Re: [OE-core][scarthgap 03/21] nfs-utils: fix CVE-2025-12801

[Paul Barker <paul@pbarker.dev>]

[-- Attachment #1: Type: text/plain, Size: 4773 bytes --]

On Fri, 2026-06-12 at 16:25 +0200, Jérémy Rosen via
lists.openembedded.org wrote:
> From: Sudhir Dumbhare <sudumbha@cisco.com>

+Cc Sudhir

> 
> - This patch applies the upstream fix [5] as referenced in [7].
> - To successfully apply the fixed commit, apply the dependent commits [2] to [4]
>   which are included in v2.8.6, as referenced in [7].
> - Additionally, include dependent commit [1] from v2.8.3, as referenced in [8]
>   under the [2.5.4-38.2] description, along with compilation fix commit [6]
>   from v2.7.1
> - Reference:
>   [1] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f2925790
>   [2] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=7e8b36522f58
>   [3] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=42f01e6a78fe
>   [4] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=51738ae56d92
>   [5] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=f36bd900a899
>   [6] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=a2c95e4f557a
>   [7] https://security-tracker.debian.org/tracker/CVE-2025-12801
>   [8] https://linux.oracle.com/errata/ELSA-2026-3940.html
> 
> Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
> Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>

[snip]

> diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch
> new file mode 100644
> index 0000000000..223249a9d6
> --- /dev/null
> +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch
> @@ -0,0 +1,71 @@
> +From 647c9cb3ac3cbdf9ffd9e29f7d5dd04da84afdbc Mon Sep 17 00:00:00 2001
> +From: Christopher Bii <christopherbii@hyub.org>
> +Date: Wed, 15 Jan 2025 12:10:48 -0500
> +Subject: [PATCH] NFS export symlink vulnerability fix
> +
> +Replaced dangerous use of realpath within support/nfs/export.c with
> +nfsd_realpath variant that is executed within the chrooted thread
> +rather than main thread.
> +
> +Implemented nfsd_path.h methods to work securely within chrooted
> +thread using nfsd_run_task() help
> +
> +CVE: CVE-2025-12801
> +Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f29257904f36509ea5a04a86f42398fbe94a]
> +
> +Backport Changes:
> +- In support/misc/nfsd_path.c file, only nfsd_run_task() and the
> +  struct nfsd_task_t have been included to resolve a compilation
> +  issue. All other non-essential changes were excluded.
> +- The non-required file support/export/cache.c and support/nfs/exports.c
> +  has been excluded.
> +
> +Signed-off-by: Christopher Bii <christopherbii@hyub.org>
> +Signed-off-by: Steve Dickson <steved@redhat.com>
> +(cherry picked from commit cd90f29257904f36509ea5a04a86f42398fbe94a)
> +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
> +---
> + support/include/nfsd_path.h |  1 +
> + support/misc/nfsd_path.c    | 14 +++++++++++++-
> + 2 files changed, 14 insertions(+), 1 deletion(-)
> +
> +diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h
> +index aa1e1dd0..4f5fc44e 100644
> +--- a/support/include/nfsd_path.h
> ++++ b/support/include/nfsd_path.h
> +@@ -8,6 +8,7 @@
> + 
> + struct file_handle;
> + struct statfs;
> ++struct nfsd_task_t;
> + 
> + void 		nfsd_path_init(void);
> + 
> +diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c
> +index c3dea4f0..fa908f7c 100644
> +--- a/support/misc/nfsd_path.c
> ++++ b/support/misc/nfsd_path.c
> +@@ -19,7 +19,19 @@
> + #include "nfsd_path.h"
> + #include "workqueue.h"
> + 
> +-static struct xthread_workqueue *nfsd_wq;
> ++static struct xthread_workqueue *nfsd_wq = NULL;
> ++
> ++struct nfsd_task_t {
> ++        int             ret;
> ++        void*           data;
> ++};
> ++/* Function used to offload tasks that must be ran within the correct
> ++ * chroot environment.
> ++ */
> ++static void
> ++nfsd_run_task(void (*func)(void*), void* data){
> ++        nfsd_wq ? xthread_work_run_sync(nfsd_wq, func, data) : func(data);
> ++};
> + 
> + static int
> + nfsd_path_isslash(const char *path)
> +-- 
> +2.35.6
> +

Reading the commit message, and looking at the diff in the original
commit [1], I think we should apply the complete patch here. And it
seems that's what RedHat have done when backporting this fix for RHEL
9 [2].

Sudhir, what's the reason for trimming the patch down?

[1]: https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f29257904f36509ea5a04a86f42398fbe94a
[2]: https://gitlab.com/redhat/centos-stream/rpms/nfs-utils/-/commit/6f332316f7aa605d67f6b60db0be68f63bf28f9c

Best regards,

-- 
Paul Barker


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]