From: Changqing Li <changqing.li@windriver.com>
To: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Cc: Steve Sakoman <steve@sakoman.com>,
Gyorgy Sarvari <skandigraun@gmail.com>,
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][scarthgap 1/8] libmicrohttpd: fix CVE-2025-59777, CVE-2025-62689
Date: Mon, 8 Dec 2025 14:58:45 +0800 [thread overview]
Message-ID: <7f00631d-a0f6-4e7a-9c8e-50e3639dbc9d@windriver.com> (raw)
In-Reply-To: <CA+s=J=z-d13udWyvARTW9hgMFpzDkNQi=CS7dPhcW2qMaQoLFQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2701 bytes --]
On 12/5/25 11:41, Anuj Mittal wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> On Fri, Dec 5, 2025 at 8:22 AM Changqing Li via lists.openembedded.org
> <changqing.li=windriver.com@lists.openembedded.org> wrote:
>>
>> On 12/5/25 01:59, Steve Sakoman wrote:
>>
>> CAUTION: This email comes from a non Wind River email account!
>> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>>
>> On Wed, Dec 3, 2025 at 12:25 AM Gyorgy Sarvari<skandigraun@gmail.com> wrote:
>>
>> This is quite a big change in the middle of an LTS release... not that I
>> have a better solution. But maybe a warning in the docs would be
>> appropriate about this removed feature and its reason (not sure who
>> takes care of these).
>>
>> You are quite correct, this is a large change and deserves further
>> discussion since it is removing a (admittedly experimental) feature.
>>
>> I will remove this from this series pending further discussion on list.
>>
>> Hi,
>>
>> This vulnerability exists in libmicrohttpd_ws.so, which is generated when building with the --enable-experimental option, rather than in widely used libmicrohttpd.so.
>>
>> We don't enable this option by default, also we don't provide PACKAGECONFIG for it.
>>
>> How about we still keep the patch for fixing CVE-2025-59777, CVE-2025-62689, and add the following warning in libmicrohttpd_1.0.2.bb
>>
>> +python do_warn_experimental() {
>> + if '--enable-experimental' in d.getVar('EXTRA_OECONF') and '0001-Remove-broken-experimental-code.patch' in d.getVar('SRC_URI'):
>> + bb.warn("This option is removed for CVE-2025-59777, CVE-2025-62689, if you insist to use it, please remove patch 0001-Remove-broken-experimental-code.patch")
>> +}
>> +addtask warn_experimental before do_configure
>> +
>>
>> if the user enable '--enable-experimental' , warning is it removed. if user insist to use it, they can remove patch 0001-Remove-broken-experimental-code.patch locally, then
>>
>> warning will disappear.
> I think it should be the other way around. If we don't enable the
> option and don't have a tunable PACKAGECONFIG for it, why complicate
> and patch? If someone did enable it knowingly, they should fix it in
> their append or recipe.
if we don't patch it, should we add function like do_warn_experimental
to remind user about the CVE?
it is possible that user enable experimental, but they don't know the
existence of CVE-2025-59777, CVE-2025-62689.
Thanks
//Changqing
> Thanks,
>
> Anuj
[-- Attachment #2: Type: text/html, Size: 3839 bytes --]
prev parent reply other threads:[~2025-12-08 6:59 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-02 22:19 [OE-core][scarthgap 0/8] Patch review Steve Sakoman
2025-12-02 22:19 ` [OE-core][scarthgap 2/8] gnutls: patch CVE-2025-9820 Steve Sakoman
2025-12-02 22:19 ` [OE-core][scarthgap 3/8] python3: fix CVE-2025-6075 Steve Sakoman
2025-12-02 22:19 ` [OE-core][scarthgap 4/8] libpng: patch CVE-2025-64505 Steve Sakoman
2025-12-02 22:19 ` [OE-core][scarthgap 5/8] libpng: patch CVE-2025-64506 Steve Sakoman
2025-12-02 22:19 ` [OE-core][scarthgap 6/8] libpng: patch CVE-2025-64720 Steve Sakoman
2025-12-02 22:19 ` [OE-core][scarthgap 7/8] libpng: patch CVE-2025-65018 Steve Sakoman
2025-12-02 22:19 ` [OE-core][scarthgap 8/8] curl: Ensure 'CURL_CA_BUNDLE' from host env is indeed respected Steve Sakoman
[not found] ` <ce604b9bf682e404baa15800fcdbc01abd6a66e1.1764713862.git.steve@sakoman.com>
[not found] ` <b0caac3f-5a60-48e4-bd89-15fb3654a91e@gmail.com>
2025-12-04 17:59 ` [OE-core][scarthgap 1/8] libmicrohttpd: fix CVE-2025-59777, CVE-2025-62689 Steve Sakoman
2025-12-05 2:52 ` Changqing Li
2025-12-05 3:41 ` Anuj Mittal
2025-12-08 6:58 ` Changqing Li [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7f00631d-a0f6-4e7a-9c8e-50e3639dbc9d@windriver.com \
--to=changqing.li@windriver.com \
--cc=anuj.mittal@oss.qualcomm.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=skandigraun@gmail.com \
--cc=steve@sakoman.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox