* [scarthgap][PATCH v2 1/3] dhcpcd: patch CVE-2026-56113
2026-07-01 15:04 ` [scarthgap][PATCH v2 0/3] dhcpcd: patch CVE-2026-56113 tgaige.opensource
@ 2026-07-01 15:04 ` tgaige.opensource
2026-07-01 15:04 ` [scarthgap][PATCH v2 2/3] dhcpcd: patch CVE-2026-56114 tgaige.opensource
2026-07-01 15:04 ` [scarthgap][PATCH v2 3/3] dhcpcd: patch CVE-2026-56117 tgaige.opensource
2 siblings, 0 replies; 4+ messages in thread
From: tgaige.opensource @ 2026-07-01 15:04 UTC (permalink / raw)
To: openembedded-core; +Cc: hsimeliere.opensource, Theo Gaige (Schneider Electric)
From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>
Backport patch [1] mentionned in [2]
[1] https://github.com/NetworkConfiguration/dhcpcd/commit/5733d3c59a5651f64357ac11c98b4f39895c8d25
[2] https://security-tracker.debian.org/tracker/CVE-2026-56113
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
---
.../dhcpcd/dhcpcd_10.0.6.bb | 1 +
.../dhcpcd/files/CVE-2026-56113.patch | 92 +++++++++++++++++++
2 files changed, 93 insertions(+)
create mode 100644 meta/recipes-connectivity/dhcpcd/files/CVE-2026-56113.patch
diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
index 6bde9b1f51..65dcbe52ec 100644
--- a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=ma
file://dhcpcd.service \
file://dhcpcd@.service \
file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
+ file://CVE-2026-56113.patch \
"
SRCREV = "1c8ae59836fa87b4c63c598087f0460ec20ed862"
diff --git a/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56113.patch b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56113.patch
new file mode 100644
index 0000000000..6727bc1a69
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56113.patch
@@ -0,0 +1,92 @@
+From 9f953ada0df6e7a568f006f3ae0ff10a77a95924 Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Tue, 23 Jun 2026 02:17:10 +0100
+Subject: [PATCH] DHCPv6: When deprecating addresses, restart on prefix
+ deletions
+
+As that might invalidate the next address to iterate on.
+
+Reported-by: CuB3y0nd <root@cubeyond.net>
+
+(cherry picked from commit 5733d3c59a5651f64357ac11c98b4f39895c8d25)
+
+CVE: CVE-2026-56113
+Upstream-Status: Backport [https://github.com/NetworkConfiguration/dhcpcd/commit/5733d3c59a5651f64357ac11c98b4f39895c8d25]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/dhcp6.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index bdc3664e..5154bf41 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -2480,12 +2480,13 @@ dhcp6_findia(struct interface *ifp, struct dhcp6_message *m, size_t l,
+ }
+
+ #ifndef SMALL
+-static void
++static bool
+ dhcp6_deprecatedele(struct ipv6_addr *ia)
+ {
+ struct ipv6_addr *da, *dan, *dda;
+ struct timespec now;
+ struct dhcp6_state *state;
++ bool freed = false;
+
+ timespecclear(&now);
+ TAILQ_FOREACH_SAFE(da, &ia->pd_pfxs, pd_next, dan) {
+@@ -2511,11 +2512,14 @@ dhcp6_deprecatedele(struct ipv6_addr *ia)
+ if (IN6_ARE_ADDR_EQUAL(&dda->addr, &da->addr))
+ break;
+ }
+- if (dda != NULL) {
++ if (dda != ia && dda != NULL) {
+ TAILQ_REMOVE(&state->addrs, dda, next);
+ ipv6_freeaddr(dda);
++ freed = true;
+ }
+ }
++
++ return freed;
+ }
+ #endif
+
+@@ -2523,7 +2527,11 @@ static void
+ dhcp6_deprecateaddrs(struct ipv6_addrhead *addrs)
+ {
+ struct ipv6_addr *ia, *ian;
++#ifndef SMALL
