From: tgaige.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: hsimeliere.opensource@witekio.com,
"Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>
Subject: [scarthgap][PATCH v2 1/3] dhcpcd: patch CVE-2026-56113
Date: Wed, 1 Jul 2026 17:04:31 +0200 [thread overview]
Message-ID: <20260701150433.3889478-2-tgaige.opensource@witekio.com> (raw)
In-Reply-To: <20260701150433.3889478-1-tgaige.opensource@witekio.com>
From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>
Backport patch [1] mentionned in [2]
[1] https://github.com/NetworkConfiguration/dhcpcd/commit/5733d3c59a5651f64357ac11c98b4f39895c8d25
[2] https://security-tracker.debian.org/tracker/CVE-2026-56113
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
---
.../dhcpcd/dhcpcd_10.0.6.bb | 1 +
.../dhcpcd/files/CVE-2026-56113.patch | 92 +++++++++++++++++++
2 files changed, 93 insertions(+)
create mode 100644 meta/recipes-connectivity/dhcpcd/files/CVE-2026-56113.patch
diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
index 6bde9b1f51..65dcbe52ec 100644
--- a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=ma
file://dhcpcd.service \
file://dhcpcd@.service \
file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
+ file://CVE-2026-56113.patch \
"
SRCREV = "1c8ae59836fa87b4c63c598087f0460ec20ed862"
diff --git a/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56113.patch b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56113.patch
new file mode 100644
index 0000000000..6727bc1a69
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56113.patch
@@ -0,0 +1,92 @@
+From 9f953ada0df6e7a568f006f3ae0ff10a77a95924 Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Tue, 23 Jun 2026 02:17:10 +0100
+Subject: [PATCH] DHCPv6: When deprecating addresses, restart on prefix
+ deletions
+
+As that might invalidate the next address to iterate on.
+
+Reported-by: CuB3y0nd <root@cubeyond.net>
+
+(cherry picked from commit 5733d3c59a5651f64357ac11c98b4f39895c8d25)
+
+CVE: CVE-2026-56113
+Upstream-Status: Backport [https://github.com/NetworkConfiguration/dhcpcd/commit/5733d3c59a5651f64357ac11c98b4f39895c8d25]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/dhcp6.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index bdc3664e..5154bf41 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -2480,12 +2480,13 @@ dhcp6_findia(struct interface *ifp, struct dhcp6_message *m, size_t l,
+ }
+
+ #ifndef SMALL
+-static void
++static bool
+ dhcp6_deprecatedele(struct ipv6_addr *ia)
+ {
+ struct ipv6_addr *da, *dan, *dda;
+ struct timespec now;
+ struct dhcp6_state *state;
++ bool freed = false;
+
+ timespecclear(&now);
+ TAILQ_FOREACH_SAFE(da, &ia->pd_pfxs, pd_next, dan) {
+@@ -2511,11 +2512,14 @@ dhcp6_deprecatedele(struct ipv6_addr *ia)
+ if (IN6_ARE_ADDR_EQUAL(&dda->addr, &da->addr))
+ break;
+ }
+- if (dda != NULL) {
++ if (dda != ia && dda != NULL) {
+ TAILQ_REMOVE(&state->addrs, dda, next);
+ ipv6_freeaddr(dda);
++ freed = true;
+ }
+ }
++
++ return freed;
+ }
+ #endif
+
+@@ -2523,7 +2527,11 @@ static void
+ dhcp6_deprecateaddrs(struct ipv6_addrhead *addrs)
+ {
+ struct ipv6_addr *ia, *ian;
++#ifndef SMALL
++ bool again;
++#endif
+
++again:
+ TAILQ_FOREACH_SAFE(ia, addrs, next, ian) {
+ if (ia->flags & IPV6_AF_EXTENDED)
+ ;
+@@ -2545,7 +2553,9 @@ dhcp6_deprecateaddrs(struct ipv6_addrhead *addrs)
+ /* If we delegated from this prefix, deprecate or remove
+ * the delegations. */
+ if (ia->flags & IPV6_AF_DELEGATEDPFX)
+- dhcp6_deprecatedele(ia);
++ again = dhcp6_deprecatedele(ia);
++ else
++ again = false;
+ #endif
+
+ if (ia->flags & IPV6_AF_REQUEST) {
+@@ -2558,6 +2568,11 @@ dhcp6_deprecateaddrs(struct ipv6_addrhead *addrs)
+ if (ia->flags & IPV6_AF_EXTENDED)
+ ipv6_deleteaddr(ia);
+ ipv6_freeaddr(ia);
++#ifndef SMALL
++ /* Deletion may invalidate the next pointer so restart */
++ if (again)
++ goto again;
++#endif
+ }
+ }
+
+--
+2.43.0
+
--
2.43.0
next prev parent reply other threads:[~2026-07-01 15:04 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <239971>
2026-07-01 15:04 ` [scarthgap][PATCH v2 0/3] dhcpcd: patch CVE-2026-56113 tgaige.opensource
2026-07-01 15:04 ` tgaige.opensource [this message]
2026-07-01 15:04 ` [scarthgap][PATCH v2 2/3] dhcpcd: patch CVE-2026-56114 tgaige.opensource
2026-07-01 15:04 ` [scarthgap][PATCH v2 3/3] dhcpcd: patch CVE-2026-56117 tgaige.opensource
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260701150433.3889478-2-tgaige.opensource@witekio.com \
--to=tgaige.opensource@witekio.com \
--cc=hsimeliere.opensource@witekio.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox