GError *error = NULL; ++ ++ g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error); ++ g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event); ++ ++ soup_websocket_connection_set_max_total_message_size (test->client, 128 * 1024); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 128 * 1024); ++ ++ soup_websocket_connection_set_max_total_message_size (test->server, 0); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 0); ++ ++ /* The message to the client is dropped due to the client's limit. 
*/ ++ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000); ++ soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL)); ++ g_bytes_unref (sent); ++ WAIT_UNTIL (close_event); ++ g_assert_null (received); ++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED); ++ g_assert_no_error (test->client_error); ++} ++ ++static void ++test_send_exceeding_server_max_message_size (Test *test, ++ gconstpointer data) ++{ ++ GBytes *sent = NULL; ++ GBytes *received = NULL; ++ gboolean close_event = FALSE; ++ GError *error = NULL; ++ ++ g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); ++ g_signal_connect (test->server, "closed", G_CALLBACK (on_close_set_flag), &close_event); ++ ++ soup_websocket_connection_set_max_total_message_size (test->client, 0); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 0); ++ ++ /* Set the server message total message size manually, because its ++ * default is different for direct connection vs. soup connection. ++ */ ++ soup_websocket_connection_set_max_total_message_size (test->server, 128 * 1024); ++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 128 * 1024); ++ ++ /* The message to the server is dropped due to the server's limit. 
*/ ++ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000); ++ soup_websocket_connection_send_text (test->client, g_bytes_get_data (sent, NULL)); ++ g_bytes_unref (sent); ++ WAIT_UNTIL (close_event); ++ g_assert_null (received); ++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED); ++ g_assert_no_error (test->client_error); ++} ++ ++ + static void + test_send_empty_packets (Test *test, + gconstpointer data) +@@ -2064,11 +2208,47 @@ main (int argc, + + g_test_add ("/websocket/direct/send-big-packets", Test, NULL, + setup_direct_connection, +- test_send_big_packets, ++ test_send_big_packets_direct, + teardown_direct_connection); + g_test_add ("/websocket/soup/send-big-packets", Test, NULL, + setup_soup_connection, +- test_send_big_packets, ++ test_send_big_packets_soup, ++ teardown_soup_connection); ++ ++ g_test_add ("/websocket/direct/send-exceeding-client-max-payload-size", Test, NULL, ++ setup_direct_connection, ++ test_send_exceeding_client_max_payload_size, ++ teardown_direct_connection); ++ g_test_add ("/websocket/soup/send-exceeding-client-max-payload-size", Test, NULL, ++ setup_soup_connection, ++ test_send_exceeding_client_max_payload_size, ++ teardown_soup_connection); ++ ++ g_test_add ("/websocket/direct/send-exceeding-server-max-payload-size", Test, NULL, ++ setup_direct_connection, ++ test_send_exceeding_server_max_payload_size, ++ teardown_direct_connection); ++ g_test_add ("/websocket/soup/send-exceeding-server-max-payload-size", Test, NULL, ++ setup_soup_connection, ++ test_send_exceeding_server_max_payload_size, ++ teardown_soup_connection); ++ ++ g_test_add ("/websocket/direct/send-exceeding-client-max-message-size", Test, NULL, ++ setup_direct_connection, ++ test_send_exceeding_client_max_message_size, ++ teardown_direct_connection); ++ g_test_add ("/websocket/soup/send-exceeding-client-max-message-size", Test, NULL, ++ setup_soup_connection, ++ test_send_exceeding_client_max_message_size, ++ 
teardown_soup_connection); ++ ++ g_test_add ("/websocket/direct/send-exceeding-server-max-message-size", Test, NULL, ++ setup_direct_connection, ++ test_send_exceeding_server_max_message_size, ++ teardown_direct_connection); ++ g_test_add ("/websocket/soup/send-exceeding-server-max-message-size", Test, NULL, ++ setup_soup_connection, ++ test_send_exceeding_server_max_message_size, + teardown_soup_connection); + + g_test_add ("/websocket/direct/send-empty-packets", Test, NULL, +@@ -2217,11 +2397,11 @@ main (int argc, + + g_test_add ("/websocket/direct/deflate-send-big-packets", Test, NULL, + setup_direct_connection_with_extensions, +- test_send_big_packets, ++ test_send_big_packets_direct, + teardown_direct_connection); + g_test_add ("/websocket/soup/deflate-send-big-packets", Test, NULL, + setup_soup_connection_with_extensions, +- test_send_big_packets, ++ test_send_big_packets_soup, + teardown_soup_connection); + + g_test_add ("/websocket/direct/deflate-send-empty-packets", Test, NULL, +-- +2.34.1 + diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb index 6be31806f1..fc4a286dcf 100644 --- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb +++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb @@ -47,6 +47,10 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ file://CVE-2025-4945.patch \ file://CVE-2025-12105.patch \ file://CVE-2025-14523.patch \ + file://CVE-2025-32049-1.patch \ + file://CVE-2025-32049-2.patch \ + file://CVE-2025-32049-3.patch \ + file://CVE-2025-32049-4.patch \ " SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"
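Review bot: in test_send_exceeding_server_max_payload_size, and likewise in the two max_message_size tests, `g_assert_null (received)` cannot fail: `received` is initialised to NULL and the visible lines connect only the "error" and "closed" handlers, never a "message" handler that would write to it. Connect a "message" callback that stores into `received` on the receiving endpoint before the send, so the assertion actually shows that the oversized message was not delivered. The `error` filled in by on_error_copy is also not released before these functions return; a `g_clear_error (&error)` after the last assertion would keep the tests leak-clean.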
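Review bot: none of the new send-exceeding-* tests is registered for the deflate setups; the `@@ -2217` hunk only swaps test_send_big_packets for test_send_big_packets_direct and test_send_big_packets_soup under setup_direct_connection_with_extensions and setup_soup_connection_with_extensions. As registered in the `@@ -2064` hunk, the payload and total-message limits are exercised only on connections without extensions. Consider adding at least the max-message-size cases under the /websocket/direct/deflate-* and /websocket/soup/deflate-* paths, so the limit is also checked when the deflate extension is in use.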