++ bool again;
++#endif
+
++again:
+ TAILQ_FOREACH_SAFE(ia, addrs, next, ian) {
+ if (ia->flags & IPV6_AF_EXTENDED)
+ ;
+@@ -2545,7 +2553,9 @@ dhcp6_deprecateaddrs(struct ipv6_addrhead *addrs)
+ /* If we delegated from this prefix, deprecate or remove
+ * the delegations. */
+ if (ia->flags & IPV6_AF_DELEGATEDPFX)
+- dhcp6_deprecatedele(ia);
++ again = dhcp6_deprecatedele(ia);
++ else
++ again = false;
+ #endif
+
+ if (ia->flags & IPV6_AF_REQUEST) {
+@@ -2558,6 +2568,11 @@ dhcp6_deprecateaddrs(struct ipv6_addrhead *addrs)
+ if (ia->flags & IPV6_AF_EXTENDED)
+ ipv6_deleteaddr(ia);
+ ipv6_freeaddr(ia);
++#ifndef SMALL
++ /* Deletion may invalidate the next pointer so restart */
++ if (again)
++ goto again;
++#endif
+ }
+ }
+
+--
+2.43.0
+
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* [scarthgap][PATCH v2 2/3] dhcpcd: patch CVE-2026-56114
2026-07-01 15:04 ` [scarthgap][PATCH v2 0/3] dhcpcd: patch CVE-2026-56113 tgaige.opensource
2026-07-01 15:04 ` [scarthgap][PATCH v2 1/3] " tgaige.opensource
@ 2026-07-01 15:04 ` tgaige.opensource
2026-07-01 15:04 ` [scarthgap][PATCH v2 3/3] dhcpcd: patch CVE-2026-56117 tgaige.opensource
2 siblings, 0 replies; 4+ messages in thread
From: tgaige.opensource @ 2026-07-01 15:04 UTC (permalink / raw)
To: openembedded-core; +Cc: hsimeliere.opensource, Theo Gaige (Schneider Electric)
From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>
Backport patch [1] mentionned in [2]
[1] https://github.com/NetworkConfiguration/dhcpcd/commit/2f00c7bfc408b6582d331932dfa47829c4819029
[2] https://security-tracker.debian.org/tracker/CVE-2026-56114
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
---
.../dhcpcd/dhcpcd_10.0.6.bb | 1 +
.../dhcpcd/files/CVE-2026-56114.patch | 34 +++++++++++++++++++
2 files changed, 35 insertions(+)
create mode 100644 meta/recipes-connectivity/dhcpcd/files/CVE-2026-56114.patch
diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
index 65dcbe52ec..bc87b91503 100644
--- a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=ma
file://dhcpcd@.service \
file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
file://CVE-2026-56113.patch \
+ file://CVE-2026-56114.patch \
"
SRCREV = "1c8ae59836fa87b4c63c598087f0460ec20ed862"
diff --git a/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56114.patch b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56114.patch
new file mode 100644
index 0000000000..748dc1ee8c
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56114.patch
@@ -0,0 +1,34 @@
+From fd86ded940524f60174582faa96f583c168589ef Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Tue, 23 Jun 2026 02:06:55 +0100
+Subject: [PATCH] DHCPv6: Prefix exclude option can be 17 octets (#671)
+
+Well that's a simple off by one error
+
+Reported-by: CuB3y0nd <root@cubeyond.net>
+
+(cherry picked from commit 2f00c7bfc408b6582d331932dfa47829c4819029)
+
+CVE: CVE-2026-56114
+Upstream-Status: Backport [https://github.com/NetworkConfiguration/dhcpcd/commit/2f00c7bfc408b6582d331932dfa47829c4819029]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/dhcp6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index 5154bf41..1eac9f23 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -1006,7 +1006,7 @@ dhcp6_makemessage(struct interface *ifp)
+
+ /* RFC6603 Section 4.2 */
+ if (ap->prefix_exclude_len) {
+- uint8_t exb[16], *ep, u8;
++ uint8_t exb[17], *ep, u8;
+ const uint8_t *pp;
+
+ n = (size_t)((ap->prefix_exclude_len -
+--
+2.43.0
+
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* [scarthgap][PATCH v2 3/3] dhcpcd: patch CVE-2026-56117
2026-07-01 15:04 ` [scarthgap][PATCH v2 0/3] dhcpcd: patch CVE-2026-56113 tgaige.opensource
2026-07-01 15:04 ` [scarthgap][PATCH v2 1/3] " tgaige.opensource
2026-07-01 15:04 ` [scarthgap][PATCH v2 2/3] dhcpcd: patch CVE-2026-56114 tgaige.opensource
@ 2026-07-01 15:04 ` tgaige.opensource
2 siblings, 0 replies; 4+ messages in thread
From: tgaige.opensource @ 2026-07-01 15:04 UTC (permalink / raw)
To: openembedded-core; +Cc: hsimeliere.opensource, Theo Gaige (Schneider Electric)
From: "Theo Gaige (Schneider Electric)" <tgaige.opensource@witekio.com>
Backport patch [1] mentionned in [2]
[1] https://github.com/NetworkConfiguration/dhcpcd/commit/78ea09ed1633a583dbcde6e7bab9df4639ec8a34
[2] https://security-tracker.debian.org/tracker/CVE-2026-56117
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
---
.../dhcpcd/dhcpcd_10.0.6.bb | 1 +
.../dhcpcd/files/CVE-2026-56117.patch | 167 ++++++++++++++++++
2 files changed, 168 insertions(+)
create mode 100644 meta/recipes-connectivity/dhcpcd/files/CVE-2026-56117.patch
diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
index bc87b91503..e6854e1c7f 100644
--- a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=ma
file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
file://CVE-2026-56113.patch \
file://CVE-2026-56114.patch \
+ file://CVE-2026-56117.patch \
"
SRCREV = "1c8ae59836fa87b4c63c598087f0460ec20ed862"
diff --git a/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56117.patch b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56117.patch
new file mode 100644
index 0000000000..4f79453aed
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/CVE-2026-56117.patch
@@ -0,0 +1,167 @@
+From 52e0746deeace02b0ea039441d6cdc58f026018d Mon Sep 17 00:00:00 2001
+From: Roy Marples <roy@marples.name>
+Date: Mon, 22 Jun 2026 23:41:53 +0100
+Subject: [PATCH] control: Avoid hangup in the recvdata path
+
+Instead return an error and bubble it up where it can be
+hangup / freed more cleanly.
+
+Reported-by: CuB3y0nd <root@cubeyond.net>
+
+(cherry picked from commit 78ea09ed1633a583dbcde6e7bab9df4639ec8a34)
+
+CVE: CVE-2026-56117
+Upstream-Status: Backport [https://github.com/NetworkConfiguration/dhcpcd/commit/78ea09ed1633a583dbcde6e7bab9df4639ec8a34]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/control.c | 47 ++++++++++++++++++++++++-------------------
+ src/control.h | 2 +-
+ src/privsep-control.c | 7 ++++++-
+ 3 files changed, 33 insertions(+), 23 deletions(-)
+
+diff --git a/src/control.c b/src/control.c
+index 17fd13aa..20480f69 100644
+--- a/src/control.c
++++ b/src/control.c
+@@ -115,10 +115,8 @@ control_handle_read(struct fd_list *fd)
+ bytes = read(fd->fd, buffer, sizeof(buffer) - 1);
+ if (bytes == -1)
+ logerr(__func__);
+- if (bytes == -1 || bytes == 0) {
+- control_hangup(fd);
+- return -1;
+- }
++ if (bytes == -1 || bytes == 0)
++ return (int)bytes;
+
+ #ifdef PRIVSEP
+ if (IN_PRIVSEP(fd->ctx)) {
+@@ -134,15 +132,13 @@ control_handle_read(struct fd_list *fd)
+ if (err == 1 &&
+ ps_ctl_sendargs(fd, buffer, (size_t)bytes) == -1) {
+ logerr(__func__);
+- control_free(fd);
+ return -1;
+ }
+- return 0;
++ return 1;
+ }
+ #endif
+
+- control_recvdata(fd, buffer, (size_t)bytes);
+- return 0;
++ return control_recvdata(fd, buffer, (size_t)bytes);
+ }
+
+ static int
+@@ -205,23 +201,31 @@ static void
+ control_handle_data(void *arg, unsigned short events)
+ {
+ struct fd_list *fd = arg;
++ int err;
+
+ if (!(events & (ELE_READ | ELE_WRITE | ELE_HANGUP)))
+ logerrx("%s: unexpected event 0x%04x", __func__, events);
+
+ if (events & ELE_WRITE && !(events & ELE_HANGUP)) {
+- if (control_handle_write(fd) == -1)
+- return;
++ err = control_handle_write(fd);
++ if (err == -1)
++ goto hangup;
+ }
+ if (events & ELE_READ) {
+- if (control_handle_read(fd) == -1)
+- return;
++ err = control_handle_read(fd);
++ if (err == -1 || err == 0)
++ goto hangup;
+ }
+ if (events & ELE_HANGUP)
+- control_hangup(fd);
++ goto hangup;
++
++ return;
++
++hangup:
++ control_hangup(fd);
+ }
+
+-void
++int
+ control_recvdata(struct fd_list *fd, char *data, size_t len)
+ {
+ char *p = data, *e;
+@@ -243,12 +247,13 @@ control_recvdata(struct fd_list *fd, char *data, size_t len)
+ if (e == NULL) {
+ errno = EINVAL;
+ logerrx("%s: no terminator", __func__);
+- return;
++ return -1;
+ }
+- if ((size_t)argc >= sizeof(argvp) / sizeof(argvp[0])) {
++ if ((size_t)argc + 1 >=
++ sizeof(argvp) / sizeof(argvp[0])) {
+ errno = ENOBUFS;
+ logerrx("%s: no arg buffer", __func__);
+- return;
++ return -1;
+ }
+ *ap++ = p;
+ argc++;
+@@ -268,12 +273,12 @@ control_recvdata(struct fd_list *fd, char *data, size_t len)
+ *ap = NULL;
+ if (dhcpcd_handleargs(fd->ctx, fd, argc, argvp) == -1) {
+ logerr(__func__);
+- if (errno != EINTR && errno != EAGAIN) {
+- control_free(fd);
+- return;
+- }
++ if (errno != EINTR && errno != EAGAIN)
++ return -1;
+ }
+ }
++
++ return 1;
+ }
+
+ struct fd_list *
+diff --git a/src/control.h b/src/control.h
+index f5e2bc7e..c5511dd7 100644
+--- a/src/control.h
++++ b/src/control.h
+@@ -75,5 +75,5 @@ struct fd_list *control_new(struct dhcpcd_ctx *, int, unsigned int);
+ void control_free(struct fd_list *);
+ void control_delete(struct fd_list *);
+ int control_queue(struct fd_list *, void *, size_t);
+-void control_recvdata(struct fd_list *fd, char *, size_t);
++int control_recvdata(struct fd_list *fd, char *, size_t);
+ #endif
+diff --git a/src/privsep-control.c b/src/privsep-control.c
+index 40bfb164..954126c0 100644
+--- a/src/privsep-control.c
++++ b/src/privsep-control.c
+@@ -108,6 +108,7 @@ ps_ctl_dispatch(void *arg, struct ps_msghdr *psm, struct msghdr *msg)
+ struct iovec *iov = msg->msg_iov;
+ struct fd_list *fd;
+ unsigned int fd_flags = FD_SENDLEN;
++ int err;
+
+ switch (psm->ps_flags) {
+ case PS_CTL_PRIV:
+@@ -131,7 +132,11 @@ ps_ctl_dispatch(void *arg, struct ps_msghdr *psm, struct msghdr *msg)
+ if (fd == NULL)
+ return -1;
+ ctx->ps_control_client = fd;
+- control_recvdata(fd, iov->iov_base, iov->iov_len);
++ err = control_recvdata(fd, iov->iov_base, iov->iov_len);
++ if (err == -1 || err == 0) {
++ control_free(fd);
++ ctx->ps_control_client = NULL;
++ }
+ break;
+ case PS_CTL_EOF:
+ ctx->ps_control_client = NULL;
+--
+2.43.0
+
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread