* [OE-core][kirkstone 01/12] openssh: Fix CVE-2025-32728
From: Steve Sakoman @ 2025-05-24 13:36 UTC
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../openssh/openssh/CVE-2025-32728.patch | 44 +++++++++++++++++++
.../openssh/openssh_8.9p1.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
new file mode 100644
index 0000000000..d992f78ed7
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
@@ -0,0 +1,44 @@
+From fc86875e6acb36401dfc1dfb6b628a9d1460f367 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 9 Apr 2025 07:00:03 +0000
+Subject: [PATCH] upstream: Fix logic error in DisableForwarding option. This
+ option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367]
+CVE: CVE-2025-32728
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ session.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/session.c b/session.c
+index e67d24d..625e97f 100644
+--- a/session.c
++++ b/session.c
+@@ -2182,7 +2182,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
+ if ((r = sshpkt_get_end(ssh)) != 0)
+ sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ if (!auth_opts->permit_agent_forwarding_flag ||
+- !options.allow_agent_forwarding) {
++ !options.allow_agent_forwarding ||
++ options.disable_forwarding) {
+ debug_f("agent forwarding disabled");
+ return 0;
+ }
+@@ -2568,7 +2569,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
+ ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+ return 0;
+ }
+- if (!options.x11_forwarding) {
++ if (!options.x11_forwarding || options.disable_forwarding) {
+ debug("X11 forwarding disabled in server configuration file.");
+ return 0;
+ }
+--
+2.25.1
+
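Review bot: the only explanation of this fix sits in the header of the added CVE-2025-32728.patch (DisableForwarding "was documented as disabling X11 and agent forwarding but it failed to do so"), while the OE-core commit message above it carries just Upstream-Status and sign-off lines; please repeat that one-line summary there, as the iputils and connman commits in this series do. In the session_setup_x11fwd hunk, a request refused because of `options.disable_forwarding` still logs "X11 forwarding disabled in server configuration file.", which is accurate but does not name the directive; that is fine to keep for a faithful backport.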
diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
index 54b4d238eb..345051c8dc 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -38,6 +38,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://CVE-2023-51385.patch \
file://CVE-2024-6387.patch \
file://CVE-2025-26465.patch \
+ file://CVE-2025-32728.patch \
"
SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
--
2.43.0
* [OE-core][kirkstone 02/12] iputils: Security fix for CVE-2025-47268
From: Steve Sakoman @ 2025-05-24 13:36 UTC
To: openembedded-core
From: Yi Zhao <yi.zhao@windriver.com>
CVE-2025-47268
ping in iputils through 20240905 allows a denial of service (application
error or incorrect data collection) via a crafted ICMP Echo Reply
packet, because of a signed 64-bit integer overflow in timestamp
multiplication.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47268
Patch from:
https://github.com/iputils/iputils/commit/070cfacd7348386173231fb16fad4983d4e6ae40
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../iputils/iputils/CVE-2025-47268.patch | 143 ++++++++++++++++++
.../iputils/iputils_20211215.bb | 1 +
2 files changed, 144 insertions(+)
create mode 100644 meta/recipes-extended/iputils/iputils/CVE-2025-47268.patch
diff --git a/meta/recipes-extended/iputils/iputils/CVE-2025-47268.patch b/meta/recipes-extended/iputils/iputils/CVE-2025-47268.patch
new file mode 100644
index 0000000000..dd31b79031
--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/CVE-2025-47268.patch
@@ -0,0 +1,143 @@
+From 070cfacd7348386173231fb16fad4983d4e6ae40 Mon Sep 17 00:00:00 2001
+From: Petr Vorel <pvorel@suse.cz>
+Date: Mon, 5 May 2025 23:55:57 +0200
+Subject: [PATCH] ping: Fix signed 64-bit integer overflow in RTT calculation
+
+Crafted ICMP Echo Reply packet can cause signed integer overflow in
+
+1) triptime calculation:
+triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+
+2) tsum2 increment which uses triptime
+rts->tsum2 += (double)((long long)triptime * (long long)triptime);
+
+3) final tmvar:
+tmvar = (rts->tsum2 / total) - (tmavg * tmavg)
+
+ $ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
+ $ export LDFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer"
+ $ meson setup .. -Db_sanitize=address,undefined
+ $ ninja
+ $ ./ping/ping -c2 127.0.0.1
+
+ PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
+ 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.061 ms
+ ../ping/ping_common.c:757:25: runtime error: signed integer overflow: -2513732689199106 * 1000000 cannot be represented in type 'long int'
+ ../ping/ping_common.c:757:12: runtime error: signed integer overflow: -4975495174606980224 + -6510615555425289427 cannot be represented in type 'long int'
+ ../ping/ping_common.c:769:47: runtime error: signed integer overflow: 6960633343677281965 * 6960633343677281965 cannot be represented in type 'long int'
+ 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+ ./ping/ping: Warning: time of day goes back (-7256972569576721377us), taking countermeasures
+ ./ping/ping: Warning: time of day goes back (-7256972569576721232us), taking countermeasures
+ 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+ ../ping/ping_common.c:265:16: runtime error: signed integer overflow: 6960633343677281965 * 2 cannot be represented in type 'long int'
+ 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.565 ms
+
+ --- 127.0.0.1 ping statistics ---
+ 2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1002ms
+ ../ping/ping_common.c:940:42: runtime error: signed integer overflow: 1740158335919320832 * 1740158335919320832 cannot be represented in type 'long int'
+ rtt min/avg/max/mdev = 0.000/1740158335919320.832/6960633343677281.965/-1623514645242292.-224 ms
+
+To fix the overflow check allowed ranges of struct timeval members:
+* tv_sec <0, LONG_MAX/1000000>
+* tv_usec <0, 999999>
+
+Fix includes 2 new error messages (needs translation).
+Also existing message "time of day goes back ..." needed to be modified
+as it now prints tv->tv_sec which is a second (needs translation update).
+
+After fix:
+
+ $ ./ping/ping -c2 127.0.0.1
+ 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.057 ms
+ ./ping/ping: Warning: invalid tv_usec -6510615555424928611 us
+ ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
+ ./ping/ping: Warning: invalid tv_usec -6510615555424928461 us
+ ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
+ 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+ ./ping/ping: Warning: invalid tv_usec -6510615555425884541 us
+ ./ping/ping: Warning: time of day goes back (-4243165695442945 s), taking countermeasures
+ 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+ 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.111 ms
+
+ --- 127.0.0.1 ping statistics ---
+ 2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 101ms
+ rtt min/avg/max/mdev = 0.000/0.042/0.111/0.046 ms
+
+Fixes: https://github.com/iputils/iputils/issues/584
+Fixes: CVE-2025-472
+Link: https://github.com/Zephkek/ping-rtt-overflow/
+Co-developed-by: Cyril Hrubis <chrubis@suse.cz>
+Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Reviewed-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
+Reviewed-by: Noah Meyerhans <noahm@debian.org>
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+
+CVE: CVE-2025-47268
+
+Upstream-Status: Backport
+[https://github.com/iputils/iputils/commit/070cfacd7348386173231fb16fad4983d4e6ae40]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ iputils_common.h | 3 +++
+ ping/ping_common.c | 22 +++++++++++++++++++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/iputils_common.h b/iputils_common.h
+index 49e790d..829a749 100644
+--- a/iputils_common.h
++++ b/iputils_common.h
+@@ -10,6 +10,9 @@
+ !!__builtin_types_compatible_p(__typeof__(arr), \
+ __typeof__(&arr[0]))])) * 0)
+
++/* 1000001 = 1000000 tv_sec + 1 tv_usec */
++#define TV_SEC_MAX_VAL (LONG_MAX/1000001)
++
+ #ifdef __GNUC__
+ # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m)))
+ #else
+diff --git a/ping/ping_common.c b/ping/ping_common.c
+index dadd2a4..4e99d89 100644
+--- a/ping/ping_common.c
++++ b/ping/ping_common.c
+@@ -754,16 +754,32 @@ int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen,
+
+ restamp:
+ tvsub(tv, &tmp_tv);
+- triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+- if (triptime < 0) {
+- error(0, 0, _("Warning: time of day goes back (%ldus), taking countermeasures"), triptime);
++
++ if (tv->tv_usec >= 1000000) {
++ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec);
++ tv->tv_usec = 999999;
++ }
++
++ if (tv->tv_usec < 0) {
++ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec);
++ tv->tv_usec = 0;
++ }
++
++ if (tv->tv_sec > TV_SEC_MAX_VAL) {
++ error(0, 0, _("Warning: invalid tv_sec %ld s"), tv->tv_sec);
++ triptime = 0;
++ } else if (tv->tv_sec < 0) {
++ error(0, 0, _("Warning: time of day goes back (%ld s), taking countermeasures"), tv->tv_sec);
+ triptime = 0;
+ if (!rts->opt_latency) {
+ gettimeofday(tv, NULL);
+ rts->opt_latency = 1;
+ goto restamp;
+ }
++ } else {
++ triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+ }
++
+ if (!csfailed) {
+ rts->tsum += triptime;
+ rts->tsum2 += (double)((long long)triptime * (long long)triptime);
+--
+2.34.1
+
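Review bot: in the gather_statistics hunk, both invalid-timestamp branches (`tv->tv_sec > TV_SEC_MAX_VAL` and `tv->tv_sec < 0`) set `triptime = 0` and then fall through to `rts->tsum += triptime`, so when `csfailed` is not set such replies are still counted as 0 us samples; the "After fix" output in the message reports an rtt min of 0.000 ms. It is worth confirming that keeping these samples in the statistics, rather than skipping them, is intended. Two smaller points: the tv_usec range checks run before the tv_sec check, so a negative tv_sec produces both warnings per packet (visible in the same output), and `TV_SEC_MAX_VAL` in iputils_common.h uses `LONG_MAX` without the hunk adding `<limits.h>`, so every file that includes it must already provide that header.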
diff --git a/meta/recipes-extended/iputils/iputils_20211215.bb b/meta/recipes-extended/iputils/iputils_20211215.bb
index 3ddce0be54..03dc97dcc8 100644
--- a/meta/recipes-extended/iputils/iputils_20211215.bb
+++ b/meta/recipes-extended/iputils/iputils_20211215.bb
@@ -12,6 +12,7 @@ DEPENDS = "gnutls"
SRC_URI = "git://github.com/iputils/iputils;branch=master;protocol=https \
file://0001-rarpd-rdisc-Drop-PrivateUsers.patch \
+ file://CVE-2025-47268.patch \
"
SRCREV = "1d1e7c43210d8af316a41cb2c53d612a4c16f34d"
--
2.43.0
* [OE-core][kirkstone 03/12] connman :fix CVE-2025-32366
From: Steve Sakoman @ 2025-05-24 13:36 UTC
To: openembedded-core
From: Praveen Kumar <praveen.kumar@windriver.com>
In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length
that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen)
and memcpy(response+offset,*end,*rdlen) without a check for whether
the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be
larger than the amount of remaining packet data in the current state
of parsing. Values of stack memory locations may be sent over the
network in a response.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32366
Upstream-patch:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../connman/connman/CVE-2025-32366.patch | 41 +++++++++++++++++++
.../connman/connman_1.41.bb | 1 +
2 files changed, 42 insertions(+)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
new file mode 100644
index 0000000000..45c9ddaf6f
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
@@ -0,0 +1,41 @@
+From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
+From: Yoonje Shin <ioerts@kookmin.ac.kr>
+Date: Mon, 12 May 2025 10:48:18 +0200
+Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
+
+In Connman parse_rr in dnsproxy.c has a memcpy length
+that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
+and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
+than the amount of remaining packet data in the current state of
+parsing. As a result, values of stack memory locations may be sent
+over the network in a response.
+
+This patch adds a check to ensure that (*end + *rdlen) does not exceed
+the valid range. If the condition is violated, the function returns
+-EINVAL.
+
+CVE: CVE-2025-32366
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/dnsproxy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 334dd00..74aed50 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -950,6 +950,9 @@ static int parse_rr(unsigned char *buf, unsigned char *start,
+ if ((unsigned int) (offset + *rdlen) > *response_size)
+ return -ENOBUFS;
+
++ if ((*end + *rdlen) > max)
++ return -EINVAL;
++
+ memcpy(response + offset, *end, *rdlen);
+
+ *end += *rdlen;
+--
+2.40.0
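Review bot: the added check `(*end + *rdlen) > max` in parse_rr forms the pointer `*end + *rdlen` before comparing it, and when `*rdlen` is larger than the remaining data that pointer already lies more than one element past the end of the packet buffer, which C leaves undefined. Comparing lengths avoids this, for example `if (*rdlen > max - *end) return -EINVAL;`, assuming `max` is the end-of-packet pointer and `*end <= max` holds at this point, as the commit message implies. The message could also say why this check returns -EINVAL while the neighbouring size check returns -ENOBUFS.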
diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb
index caf0610c3f..28331712fd 100644
--- a/meta/recipes-connectivity/connman/connman_1.41.bb
+++ b/meta/recipes-connectivity/connman/connman_1.41.bb
@@ -10,6 +10,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://CVE-2022-32292.patch \
file://CVE-2023-28488.patch \
file://CVE-2025-32743.patch \
+ file://CVE-2025-32366.patch \
"
SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
--
2.43.0
* [OE-core][kirkstone 04/12] libsoup-2.4: Fix CVE-2025-46420
From: Steve Sakoman @ 2025-05-24 13:36 UTC
To: openembedded-core
From: Ashish Sharma <asharma@mvista.com>
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/c9083869ec2a3037e6df4bd86b45c419ba295f8e]
Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup/libsoup-2.4/CVE-2025-46420.patch | 60 +++++++++++++++++++
.../libsoup/libsoup-2.4_2.74.2.bb | 1 +
2 files changed, 61 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch
new file mode 100644
index 0000000000..37ab16dc05
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch
@@ -0,0 +1,60 @@
+From c9083869ec2a3037e6df4bd86b45c419ba295f8e Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Thu, 26 Dec 2024 18:31:42 -0600
+Subject: [PATCH] soup_header_parse_quality_list: Fix leak
+
+When iterating over the parsed list we now steal the allocated strings that we want and then free_full the list which may contain remaining strings.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/c9083869ec2a3037e6df4bd86b45c419ba295f8e]
+CVE: CVE-2025-46420
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ libsoup/soup-headers.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index a5f7a7f6..85385cea 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -530,7 +530,7 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
+ GSList *unsorted;
+ QualityItem *array;
+ GSList *sorted, *iter;
+- char *item, *semi;
++ char *semi;
+ const char *param, *equal, *value;
+ double qval;
+ int n;
+@@ -543,9 +543,8 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
+ unsorted = soup_header_parse_list (header);
+ array = g_new0 (QualityItem, g_slist_length (unsorted));
+ for (iter = unsorted, n = 0; iter; iter = iter->next) {
+- item = iter->data;
+ qval = 1.0;
+- for (semi = strchr (item, ';'); semi; semi = strchr (semi + 1, ';')) {
++ for (semi = strchr (iter->data, ';'); semi; semi = strchr (semi + 1, ';')) {
+ param = skip_lws (semi + 1);
+ if (*param != 'q')
+ continue;
+@@ -577,15 +576,15 @@ soup_header_parse_quality_list (const char *header, GSList **unacceptable)
+ if (qval == 0.0) {
+ if (unacceptable) {
+ *unacceptable = g_slist_prepend (*unacceptable,
+- item);
++ g_steal_pointer (&iter->data));
+ }
+ } else {
+- array[n].item = item;
++ array[n].item = g_steal_pointer (&iter->data);
+ array[n].qval = qval;
+ n++;
+ }
+ }
+- g_slist_free (unsorted);
++ g_slist_free_full (unsorted, g_free);
+
+ qsort (array, n, sizeof (QualityItem), sort_by_qval);
+ sorted = NULL;
+--
+GitLab
+
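Review bot: the header of the added CVE-2025-46420.patch has no `---` line between `Signed-off-by: Ashish Sharma` and the diffstat `libsoup/soup-headers.c | 11 +++++------`, unlike the other patches in this series, so the diffstat reads as part of the commit message; please add the separator. The hunks themselves look consistent: every string that is kept is taken with `g_steal_pointer (&iter->data)`, which leaves NULL in the list node, so `g_slist_free_full (unsorted, g_free)` frees only the entries that were not handed to `array` or `*unacceptable` (the `qval == 0.0` case with a NULL `unacceptable`).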
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index 00f7fea41a..f04d9b2966 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -22,6 +22,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32906-1.patch \
file://CVE-2025-32906-2.patch \
file://CVE-2025-32909.patch \
+ file://CVE-2025-46420.patch \
"
SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"
--
2.43.0
* [OE-core][kirkstone 05/12] libsoup-2.4: Fix CVE-2025-32910
From: Steve Sakoman @ 2025-05-24 13:36 UTC
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
import patch from debian to fix
CVE-2025-32910
Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe
&
https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a
&
https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
Reference:
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417
https://security-tracker.debian.org/tracker/CVE-2025-32910
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup-2.4/CVE-2025-32910-1.patch | 97 ++++++++++++
.../libsoup-2.4/CVE-2025-32910-2.patch | 148 ++++++++++++++++++
.../libsoup-2.4/CVE-2025-32910-3.patch | 26 +++
.../libsoup/libsoup-2.4_2.74.2.bb | 3 +
4 files changed, 274 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
new file mode 100644
index 0000000000..de4faf5380
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
@@ -0,0 +1,97 @@
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Sun, 8 Dec 2024 20:00:35 -0600
+Subject: auth-digest: Handle missing realm in authenticate header
+
+(cherry picked from commit e40df6d48a1cbab56f5d15016cc861a503423cfe)
+
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-1.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 3 +++
+ tests/auth-test.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index e8ba990..263a15a 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ guint qop_options;
+ gboolean ok = TRUE;
+
++ if (!soup_auth_get_realm (auth))
++ return FALSE;
++
+ g_free (priv->domain);
+ g_free (priv->nonce);
+ g_free (priv->opaque);
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 8295ec3..dfc6b09 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1549,6 +1549,55 @@ do_cancel_after_retry_test (void)
+ soup_test_session_abort_unref (session);
+ }
+
++static void
++on_request_read_for_missing_realm (SoupServer *server,
++ SoupServerMessage *msg,
++ gpointer user_data)
++{
++ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
++ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
++}
++
++static void
++do_missing_realm_test (void)
++{
++ SoupSession *session;
++ SoupMessage *msg;
++ SoupServer *server;
++ SoupAuthDomain *digest_auth_domain;
++ gint status;
++ GUri *uri;
++
++ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
++ soup_server_add_handler (server, NULL,
++ server_callback, NULL, NULL);
++ uri = soup_test_server_get_uri (server, "http", NULL);
++
++ digest_auth_domain = soup_auth_domain_digest_new (
++ "realm", "auth-test",
++ "auth-callback", server_digest_auth_callback,
++ NULL);
++ soup_auth_domain_add_path (digest_auth_domain, "/");
++ soup_server_add_auth_domain (server, digest_auth_domain);
++ g_object_unref (digest_auth_domain);
++
++ g_signal_connect (server, "request-read",
++ G_CALLBACK (on_request_read_for_missing_realm),
++ NULL);
++
++ session = soup_test_session_new (NULL);
++ msg = soup_message_new_from_uri ("GET", uri);
++ g_signal_connect (msg, "authenticate",
++ G_CALLBACK (on_digest_authenticate),
++ NULL);
++
++ status = soup_test_session_send_message (session, msg);
++
++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
++ g_uri_unref (uri);
++ soup_test_server_quit_unref (server);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -1576,6 +1625,7 @@ main (int argc, char **argv)
+ g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
+ g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
+ g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
++ g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
+
+ ret = g_test_run ();
+
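Review bot: the tests/auth-test.c hunk uses `SoupServerMessage` and `soup_server_message_get_response_headers`, which are libsoup 3 names, while this recipe is libsoup-2.4 2.74.2; the build failure reported later in this thread (`unknown type name 'SoupServerMessage'` at auth-test.c:1554) points at exactly these added lines. Either drop the test hunk from the backport and keep only the `soup_auth_get_realm` check in soup-auth-digest.c, or port the test to the 2.4 types before it goes in.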
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
new file mode 100644
index 0000000000..0d72afa1d6
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
@@ -0,0 +1,148 @@
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Thu, 26 Dec 2024 18:18:35 -0600
+Subject: auth-digest: Handle missing nonce
+
+(cherry picked from commit 405a8a34597a44bd58c4759e7d5e23f02c3b556a)
+
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-2.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++++++++----------
+ tests/auth-test.c | 19 +++++++++++--------
+ 2 files changed, 46 insertions(+), 18 deletions(-)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 263a15a..393adb6 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
+ return g_string_free (out, FALSE);
+ }
+
++static gboolean
++validate_params (SoupAuthDigest *auth_digest)
++{
++ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
++
++ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
++ if (!priv->nonce)
++ return FALSE;
++ }
++
++ return TRUE;
++}
++
+ static gboolean
+ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ GHashTable *auth_params)
+@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ if (priv->algorithm == -1)
+ ok = FALSE;
+
+- stale = g_hash_table_lookup (auth_params, "stale");
+- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+- recompute_hex_a1 (priv);
+- else {
+- g_free (priv->user);
+- priv->user = NULL;
+- g_free (priv->cnonce);
+- priv->cnonce = NULL;
+- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
++ if (!validate_params (auth_digest))
++ ok = FALSE;
++
++ if (ok) {
++ stale = g_hash_table_lookup (auth_params, "stale");
++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
++ recompute_hex_a1 (priv);
++ else {
++ g_free (priv->user);
++ priv->user = NULL;
++ g_free (priv->cnonce);
++ priv->cnonce = NULL;
++ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
++ }
+ }
+
+ return ok;
+@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp,
+
+ /* In MD5-sess, A1 is hex_urp:nonce:cnonce */
+
++ g_assert (nonce && cnonce);
++
+ checksum = g_checksum_new (G_CHECKSUM_MD5);
+ g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
+ g_checksum_update (checksum, (guchar *)":", 1);
+@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char *method,
+ if (qop) {
+ char tmp[9];
+
++ g_assert (cnonce);
++
+ g_snprintf (tmp, 9, "%.8x", nc);
+ g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
+ g_checksum_update (checksum, (guchar *)":", 1);
+@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
+ g_return_val_if_fail (uri != NULL, NULL);
+ url = soup_uri_to_string (uri, TRUE);
+
++ g_assert (priv->nonce);
++ g_assert (!priv->qop || priv->cnonce);
++
+ soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
+ priv->qop, priv->nonce,
+ priv->cnonce, priv->nc,
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index dfc6b09..6fb1e4a 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void)
+ }
+
+ static void
+-on_request_read_for_missing_realm (SoupServer *server,
+- SoupServerMessage *msg,
+- gpointer user_data)
++on_request_read_for_missing_params (SoupServer *server,
++ SoupServerMessage *msg,
++ gpointer user_data)
+ {
++ const char *auth_header = user_data;
+ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
++ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
+ }
+
+ static void
+-do_missing_realm_test (void)
++do_missing_params_test (gconstpointer auth_header)
+ {
+ SoupSession *session;
+ SoupMessage *msg;
+@@ -1582,8 +1583,8 @@ do_missing_realm_test (void)
+ g_object_unref (digest_auth_domain);
+
+ g_signal_connect (server, "request-read",
+- G_CALLBACK (on_request_read_for_missing_realm),
+- NULL);
++ G_CALLBACK (on_request_read_for_missing_params),
++ (gpointer)auth_header);
+
+ session = soup_test_session_new (NULL);
+ msg = soup_message_new_from_uri ("GET", uri);
+@@ -1625,7 +1626,9 @@ main (int argc, char **argv)
+ g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
+ g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
+ g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
+- g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
++ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
++ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
++ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
+
+ ret = g_test_run ();
+
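Review bot: `validate_params` requires `priv->nonce` only when `priv->qop` is set or the algorithm is MD5-sess, but the soup_auth_digest_get_authorization hunk adds an unconditional `g_assert (priv->nonce)`, so from the visible lines a challenge with no qop, plain MD5 and no nonce would pass validation and later reach the assert. Consider rejecting a missing nonce unconditionally in `validate_params`, or confirm that another check covers this case. The tests/auth-test.c hunk here has the same `SoupServerMessage` dependency as the one in CVE-2025-32910-1.patch, and the nonce-md5-sess test string has no comma before `algorithm=`.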
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
new file mode 100644
index 0000000000..ab0f650804
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
@@ -0,0 +1,26 @@
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Fri, 27 Dec 2024 13:52:52 -0600
+Subject: auth-digest: Fix leak
+
+(cherry picked from commit ea16eeacb052e423eb5c3b0b705e5eab34b13832)
+
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-3.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 393adb6..a1db188 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object)
+ g_free (priv->nonce);
+ g_free (priv->domain);
+ g_free (priv->cnonce);
++ g_free (priv->opaque);
+
+ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
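Review bot: The message for this one-line change in soup_auth_digest_finalize says only "Fix leak", and the patch carries the CVE-2025-32910 tag without saying how the leak relates to it. Suggest naming the field (priv->opaque) in the message and stating that this is a follow-up to the two preceding auth-digest patches, so that someone auditing the CVE tag later can tell the security fix from the cleanup.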
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index f04d9b2966..517a8e4539 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -23,6 +23,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32906-2.patch \
file://CVE-2025-32909.patch \
file://CVE-2025-46420.patch \
+ file://CVE-2025-32910-1.patch \
+ file://CVE-2025-32910-2.patch \
+ file://CVE-2025-32910-3.patch \
"
SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"
--
2.43.0
* Re: [OE-core][kirkstone 05/12] libsoup-2.4: Fix CVE-2025-32910
2025-05-24 13:36 ` [OE-core][kirkstone 05/12] libsoup-2.4: Fix CVE-2025-32910 Steve Sakoman
@ 2025-06-03 7:56 ` Kumar, Praveen
2025-06-03 8:53 ` Vijay Anusuri
0 siblings, 1 reply; 17+ messages in thread
From: Kumar, Praveen @ 2025-06-03 7:56 UTC (permalink / raw)
To: steve@sakoman.com, vanusuri@mvista.com
Cc: openembedded-core@lists.openembedded.org
Hi,
I noticed that after this patch for CVE-2025-32910 was applied, the build fails for libsoup-2.74.2 when building core-image-sato.
The error is:
../libsoup-2.74.2/tests/auth-test.c:1554:39: error: unknown type name 'SoupServerMessage'; did you mean 'SoupServerClass'?
and something similar to it. If needed I can share the complete log file.
This issue does not happen with core-image-minimal, maybe because the test suite isn't built there.
When I revert this CVE patch, the error goes away, and the build works fine again.
Has anyone else seen this? Should I disable the test suite if it's not required?
Please suggest how we should fix it.
Thanks,
Praveen
________________________________
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
Sent: Saturday, May 24, 2025 7:06 PM
To: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: [OE-core][kirkstone 05/12] libsoup-2.4: Fix CVE-2025-32910
From: Vijay Anusuri <vanusuri@mvista.com>
import patch from debian to fix
CVE-2025-32910
Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe
&
https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a
&
https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
Reference:
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417
https://security-tracker.debian.org/tracker/CVE-2025-32910
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup-2.4/CVE-2025-32910-1.patch | 97 ++++++++++++
.../libsoup-2.4/CVE-2025-32910-2.patch | 148 ++++++++++++++++++
.../libsoup-2.4/CVE-2025-32910-3.patch | 26 +++
.../libsoup/libsoup-2.4_2.74.2.bb | 3 +
4 files changed, 274 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
new file mode 100644
index 0000000000..de4faf5380
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
@@ -0,0 +1,97 @@
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Sun, 8 Dec 2024 20:00:35 -0600
+Subject: auth-digest: Handle missing realm in authenticate header
+
+(cherry picked from commit e40df6d48a1cbab56f5d15016cc861a503423cfe)
+
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-1.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 3 +++
+ tests/auth-test.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index e8ba990..263a15a 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ guint qop_options;
+ gboolean ok = TRUE;
+
++ if (!soup_auth_get_realm (auth))
++ return FALSE;
++
+ g_free (priv->domain);
+ g_free (priv->nonce);
+ g_free (priv->opaque);
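Review bot: The new realm check in soup_auth_digest_update returns before the g_free calls on priv->domain, priv->nonce and priv->opaque, so a challenge without a realm leaves whatever an earlier challenge stored in place, while the rest of the function reports failure through the ok variable declared just above. A short comment stating that keeping the old state is intended, or setting ok = FALSE instead of returning early, would make the failure paths easier to reason about.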
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 8295ec3..dfc6b09 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1549,6 +1549,55 @@ do_cancel_after_retry_test (void)
+ soup_test_session_abort_unref (session);
+ }
+
++static void
++on_request_read_for_missing_realm (SoupServer *server,
++ SoupServerMessage *msg,
++ gpointer user_data)
++{
++ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
++ soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
++}
++
++static void
++do_missing_realm_test (void)
++{
++ SoupSession *session;
++ SoupMessage *msg;
++ SoupServer *server;
++ SoupAuthDomain *digest_auth_domain;
++ gint status;
++ GUri *uri;
++
++ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
++ soup_server_add_handler (server, NULL,
++ server_callback, NULL, NULL);
++ uri = soup_test_server_get_uri (server, "http", NULL);
++
++ digest_auth_domain = soup_auth_domain_digest_new (
++ "realm", "auth-test",
++ "auth-callback", server_digest_auth_callback,
++ NULL);
++ soup_auth_domain_add_path (digest_auth_domain, "/");
++ soup_server_add_auth_domain (server, digest_auth_domain);
++ g_object_unref (digest_auth_domain);
++
++ g_signal_connect (server, "request-read",
++ G_CALLBACK (on_request_read_for_missing_realm),
++ NULL);
++
++ session = soup_test_session_new (NULL);
++ msg = soup_message_new_from_uri ("GET", uri);
++ g_signal_connect (msg, "authenticate",
++ G_CALLBACK (on_digest_authenticate),
++ NULL);
++
++ status = soup_test_session_send_message (session, msg);
++
++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
++ g_uri_unref (uri);
++ soup_test_server_quit_unref (server);
++}
++
+ int
+ main (int argc, char **argv)
+ {
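Review bot: on_request_read_for_missing_realm takes a SoupServerMessage, which the compiler error reported in this thread (auth-test.c:1554, unknown type name 'SoupServerMessage') shows 2.74.2 does not declare; soup_server_message_get_response_headers and the GUri returned from soup_test_server_get_uri look like they come from the same newer API. Suggest dropping the tests/auth-test.c part from the backport or porting it to the types this branch has before it is merged. Separately, do_missing_realm_test releases only uri and server at the end; session and msg are never released.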
+@@ -1576,6 +1625,7 @@ main (int argc, char **argv)
+ g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
+ g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
+ g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
++ g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
+
+ ret = g_test_run ();
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
new file mode 100644
index 0000000000..0d72afa1d6
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
@@ -0,0 +1,148 @@
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Thu, 26 Dec 2024 18:18:35 -0600
+Subject: auth-digest: Handle missing nonce
+
+(cherry picked from commit 405a8a34597a44bd58c4759e7d5e23f02c3b556a)
+
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-2.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++++++++----------
+ tests/auth-test.c | 19 +++++++++++--------
+ 2 files changed, 46 insertions(+), 18 deletions(-)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 263a15a..393adb6 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
+ return g_string_free (out, FALSE);
+ }
+
++static gboolean
++validate_params (SoupAuthDigest *auth_digest)
++{
++ SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
++
++ if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
++ if (!priv->nonce)
++ return FALSE;
++ }
++
++ return TRUE;
++}
++
+ static gboolean
+ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ GHashTable *auth_params)
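Review bot: validate_params requires priv->nonce only when priv->qop is set or the algorithm is MD5-sess, but the soup_auth_digest_get_authorization hunk later in this patch adds an unconditional g_assert (priv->nonce). The two conditions differ: if a challenge with neither qop nor nonce can get as far as get_authorization, it passes this check and then hits the assertion. Suggest requiring the nonce here regardless of qop, or making the later check conditional in the same way.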
+@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ if (priv->algorithm == -1)
+ ok = FALSE;
+
+- stale = g_hash_table_lookup (auth_params, "stale");
+- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+- recompute_hex_a1 (priv);
+- else {
+- g_free (priv->user);
+- priv->user = NULL;
+- g_free (priv->cnonce);
+- priv->cnonce = NULL;
+- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
++ if (!validate_params (auth_digest))
++ ok = FALSE;
++
++ if (ok) {
++ stale = g_hash_table_lookup (auth_params, "stale");
++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
++ recompute_hex_a1 (priv);
++ else {
++ g_free (priv->user);
++ priv->user = NULL;
++ g_free (priv->cnonce);
++ priv->cnonce = NULL;
++ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
++ }
+ }
+
+ return ok;
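Review bot: With the reset moved under if (ok), a rejected challenge (priv->algorithm == -1, or validate_params returning FALSE) no longer clears priv->user, priv->cnonce, priv->hex_urp and priv->hex_a1, which the old else branch did for every non-stale update. If keeping the previous credential hashes in place after a failed update is deliberate, a comment should say so; otherwise clear them on the !ok path as well.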
+@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char *hex_urp,
+
+ /* In MD5-sess, A1 is hex_urp:nonce:cnonce */
+
++ g_assert (nonce && cnonce);
++
+ checksum = g_checksum_new (G_CHECKSUM_MD5);
+ g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
+ g_checksum_update (checksum, (guchar *)":", 1);
+@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char *method,
+ if (qop) {
+ char tmp[9];
+
++ g_assert (cnonce);
++
+ g_snprintf (tmp, 9, "%.8x", nc);
+ g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
+ g_checksum_update (checksum, (guchar *)":", 1);
+@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
+ g_return_val_if_fail (uri != NULL, NULL);
+ url = soup_uri_to_string (uri, TRUE);
+
++ g_assert (priv->nonce);
++ g_assert (!priv->qop || priv->cnonce);
++
+ soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
+ priv->qop, priv->nonce,
+ priv->cnonce, priv->nc,
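Review bot: The two g_assert calls added before soup_auth_digest_compute_response abort the process, while the line just above them handles a NULL uri with g_return_val_if_fail (uri != NULL, NULL). priv->nonce comes from the server's challenge, so returning NULL here in the same style would keep a malformed header from taking the client down if validate_params ever lets one through.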
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index dfc6b09..6fb1e4a 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void)
+ }
+
+ static void
+-on_request_read_for_missing_realm (SoupServer *server,
+- SoupServerMessage *msg,
+- gpointer user_data)
++on_request_read_for_missing_params (SoupServer *server,
++ SoupServerMessage *msg,
++ gpointer user_data)
+ {
++ const char *auth_header = user_data;
+ SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+- soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
++ soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
+ }
+
+ static void
+-do_missing_realm_test (void)
++do_missing_params_test (gconstpointer auth_header)
+ {
+ SoupSession *session;
+ SoupMessage *msg;
+@@ -1582,8 +1583,8 @@ do_missing_realm_test (void)
+ g_object_unref (digest_auth_domain);
+
+ g_signal_connect (server, "request-read",
+- G_CALLBACK (on_request_read_for_missing_realm),
+- NULL);
++ G_CALLBACK (on_request_read_for_missing_params),
++ (gpointer)auth_header);
+
+ session = soup_test_session_new (NULL);
+ msg = soup_message_new_from_uri ("GET", uri);
+@@ -1625,7 +1626,9 @@ main (int argc, char **argv)
+ g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
+ g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
+ g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
+- g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
++ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
++ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
++ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
+
+ ret = g_test_run ();
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
new file mode 100644
index 0000000000..ab0f650804
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
@@ -0,0 +1,26 @@
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Fri, 27 Dec 2024 13:52:52 -0600
+Subject: auth-digest: Fix leak
+
+(cherry picked from commit ea16eeacb052e423eb5c3b0b705e5eab34b13832)
+
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-3.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 393adb6..a1db188 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object)
+ g_free (priv->nonce);
+ g_free (priv->domain);
+ g_free (priv->cnonce);
++ g_free (priv->opaque);
+
+ memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index f04d9b2966..517a8e4539 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -23,6 +23,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32906-2.patch \
file://CVE-2025-32909.patch \
file://CVE-2025-46420.patch \
+ file://CVE-2025-32910-1.patch \
+ file://CVE-2025-32910-2.patch \
+ file://CVE-2025-32910-3.patch \
"
SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"
--
2.43.0
* Re: [OE-core][kirkstone 05/12] libsoup-2.4: Fix CVE-2025-32910
2025-06-03 7:56 ` Kumar, Praveen
@ 2025-06-03 8:53 ` Vijay Anusuri
0 siblings, 0 replies; 17+ messages in thread
From: Vijay Anusuri @ 2025-06-03 8:53 UTC (permalink / raw)
To: Kumar, Praveen
Cc: steve@sakoman.com, openembedded-core@lists.openembedded.org
Hi Praveen,
I have sent a patch to fix the auth-test failure.
https://patchwork.yoctoproject.org/project/oe-core/list/?series=35075
Thanks & Regards,
Vijay
On Tue, Jun 3, 2025 at 1:26 PM Kumar, Praveen <Praveen.Kumar@windriver.com>
wrote:
> Hi,
>
> I noticed that after this patch for CVE-2025-32910 was applied, the build
> fails for libsoup-2.74.2 when building core-image-sato.
>
> The error is:
> *../libsoup-2.74.2/tests/auth-test.c:1554:39: error: unknown type name
> 'SoupServerMessage'; did you mean 'SoupServerClass'?*
>
> and something similar to it. If needed I can share the complete log file.
>
> This issue does not happen with core-image-minimal, maybe because the
> test suite isn't built there.
>
> When I revert this CVE patch, the error goes away, and the build works
> fine again.
>
> Has anyone else seen this? Should I disable the test suite if it's not
> required?
> Please suggest how we should fix it.
>
> Thanks,
> Praveen
>
>
> ------------------------------
> *From:* openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org> on behalf of Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> *Sent:* Saturday, May 24, 2025 7:06 PM
> *To:* openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org>
> *Subject:* [OE-core][kirkstone 05/12] libsoup-2.4: Fix CVE-2025-32910
>
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> import patch from debian to fix
> CVE-2025-32910
>
> Upstream-Status: Backport [import from debian
> https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads
> Upstream commit
> https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe
> &
>
> https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a
> &
>
> https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
>
> Reference:
> https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417
> https://security-tracker.debian.org/tracker/CVE-2025-32910
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
> .../libsoup-2.4/CVE-2025-32910-1.patch | 97 ++++++++++++
> .../libsoup-2.4/CVE-2025-32910-2.patch | 148 ++++++++++++++++++
> .../libsoup-2.4/CVE-2025-32910-3.patch | 26 +++
> .../libsoup/libsoup-2.4_2.74.2.bb | 3 +
> 4 files changed, 274 insertions(+)
> create mode 100644
> meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
> create mode 100644
> meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
> create mode 100644
> meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
>
> diff --git
> a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
> b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
> new file mode 100644
> index 0000000000..de4faf5380
> --- /dev/null
> +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
> @@ -0,0 +1,97 @@
> +From: Patrick Griffis <pgriffis@igalia.com>
> +Date: Sun, 8 Dec 2024 20:00:35 -0600
> +Subject: auth-digest: Handle missing realm in authenticate header
> +
> +(cherry picked from commit e40df6d48a1cbab56f5d15016cc861a503423cfe)
> +
> +Upstream-Status: Backport [import from debian
> https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-1.patch?ref_type=heads
> +Upstream commit
> https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe]
> +CVE: CVE-2025-32910
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + libsoup/soup-auth-digest.c | 3 +++
> + tests/auth-test.c | 50
> ++++++++++++++++++++++++++++++++++++++++++++++
> + 2 files changed, 53 insertions(+)
> +
> +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
> +index e8ba990..263a15a 100644
> +--- a/libsoup/soup-auth-digest.c
> ++++ b/libsoup/soup-auth-digest.c
> +@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage
> *msg,
> + guint qop_options;
> + gboolean ok = TRUE;
> +
> ++ if (!soup_auth_get_realm (auth))
> ++ return FALSE;
> ++
> + g_free (priv->domain);
> + g_free (priv->nonce);
> + g_free (priv->opaque);
> +diff --git a/tests/auth-test.c b/tests/auth-test.c
> +index 8295ec3..dfc6b09 100644
> +--- a/tests/auth-test.c
> ++++ b/tests/auth-test.c
> +@@ -1549,6 +1549,55 @@ do_cancel_after_retry_test (void)
> + soup_test_session_abort_unref (session);
> + }
> +
> ++static void
> ++on_request_read_for_missing_realm (SoupServer *server,
> ++ SoupServerMessage *msg,
> ++ gpointer user_data)
> ++{
> ++ SoupMessageHeaders *response_headers =
> soup_server_message_get_response_headers (msg);
> ++ soup_message_headers_replace (response_headers,
> "WWW-Authenticate", "Digest qop=\"auth\"");
> ++}
> ++
> ++static void
> ++do_missing_realm_test (void)
> ++{
> ++ SoupSession *session;
> ++ SoupMessage *msg;
> ++ SoupServer *server;
> ++ SoupAuthDomain *digest_auth_domain;
> ++ gint status;
> ++ GUri *uri;
> ++
> ++ server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
> ++ soup_server_add_handler (server, NULL,
> ++ server_callback, NULL, NULL);
> ++ uri = soup_test_server_get_uri (server, "http", NULL);
> ++
> ++ digest_auth_domain = soup_auth_domain_digest_new (
> ++ "realm", "auth-test",
> ++ "auth-callback", server_digest_auth_callback,
> ++ NULL);
> ++ soup_auth_domain_add_path (digest_auth_domain, "/");
> ++ soup_server_add_auth_domain (server, digest_auth_domain);
> ++ g_object_unref (digest_auth_domain);
> ++
> ++ g_signal_connect (server, "request-read",
> ++ G_CALLBACK (on_request_read_for_missing_realm),
> ++ NULL);
> ++
> ++ session = soup_test_session_new (NULL);
> ++ msg = soup_message_new_from_uri ("GET", uri);
> ++ g_signal_connect (msg, "authenticate",
> ++ G_CALLBACK (on_digest_authenticate),
> ++ NULL);
> ++
> ++ status = soup_test_session_send_message (session, msg);
> ++
> ++ g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
> ++ g_uri_unref (uri);
> ++ soup_test_server_quit_unref (server);
> ++}
> ++
> + int
> + main (int argc, char **argv)
> + {
> +@@ -1576,6 +1625,7 @@ main (int argc, char **argv)
> + g_test_add_func ("/auth/async-message-do-not-use-auth-cache",
> do_async_message_do_not_use_auth_cache_test);
> + g_test_add_func ("/auth/authorization-header-request",
> do_message_has_authorization_header_test);
> + g_test_add_func ("/auth/cancel-after-retry",
> do_cancel_after_retry_test);
> ++ g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
> +
> + ret = g_test_run ();
> +
> diff --git
> a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
> b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
> new file mode 100644
> index 0000000000..0d72afa1d6
> --- /dev/null
> +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
> @@ -0,0 +1,148 @@
> +From: Patrick Griffis <pgriffis@igalia.com>
> +Date: Thu, 26 Dec 2024 18:18:35 -0600
> +Subject: auth-digest: Handle missing nonce
> +
> +(cherry picked from commit 405a8a34597a44bd58c4759e7d5e23f02c3b556a)
> +
> +Upstream-Status: Backport [import from debian
> https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-2.patch?ref_type=heads
> +Upstream commit
> https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a]
> +CVE: CVE-2025-32910
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + libsoup/soup-auth-digest.c | 45
> +++++++++++++++++++++++++++++++++++----------
> + tests/auth-test.c | 19 +++++++++++--------
> + 2 files changed, 46 insertions(+), 18 deletions(-)
> +
> +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
> +index 263a15a..393adb6 100644
> +--- a/libsoup/soup-auth-digest.c
> ++++ b/libsoup/soup-auth-digest.c
> +@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
> + return g_string_free (out, FALSE);
> + }
> +
> ++static gboolean
> ++validate_params (SoupAuthDigest *auth_digest)
> ++{
> ++ SoupAuthDigestPrivate *priv =
> soup_auth_digest_get_instance_private (auth_digest);
> ++
> ++ if (priv->qop || priv->algorithm ==
> SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
> ++ if (!priv->nonce)
> ++ return FALSE;
> ++ }
> ++
> ++ return TRUE;
> ++}
> ++
> + static gboolean
> + soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
> + GHashTable *auth_params)
> +@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth,
> SoupMessage *msg,
> + if (priv->algorithm == -1)
> + ok = FALSE;
> +
> +- stale = g_hash_table_lookup (auth_params, "stale");
> +- if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
> +- recompute_hex_a1 (priv);
> +- else {
> +- g_free (priv->user);
> +- priv->user = NULL;
> +- g_free (priv->cnonce);
> +- priv->cnonce = NULL;
> +- memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
> +- memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
> ++ if (!validate_params (auth_digest))
> ++ ok = FALSE;
> ++
> ++ if (ok) {
> ++ stale = g_hash_table_lookup (auth_params, "stale");
> ++ if (stale && !g_ascii_strcasecmp (stale, "TRUE") &&
> *priv->hex_urp)
> ++ recompute_hex_a1 (priv);
> ++ else {
> ++ g_free (priv->user);
> ++ priv->user = NULL;
> ++ g_free (priv->cnonce);
> ++ priv->cnonce = NULL;
> ++ memset (priv->hex_urp, 0, sizeof
> (priv->hex_urp));
> ++ memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
> ++ }
> + }
> +
> + return ok;
> +@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const
> char *hex_urp,
> +
> + /* In MD5-sess, A1 is hex_urp:nonce:cnonce */
> +
> ++ g_assert (nonce && cnonce);
> ++
> + checksum = g_checksum_new (G_CHECKSUM_MD5);
> + g_checksum_update (checksum, (guchar *)hex_urp, strlen
> (hex_urp));
> + g_checksum_update (checksum, (guchar *)":", 1);
> +@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char
> *method,
> + if (qop) {
> + char tmp[9];
> +
> ++ g_assert (cnonce);
> ++
> + g_snprintf (tmp, 9, "%.8x", nc);
> + g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
> + g_checksum_update (checksum, (guchar *)":", 1);
> +@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth,
> SoupMessage *msg)
> + g_return_val_if_fail (uri != NULL, NULL);
> + url = soup_uri_to_string (uri, TRUE);
> +
> ++ g_assert (priv->nonce);
> ++ g_assert (!priv->qop || priv->cnonce);
> ++
> + soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
> + priv->qop, priv->nonce,
> + priv->cnonce, priv->nc,
> +diff --git a/tests/auth-test.c b/tests/auth-test.c
> +index dfc6b09..6fb1e4a 100644
> +--- a/tests/auth-test.c
> ++++ b/tests/auth-test.c
> +@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void)
> + }
> +
> + static void
> +-on_request_read_for_missing_realm (SoupServer *server,
> +- SoupServerMessage *msg,
> +- gpointer user_data)
> ++on_request_read_for_missing_params (SoupServer *server,
> ++ SoupServerMessage *msg,
> ++ gpointer user_data)
> + {
> ++ const char *auth_header = user_data;
> + SoupMessageHeaders *response_headers =
> soup_server_message_get_response_headers (msg);
> +- soup_message_headers_replace (response_headers,
> "WWW-Authenticate", "Digest qop=\"auth\"");
> ++ soup_message_headers_replace (response_headers,
> "WWW-Authenticate", auth_header);
> + }
> +
> + static void
> +-do_missing_realm_test (void)
> ++do_missing_params_test (gconstpointer auth_header)
> + {
> + SoupSession *session;
> + SoupMessage *msg;
> +@@ -1582,8 +1583,8 @@ do_missing_realm_test (void)
> + g_object_unref (digest_auth_domain);
> +
> + g_signal_connect (server, "request-read",
> +- G_CALLBACK (on_request_read_for_missing_realm),
> +- NULL);
> ++ G_CALLBACK
> (on_request_read_for_missing_params),
> ++ (gpointer)auth_header);
> +
> + session = soup_test_session_new (NULL);
> + msg = soup_message_new_from_uri ("GET", uri);
> +@@ -1625,7 +1626,9 @@ main (int argc, char **argv)
> + g_test_add_func ("/auth/async-message-do-not-use-auth-cache",
> do_async_message_do_not_use_auth_cache_test);
> + g_test_add_func ("/auth/authorization-header-request",
> do_message_has_authorization_header_test);
> + g_test_add_func ("/auth/cancel-after-retry",
> do_cancel_after_retry_test);
> +- g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
> ++ g_test_add_data_func ("/auth/missing-params/realm", "Digest
> qop=\"auth\"", do_missing_params_test);
> ++ g_test_add_data_func ("/auth/missing-params/nonce", "Digest
> realm=\"auth-test\", qop=\"auth,auth-int\",
> opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
> ++ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess",
> "Digest realm=\"auth-test\", qop=\"auth,auth-int\",
> opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"",
> do_missing_params_test);
> +
> + ret = g_test_run ();
> +
> diff --git
> a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
> b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
> new file mode 100644
> index 0000000000..ab0f650804
> --- /dev/null
> +++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
> @@ -0,0 +1,26 @@
> +From: Patrick Griffis <pgriffis@igalia.com>
> +Date: Fri, 27 Dec 2024 13:52:52 -0600
> +Subject: auth-digest: Fix leak
> +
> +(cherry picked from commit ea16eeacb052e423eb5c3b0b705e5eab34b13832)
> +
> +Upstream-Status: Backport [import from debian
> https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-3.patch?ref_type=heads
> +Upstream commit
> https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
> +CVE: CVE-2025-32910
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + libsoup/soup-auth-digest.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
> +index 393adb6..a1db188 100644
> +--- a/libsoup/soup-auth-digest.c
> ++++ b/libsoup/soup-auth-digest.c
> +@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object)
> + g_free (priv->nonce);
> + g_free (priv->domain);
> + g_free (priv->cnonce);
> ++ g_free (priv->opaque);
> +
> + memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
> + memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
> diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
> b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
> index f04d9b2966..517a8e4539 100644
> --- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
> +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
> @@ -23,6 +23,9 @@ SRC_URI =
> "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
> file://CVE-2025-32906-2.patch \
> file://CVE-2025-32909.patch \
> file://CVE-2025-46420.patch \
> + file://CVE-2025-32910-1.patch \
> + file://CVE-2025-32910-2.patch \
> + file://CVE-2025-32910-3.patch \
> "
> SRC_URI[sha256sum] =
> "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"
>
> --
> 2.43.0
>
>
* [OE-core][kirkstone 06/12] libsoup-2.4: Fix CVE-2025-32911 & CVE-2025-32913
2025-05-24 13:36 [OE-core][kirkstone 00/12] Patch review Steve Sakoman
` (4 preceding siblings ...)
2025-05-24 13:36 ` [OE-core][kirkstone 05/12] libsoup-2.4: Fix CVE-2025-32910 Steve Sakoman
@ 2025-05-24 13:36 ` Steve Sakoman
2025-05-24 13:36 ` [OE-core][kirkstone 07/12] libsoup-2.4: Fix CVE-2025-32912 Steve Sakoman
` (5 subsequent siblings)
11 siblings, 0 replies; 17+ messages in thread
From: Steve Sakoman @ 2025-05-24 13:36 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from
https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34
& https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../CVE-2025-32911_CVE-2025-32913-1.patch | 72 +++++++++++++++++++
.../CVE-2025-32911_CVE-2025-32913-2.patch | 44 ++++++++++++
.../libsoup/libsoup-2.4_2.74.2.bb | 2 +
3 files changed, 118 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch
new file mode 100644
index 0000000000..4652635294
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch
@@ -0,0 +1,72 @@
+From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Fri, 27 Dec 2024 17:53:50 -0600
+Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL deref
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34]
+CVE: CVE-2025-32911 CVE-2025-32913 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-message-headers.c | 13 +++++++++----
+ tests/header-parsing-test.c | 14 ++++++++++++++
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
+index 56cc1e9d..04f4c302 100644
+--- a/libsoup/soup-message-headers.c
++++ b/libsoup/soup-message-headers.c
+@@ -1660,10 +1660,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
+ */
+ if (params && g_hash_table_lookup_extended (*params, "filename",
+ &orig_key, &orig_value)) {
+- char *filename = strrchr (orig_value, '/');
+-
+- if (filename)
+- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
++ if (orig_value) {
++ char *filename = strrchr (orig_value, '/');
++
++ if (filename)
++ g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
++ } else {
++ /* filename with no value isn't valid. */
++ g_hash_table_remove (*params, "filename");
++ }
+ }
+ return TRUE;
+ }
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 5e423d2b..d0b360c8 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -1039,6 +1039,7 @@ do_param_list_tests (void)
+ #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\""
+ #define RFC5987_TEST_HEADER_NO_TYPE "filename=\"test.txt\""
+ #define RFC5987_TEST_HEADER_NO_TYPE_2 "filename=\"test.txt\"; foo=bar"
++#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename"
+
+ static void
+ do_content_disposition_tests (void)
+@@ -1139,6 +1140,19 @@ do_content_disposition_tests (void)
+ g_assert_cmpstr (parameter2, ==, "bar");
+ g_hash_table_destroy (params);
+
++ /* Empty filename */
++ soup_message_headers_clear (hdrs);
++ soup_message_headers_append (hdrs, "Content-Disposition",
++ RFC5987_TEST_HEADER_EMPTY_FILENAME);
++ if (!soup_message_headers_get_content_disposition (hdrs,
++ &disposition,
++ ¶ms)) {
++ soup_test_assert (FALSE, "empty filename decoding FAILED");
++ return;
++ }
++ g_assert_false (g_hash_table_contains (params, "filename"));
++ g_hash_table_destroy (params);
++
+ soup_message_headers_free (hdrs);
+
+ /* Ensure that soup-multipart always quotes filename */
+--
+GitLab
+
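Review bot: In the libsoup/soup-message-headers.c change, the `if (filename)` branch still hands `filename + 1`, a pointer into the middle of `orig_value`, to `g_hash_table_insert ()`, so with this patch alone `*params` ends up owning a string it did not allocate. That is only corrected by CVE-2025-32911_CVE-2025-32913-2.patch, which wraps the value in `g_strdup ()`; please say in the patch header that -1 must not be carried without -2, since `#Dependency Patch` does not say which way the dependency runs. As rendered in this message the new test passes `¶ms` to soup_message_headers_get_content_disposition (); confirm the file in the tree reads `&params`.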
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch
new file mode 100644
index 0000000000..5d9f33c736
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch
@@ -0,0 +1,44 @@
+From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Fri, 27 Dec 2024 18:00:39 -0600
+Subject: [PATCH] soup_message_headers_get_content_disposition: strdup
+ truncated filenames
+
+This table frees the strings it contains.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0]
+CVE: CVE-2025-32911 CVE-2025-32913
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-message-headers.c | 2 +-
+ tests/header-parsing-test.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
+index 04f4c302..ee7a3cb1 100644
+--- a/libsoup/soup-message-headers.c
++++ b/libsoup/soup-message-headers.c
+@@ -1664,7 +1664,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders *hdrs,
+ char *filename = strrchr (orig_value, '/');
+
+ if (filename)
+- g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
++ g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1));
+ } else {
+ /* filename with no value isn't valid. */
+ g_hash_table_remove (*params, "filename");
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index d0b360c8..07ea2866 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -1150,6 +1150,7 @@ do_content_disposition_tests (void)
+ soup_test_assert (FALSE, "empty filename decoding FAILED");
+ return;
+ }
++ g_free (disposition);
+ g_assert_false (g_hash_table_contains (params, "filename"));
+ g_hash_table_destroy (params);
+
+--
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index 517a8e4539..4e7667402b 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -26,6 +26,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32910-1.patch \
file://CVE-2025-32910-2.patch \
file://CVE-2025-32910-3.patch \
+ file://CVE-2025-32911_CVE-2025-32913-1.patch \
+ file://CVE-2025-32911_CVE-2025-32913-2.patch \
"
SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"
--
2.43.0
* [OE-core][kirkstone 07/12] libsoup-2.4: Fix CVE-2025-32912
2025-05-24 13:36 [OE-core][kirkstone 00/12] Patch review Steve Sakoman
` (5 preceding siblings ...)
2025-05-24 13:36 ` [OE-core][kirkstone 06/12] libsoup-2.4: Fix CVE-2025-32911 & CVE-2025-32913 Steve Sakoman
@ 2025-05-24 13:36 ` Steve Sakoman
2025-05-24 13:36 ` [OE-core][kirkstone 08/12] libsoup-2.4: Fix CVE-2025-32914 Steve Sakoman
` (4 subsequent siblings)
11 siblings, 0 replies; 17+ messages in thread
From: Steve Sakoman @ 2025-05-24 13:36 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from
https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992
& https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup-2.4/CVE-2025-32912-1.patch | 41 +++++++++++++++++++
.../libsoup-2.4/CVE-2025-32912-2.patch | 30 ++++++++++++++
.../libsoup/libsoup-2.4_2.74.2.bb | 2 +
3 files changed, 73 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch
new file mode 100644
index 0000000000..2a6f37cb58
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch
@@ -0,0 +1,41 @@
+From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 5 Feb 2025 14:03:05 -0600
+Subject: [PATCH 1/2] auth-digest: Handle missing nonce
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992]
+CVE: CVE-2025-32912
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 2 +-
+ tests/auth-test.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index a1db188..f0edb81 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ guint qop_options;
+ gboolean ok = TRUE;
+
+- if (!soup_auth_get_realm (auth))
++ if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
+ return FALSE;
+
+ g_free (priv->domain);
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 6fb1e4a..343d7a5 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1629,6 +1629,7 @@ main (int argc, char **argv)
+ g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
+ g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
++ g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test);
+
+ ret = g_test_run ();
+
+--
+2.25.1
+
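Review bot: `g_hash_table_contains (auth_params, "nonce")` in soup_auth_digest_update () only rejects a challenge in which the key is absent; a `nonce` key that is present with a NULL value still passes the check, which is what CVE-2025-32912-2.patch corrects by switching to `g_hash_table_lookup ()`. The added `/auth/missing-params/nonce-and-qop` case exercises only the absent-key path, so the two patches should stay adjacent in SRC_URI and this one should not be picked on its own.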
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch
new file mode 100644
index 0000000000..4898068115
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch
@@ -0,0 +1,30 @@
+From 910ebdcd3dd82386717a201c13c834f3a63eed7f Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Sat, 8 Feb 2025 12:30:13 -0600
+Subject: [PATCH 2/2] digest-auth: Handle NULL nonce
+
+`contains` only handles a missing nonce, `lookup` handles both missing and empty.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f]
+CVE: CVE-2025-32912
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index f0edb81..c49ffd9 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ guint qop_options;
+ gboolean ok = TRUE;
+
+- if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
++ if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce"))
+ return FALSE;
+
+ g_free (priv->domain);
+--
+2.25.1
+
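Review bot: The change from `g_hash_table_contains ()` to `g_hash_table_lookup ()` arrives without a test: the diffstat touches only libsoup/soup-auth-digest.c, so the case this patch exists for (a `nonce` key whose value is NULL) is not exercised by tests/auth-test.c. An extra `do_missing_params_test` entry whose challenge carries `nonce` with no value would pin the behaviour for future backports.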
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index 4e7667402b..848ea6eb54 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -28,6 +28,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32910-3.patch \
file://CVE-2025-32911_CVE-2025-32913-1.patch \
file://CVE-2025-32911_CVE-2025-32913-2.patch \
+ file://CVE-2025-32912-1.patch \
+ file://CVE-2025-32912-2.patch \
"
SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"
--
2.43.0
* [OE-core][kirkstone 08/12] libsoup-2.4: Fix CVE-2025-32914
2025-05-24 13:36 [OE-core][kirkstone 00/12] Patch review Steve Sakoman
` (6 preceding siblings ...)
2025-05-24 13:36 ` [OE-core][kirkstone 07/12] libsoup-2.4: Fix CVE-2025-32912 Steve Sakoman
@ 2025-05-24 13:36 ` Steve Sakoman
2025-05-24 13:36 ` [OE-core][kirkstone 09/12] glib-2.0: fix CVE-2025-4373 Steve Sakoman
` (3 subsequent siblings)
11 siblings, 0 replies; 17+ messages in thread
From: Steve Sakoman @ 2025-05-24 13:36 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
import patch from debian to fix
CVE-2025-32914
Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf]
Reference:
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450
https://security-tracker.debian.org/tracker/CVE-2025-32914
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsoup/libsoup-2.4/CVE-2025-32914.patch | 137 ++++++++++++++++++
.../libsoup/libsoup-2.4_2.74.2.bb | 1 +
2 files changed, 138 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
new file mode 100644
index 0000000000..e6d4607b5e
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
@@ -0,0 +1,137 @@
+From: Milan Crha <mcrha@redhat.com>
+Date: Tue, 15 Apr 2025 09:03:00 +0200
+Subject: multipart: Fix read out of buffer bounds under
+ soup_multipart_new_from_message()
+
+This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
+of the body argument.
+
+Closes #436
+
+(cherry picked from commit 5bfcf8157597f2d327050114fb37ff600004dbcf)
+
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32914.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf]
+CVE: CVE-2025-32914
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-multipart.c | 2 +-
+ tests/multipart-test.c | 85 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 86 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index a7e550f..dd93973 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ return NULL;
+ }
+
+- split = strstr (start, "\r\n\r\n");
++ split = g_strstr_len (start, body_end - start, "\r\n\r\n");
+ if (!split || split > end) {
+ soup_multipart_free (multipart);
+ soup_buffer_free (flattened);
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index 64a5ebf..834b181 100644
+--- a/tests/multipart-test.c
++++ b/tests/multipart-test.c
+@@ -479,6 +479,89 @@ test_multipart (gconstpointer data)
+ g_main_loop_unref (loop);
+ }
+
++static void
++test_multipart_bounds_good (void)
++{
++ #define TEXT "line1\r\nline2"
++ SoupMultipart *multipart;
++ SoupMessageHeaders *headers, *set_headers = NULL;
++ //GBytes *bytes, *set_bytes = NULL;
++ GBytes *bytes;
++ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n";
++ gboolean success;
++ SoupMessageBody *body = soup_message_body_new ();
++ SoupBuffer *set_buffer = NULL;
++ gconstpointer data;
++ gsize size;
++
++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
++
++ bytes = g_bytes_new (raw_data, strlen (raw_data));
++
++ data = g_bytes_get_data(bytes, NULL);
++ size = g_bytes_get_size(bytes);
++
++ soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size);
++
++ //multipart = soup_multipart_new_from_message (headers, bytes);
++ multipart = soup_multipart_new_from_message (headers, body);
++
++ soup_message_body_free (body);
++
++ g_assert_nonnull (multipart);
++ g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
++ success = soup_multipart_get_part (multipart, 0, &set_headers, &set_buffer);
++ g_assert_true (success);
++ g_assert_nonnull (set_headers);
++ //g_assert_nonnull (set_bytes);
++ g_assert_nonnull (set_buffer);
++ //g_assert_cmpint (strlen (TEXT), ==, g_bytes_get_size (set_bytes));
++ g_assert_cmpint (strlen (TEXT), ==, set_buffer->length);
++ g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL));
++ //g_assert_cmpmem (TEXT, strlen (TEXT), g_bytes_get_data (set_bytes, NULL), g_bytes_get_size (set_bytes));
++ g_assert_cmpmem(TEXT, strlen(TEXT), set_buffer->data, set_buffer->length);
++
++ soup_message_headers_free (headers);
++ g_bytes_unref (bytes);
++
++ soup_multipart_free (multipart);
++
++ #undef TEXT
++}
++
++static void
++test_multipart_bounds_bad (void)
++{
++ SoupMultipart *multipart;
++ SoupMessageHeaders *headers;
++ GBytes *bytes;
++ const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n";
++ SoupMessageBody *body = soup_message_body_new ();
++ gconstpointer data;
++ gsize size;
++
++ headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++ soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
++
++ bytes = g_bytes_new (raw_data, strlen (raw_data));
++
++ data = g_bytes_get_data(bytes, NULL);
++ size = g_bytes_get_size(bytes);
++
++ soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size);
++
++ /* it did read out of raw_data/bytes bounds */
++ //multipart = soup_multipart_new_from_message (headers, bytes);
++ multipart = soup_multipart_new_from_message (headers, body);
++ g_assert_null (multipart);
++
++ soup_message_body_free (body);
++
++ soup_message_headers_free (headers);
++ g_bytes_unref (bytes);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -508,6 +591,8 @@ main (int argc, char **argv)
+ g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
+ g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
+ g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
++ g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
++ g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
+
+ ret = g_test_run ();
+
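Review bot: The two functions added to tests/multipart-test.c keep commented-out lines from the upstream form of the test beside their replacements (`//GBytes *bytes, *set_bytes = NULL;`, `//multipart = soup_multipart_new_from_message (headers, bytes);` and the `//g_assert_...` lines); drop them so the backport carries only code that is compiled. In the libsoup/soup-multipart.c hunk, `body_end` in `g_strstr_len (start, body_end - start, "\r\n\r\n")` is not declared in the visible context, so please confirm it exists in 2.74.2's soup_multipart_new_from_message () and that the patch was built and its tests run on kirkstone, not only on the Debian bullseye tree it was imported from.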
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
index 848ea6eb54..46b9e10ac5 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.2.bb
@@ -30,6 +30,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32911_CVE-2025-32913-2.patch \
file://CVE-2025-32912-1.patch \
file://CVE-2025-32912-2.patch \
+ file://CVE-2025-32914.patch \
"
SRC_URI[sha256sum] = "f0a427656e5fe19e1df71c107e88dfa1b2e673c25c547b7823b6018b40d01159"
--
2.43.0
* [OE-core][kirkstone 09/12] glib-2.0: fix CVE-2025-4373
2025-05-24 13:36 [OE-core][kirkstone 00/12] Patch review Steve Sakoman
` (7 preceding siblings ...)
2025-05-24 13:36 ` [OE-core][kirkstone 08/12] libsoup-2.4: Fix CVE-2025-32914 Steve Sakoman
@ 2025-05-24 13:36 ` Steve Sakoman
2025-05-24 13:36 ` [OE-core][kirkstone 10/12] ruby: fix CVE-2025-27221 Steve Sakoman
` (2 subsequent siblings)
11 siblings, 0 replies; 17+ messages in thread
From: Steve Sakoman @ 2025-05-24 13:36 UTC (permalink / raw)
To: openembedded-core
From: Praveen Kumar <praveen.kumar@windriver.com>
A flaw was found in GLib, which is vulnerable to an integer overflow
in the g_string_insert_unichar() function. When the position at which
to insert the character is large, the position will overflow, leading
to a buffer underwrite.
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-4373
https://security-tracker.debian.org/tracker/CVE-2025-4373
Upstream-patches:
https://gitlab.gnome.org/GNOME/glib/-/commit/cc647f9e46d55509a93498af19659baf9c80f2e3
https://gitlab.gnome.org/GNOME/glib/-/commit/4d435bb4809793c445846db8fb87e3c9184c4703
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../glib-2.0/glib-2.0/CVE-2025-4373-01.patch | 120 ++++++++++++++++++
.../glib-2.0/glib-2.0/CVE-2025-4373-02.patch | 29 +++++
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 2 +
3 files changed, 151 insertions(+)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch
new file mode 100644
index 0000000000..5b43850c53
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch
@@ -0,0 +1,120 @@
+From cc647f9e46d55509a93498af19659baf9c80f2e3 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 10 Apr 2025 10:57:20 -0500
+Subject: [PATCH 1/2] gstring: carefully handle gssize parameters
+
+Wherever we use gssize to allow passing -1, we need to ensure we don't
+overflow the value by assigning a gsize to it without checking if the
+size exceeds the maximum gssize. The safest way to do this is to just
+use normal gsize everywhere instead and use gssize only for the
+parameter.
+
+Our computers don't have enough RAM to write tests for this. I tried
+forcing string->len to high values for test purposes, but this isn't
+valid and will just cause out of bounds reads/writes due to
+string->allocated_len being unexpectedly small, so I don't think we can
+test this easily.
+
+CVE: CVE-2025-4373
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/cc647f9e46d55509a93498af19659baf9c80f2e3]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ glib/gstring.c | 36 +++++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/glib/gstring.c b/glib/gstring.c
+index 0a509e5..d6f8735 100644
+--- a/glib/gstring.c
++++ b/glib/gstring.c
+@@ -424,8 +424,9 @@ g_string_insert_len (GString *string,
+ return string;
+
+ if (len < 0)
+- len = strlen (val);
+- len_unsigned = len;
++ len_unsigned = strlen (val);
++ else
++ len_unsigned = len;
+
+ if (pos < 0)
+ pos_unsigned = string->len;
+@@ -723,10 +724,12 @@ g_string_insert_c (GString *string,
+ g_string_maybe_expand (string, 1);
+
+ if (pos < 0)
+- pos = string->len;
++ pos_unsigned = string->len;
+ else
+- g_return_val_if_fail ((gsize) pos <= string->len, string);
+- pos_unsigned = pos;
++ {
++ pos_unsigned = pos;
++ g_return_val_if_fail (pos_unsigned <= string->len, string);
++ }
+
+ /* If not just an append, move the old stuff */
+ if (pos_unsigned < string->len)
+@@ -759,6 +762,7 @@ g_string_insert_unichar (GString *string,
+ gssize pos,
+ gunichar wc)
+ {
++ gsize pos_unsigned;
+ gint charlen, first, i;
+ gchar *dest;
+
+@@ -800,15 +804,18 @@ g_string_insert_unichar (GString *string,
+ g_string_maybe_expand (string, charlen);
+
+ if (pos < 0)
+- pos = string->len;
++ pos_unsigned = string->len;
+ else
+- g_return_val_if_fail ((gsize) pos <= string->len, string);
++ {
++ pos_unsigned = pos;
++ g_return_val_if_fail (pos_unsigned <= string->len, string);
++ }
+
+ /* If not just an append, move the old stuff */
+- if ((gsize) pos < string->len)
+- memmove (string->str + pos + charlen, string->str + pos, string->len - pos);
++ if (pos_unsigned < string->len)
++ memmove (string->str + pos_unsigned + charlen, string->str + pos_unsigned, string->len - pos_unsigned);
+
+- dest = string->str + pos;
++ dest = string->str + pos_unsigned;
+ /* Code copied from g_unichar_to_utf() */
+ for (i = charlen - 1; i > 0; --i)
+ {
+@@ -866,6 +873,7 @@ g_string_overwrite_len (GString *string,
+ const gchar *val,
+ gssize len)
+ {
++ gssize len_unsigned;
+ gsize end;
+
+ g_return_val_if_fail (string != NULL, NULL);
+@@ -877,14 +885,16 @@ g_string_overwrite_len (GString *string,
+ g_return_val_if_fail (pos <= string->len, string);
+
+ if (len < 0)
+- len = strlen (val);
++ len_unsigned = strlen (val);
++ else
++ len_unsigned = len;
+
+- end = pos + len;
++ end = pos + len_unsigned;
+
+ if (end > string->len)
+ g_string_maybe_expand (string, end - string->len);
+
+- memcpy (string->str + pos, val, len);
++ memcpy (string->str + pos, val, len_unsigned);
+
+ if (end > string->len)
+ {
+--
+2.40.0
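Review bot: In the g_string_overwrite_len () hunk the new local is declared `gssize len_unsigned;`, so `len_unsigned = strlen (val)` still stores an unsigned length in a signed variable, which is the pattern the commit message sets out to remove; only CVE-2025-4373-02.patch changes the declaration to `gsize`. The two patches must be applied together, and because the message states that no test could be written, a line in the backport header on how the change was checked against 2.72.3 would help reviewers.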
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch
new file mode 100644
index 0000000000..d5a4d8dacd
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch
@@ -0,0 +1,29 @@
+From 4d435bb4809793c445846db8fb87e3c9184c4703 Mon Sep 17 00:00:00 2001
+From: Peter Bloomfield <peterbloomfield@bellsouth.net>
+Date: Fri, 11 Apr 2025 05:52:33 +0000
+Subject: [PATCH 2/2] gstring: Make len_unsigned unsigned
+
+CVE: CVE-2025-4373
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/4d435bb4809793c445846db8fb87e3c9184c4703]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ glib/gstring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/glib/gstring.c b/glib/gstring.c
+index d6f8735..d097e2f 100644
+--- a/glib/gstring.c
++++ b/glib/gstring.c
+@@ -873,7 +873,7 @@ g_string_overwrite_len (GString *string,
+ const gchar *val,
+ gssize len)
+ {
+- gssize len_unsigned;
++ gsize len_unsigned;
+ gsize end;
+
+ g_return_val_if_fail (string != NULL, NULL);
+--
+2.40.0
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
index cebd84dd50..8d2c452088 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -60,6 +60,8 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2025-3360-04.patch \
file://CVE-2025-3360-05.patch \
file://CVE-2025-3360-06.patch \
+ file://CVE-2025-4373-01.patch \
+ file://CVE-2025-4373-02.patch \
"
SRC_URI:append:class-native = " file://relocate-modules.patch"
--
2.43.0
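The overflow described in the CVE-2025-4373 message above, reproduced at small scale as an added example (not GLib code and not part of the patch). Assumptions: `int8_t`/`uint8_t` stand in for `gssize`/`gsize` so the wrap is reachable with a 200-byte string, and `MiniString`, `mini_fill`, `legacy_insert_offset` and `fixed_insert_c` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 8-bit stand-ins for gssize / gsize, so the overflow can be
 * reached without allocating more than half the address space. */
typedef int8_t  mini_ssize;
typedef uint8_t mini_size;

typedef struct {
    char      str[256];   /* room for 255 bytes plus the terminating NUL */
    mini_size len;        /* bytes in use, excluding the NUL */
} MiniString;

/* Constructed sample input: a string of n copies of c. */
void mini_fill(MiniString *s, mini_size n, char c)
{
    memset(s->str, c, n);
    s->str[n] = '\0';
    s->len = n;
}

/* Pre-patch shape: "pos < 0 means append" is implemented by storing the
 * unsigned length back into the signed parameter. Nothing is written here;
 * the function only reports the offset the old code would add to str.
 * Returns 1 if the old code would proceed, 0 if it would reject pos. */
int legacy_insert_offset(const MiniString *s, mini_ssize pos, ptrdiff_t *off)
{
    if (pos < 0)
        /* Out-of-range conversion is implementation-defined; gcc and clang
         * wrap modulo 2^8, so a length of 200 becomes -56. */
        pos = (mini_ssize)s->len;
    else if ((mini_size)pos > s->len)
        return 0;
    *off = pos;            /* negative offset: a write before the buffer */
    return 1;
}

/* Post-patch shape: the signed type is used only for the parameter; every
 * computation after the sign test happens in the unsigned type.
 * Returns the index written, or -1 if the request is rejected. */
int fixed_insert_c(MiniString *s, mini_ssize pos, char c)
{
    mini_size pos_unsigned;

    if (s->len == UINT8_MAX)          /* no room for one more byte + NUL */
        return -1;

    if (pos < 0) {
        pos_unsigned = s->len;        /* append, never round-trips via signed */
    } else {
        pos_unsigned = (mini_size)pos;
        if (pos_unsigned > s->len)
            return -1;
    }

    /* If not just an append, move the tail up by one byte. */
    if (pos_unsigned < s->len)
        memmove(s->str + pos_unsigned + 1, s->str + pos_unsigned,
                (size_t)(s->len - pos_unsigned));

    s->str[pos_unsigned] = c;
    s->len++;
    s->str[s->len] = '\0';
    return (int)pos_unsigned;
}

int main(void)
{
    MiniString s;
    ptrdiff_t off = 0;

    mini_fill(&s, 200, 'a');          /* longer than INT8_MAX */
    legacy_insert_offset(&s, -1, &off);
    printf("legacy append offset: %td\n", off);
    printf("fixed append index:   %d\n", fixed_insert_c(&s, -1, 'Z'));
    return 0;
}
```
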
* [OE-core][kirkstone 10/12] ruby: fix CVE-2025-27221
2025-05-24 13:36 [OE-core][kirkstone 00/12] Patch review Steve Sakoman
` (8 preceding siblings ...)
2025-05-24 13:36 ` [OE-core][kirkstone 09/12] glib-2.0: fix CVE-2025-4373 Steve Sakoman
@ 2025-05-24 13:36 ` Steve Sakoman
2025-05-24 13:36 ` [OE-core][kirkstone 11/12] util-linux: Add fix to isolate test fstab entries using CUSTOM_FSTAB Steve Sakoman
2025-05-24 13:36 ` [OE-core][kirkstone 12/12] gcc: AArch64 - Fix strict-align cpymem/setmem Steve Sakoman
11 siblings, 0 replies; 17+ messages in thread
From: Steve Sakoman @ 2025-05-24 13:36 UTC (permalink / raw)
To: openembedded-core
From: Divya Chellam <divya.chellam@windriver.com>
In the URI gem before 1.0.3 for Ruby, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained even
after changing the host.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-27221
Upstream-patches:
https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495
https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ruby/ruby/CVE-2025-27221-0001.patch | 57 +++++++++++++++
.../ruby/ruby/CVE-2025-27221-0002.patch | 73 +++++++++++++++++++
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 2 +
3 files changed, 132 insertions(+)
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
new file mode 100644
index 0000000000..4dd2e55b1c
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
@@ -0,0 +1,57 @@
+From 3675494839112b64d5f082a9068237b277ed1495 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:29:36 +0900
+Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+
+
+CVE: CVE-2025-27221
+
+Upstream-Status: Backport [https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ lib/uri/generic.rb | 6 +++++-
+ test/uri/test_generic.rb | 11 +++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index cfa0de6..23d2398 100644
+--- a/lib/uri/generic.rb
++++ b/lib/uri/generic.rb
+@@ -1131,7 +1131,11 @@ module URI
+ end
+
+ # RFC2396, Section 5.2, 7)
+- base.set_userinfo(rel.userinfo) if rel.userinfo
++ if rel.userinfo
++ base.set_userinfo(rel.userinfo)
++ else
++ base.set_userinfo(nil)
++ end
+ base.set_host(rel.host) if rel.host
+ base.set_port(rel.port) if rel.port
+ base.query = rel.query if rel.query
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index fdb405e..b74f8e6 100644
+--- a/test/uri/test_generic.rb
++++ b/test/uri/test_generic.rb
+@@ -157,6 +157,17 @@ class URI::TestGeneric < Test::Unit::TestCase
+ assert_equal(nil, url.user)
+ assert_equal(nil, url.password)
+ assert_equal(nil, url.userinfo)
++
++ # sec-2957667
++ url = URI.parse('http://user:pass@example.com').merge('//example.net')
++ assert_equal('http://example.net', url.to_s)
++ assert_nil(url.userinfo)
++ url = URI.join('http://user:pass@example.com', '//example.net')
++ assert_equal('http://example.net', url.to_s)
++ assert_nil(url.userinfo)
++ url = URI.parse('http://user:pass@example.com') + '//example.net'
++ assert_equal('http://example.net', url.to_s)
++ assert_nil(url.userinfo)
+ end
+
+ def test_parse_scheme_with_symbols
+--
+2.40.0
+
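Review bot: The new `else` branch in lib/uri/generic.rb calls `base.set_userinfo(nil)` whenever `rel.userinfo` is nil, and nothing in the hunk ties that to a change of host, so with this patch alone a merge whose reference carries no userinfo drops the base credentials even when the host stays the same. CVE-2025-27221-0002.patch narrows this by moving the assignment under `if authority`; the assertions added here cover only the `//example.net` case, so an assertion that a path-only merge keeps `user:pass` would document the intended behaviour and guard against carrying 0001 without 0002.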
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
new file mode 100644
index 0000000000..370b1aa66d
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
@@ -0,0 +1,73 @@
+From 2789182478f42ccbb62197f952eb730e4f02bfc5 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 18:16:28 +0900
+Subject: [PATCH] Fix merger of URI with authority component
+
+https://hackerone.com/reports/2957667
+
+Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
+
+CVE: CVE-2025-27221
+
+Upstream-Status: Backport [https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ lib/uri/generic.rb | 19 +++++++------------
+ test/uri/test_generic.rb | 7 +++++++
+ 2 files changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index 23d2398..2420882 100644
+--- a/lib/uri/generic.rb
++++ b/lib/uri/generic.rb
+@@ -1123,21 +1123,16 @@ module URI
+ base.fragment=(nil)
+
+ # RFC2396, Section 5.2, 4)
+- if !authority
+- base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
+- else
+- # RFC2396, Section 5.2, 4)
+- base.set_path(rel.path) if rel.path
++ if authority
++ base.set_userinfo(rel.userinfo)
++ base.set_host(rel.host)
++ base.set_port(rel.port || base.default_port)
++ base.set_path(rel.path)
++ elsif base.path && rel.path
++ base.set_path(merge_path(base.path, rel.path))
+ end
+
+ # RFC2396, Section 5.2, 7)
+- if rel.userinfo
+- base.set_userinfo(rel.userinfo)
+- else
+- base.set_userinfo(nil)
+- end
+- base.set_host(rel.host) if rel.host
+- base.set_port(rel.port) if rel.port
+ base.query = rel.query if rel.query
+ base.fragment=(rel.fragment) if rel.fragment
+
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index b74f8e6..ade0294 100644
+--- a/test/uri/test_generic.rb
++++ b/test/uri/test_generic.rb
+@@ -260,6 +260,13 @@ class URI::TestGeneric < Test::Unit::TestCase
+ assert_equal(u0, u1)
+ end
+
++ def test_merge_authority
++ u = URI.parse('http://user:pass@example.com:8080')
++ u0 = URI.parse('http://new.example.org/path')
++ u1 = u.merge('//new.example.org/path')
++ assert_equal(u0, u1)
++ end
++
+ def test_route
+ url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
+ assert_equal('b.html', url.to_s)
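Review bot: `test_merge_authority` exercises only the `if authority` branch. The same change also stops the path-only branch from touching userinfo, host and port (the removed code called `base.set_userinfo(nil)` whenever `rel.userinfo` was absent), and nothing in this hunk asserts that. Suggest a second assertion that merges a reference without an authority, for example `u.merge('path')`, and checks what happens to the base's userinfo and port.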
+--
+2.40.0
+
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
index ca061e7f70..65d62002ec 100644
--- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -49,6 +49,8 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
file://CVE-2025-27220.patch \
file://CVE-2025-27219.patch \
file://CVE-2024-43398.patch \
+ file://CVE-2025-27221-0001.patch \
+ file://CVE-2025-27221-0002.patch \
"
UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
--
2.43.0
* [OE-core][kirkstone 11/12] util-linux: Add fix to isolate test fstab entries using CUSTOM_FSTAB
2025-05-24 13:36 [OE-core][kirkstone 00/12] Patch review Steve Sakoman
` (9 preceding siblings ...)
2025-05-24 13:36 ` [OE-core][kirkstone 10/12] ruby: fix CVE-2025-27221 Steve Sakoman
@ 2025-05-24 13:36 ` Steve Sakoman
2025-05-24 13:36 ` [OE-core][kirkstone 12/12] gcc: AArch64 - Fix strict-align cpymem/setmem Steve Sakoman
11 siblings, 0 replies; 17+ messages in thread
From: Steve Sakoman @ 2025-05-24 13:36 UTC (permalink / raw)
To: openembedded-core
From: Virendra Thakur <virendra.thakur@kpit.com>
During ptest execution, util-linux adds mount entries in /etc/fstab
and runs `mount -a`, which mounts all available entries from
/etc/fstab. This can cause unintended mounts that are unrelated to
the test, leading to incorrect test behavior.
To avoid this, upstream util-linux introduced a mechanism using
CUSTOM_FSTAB, which isolates test-specific fstab entries. Only entries
listed in CUSTOM_FSTAB are mounted during test execution, ensuring
tests do not interfere with or depend on the system's /etc/fstab.
This commit backports the upstream changes below to use CUSTOM_FSTAB.
https://github.com/util-linux/util-linux/commit/ed3d33faff17fb702a3acfca2f9f24e69f4920de
https://github.com/util-linux/util-linux/commit/b1580bd760519a2cf052f023057846e54de47484
https://github.com/util-linux/util-linux/commit/6aa8d17b6b53b86a46c5da68c02a893113130496
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/util-linux/util-linux.inc | 1 +
.../util-linux/fstab-isolation.patch | 419 ++++++++++++++++++
2 files changed, 420 insertions(+)
create mode 100644 meta/recipes-core/util-linux/util-linux/fstab-isolation.patch
diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index b9172230e7..c62c6d70c3 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -41,6 +41,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
file://CVE-2024-28085-0003.patch \
file://CVE-2024-28085-0004.patch \
file://CVE-2024-28085-0005.patch \
+ file://fstab-isolation.patch \
"
SRC_URI[sha256sum] = "634e6916ad913366c3536b6468e7844769549b99a7b2bf80314de78ab5655b83"
diff --git a/meta/recipes-core/util-linux/util-linux/fstab-isolation.patch b/meta/recipes-core/util-linux/util-linux/fstab-isolation.patch
new file mode 100644
index 0000000000..6b272507f7
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/fstab-isolation.patch
@@ -0,0 +1,419 @@
+From 1f6d3c9fd195672987076958eefbabf395fb2df2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <thomas@t-8ch.de>
+Date: Sat, 22 Apr 2023 17:48:58 +0200
+Subject: [PATCH 1/3] tests: (functions.sh) create variable for test fstab
+ location
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
+(cherry picked from commit ed3d33faff17fb702a3acfca2f9f24e69f4920de)
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/ed3d33faff17fb702a3acfca2f9f24e69f4920de]
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ tests/functions.sh | 13 +++++++------
+ tests/ts/mount/fstab-broken | 2 +-
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/tests/functions.sh b/tests/functions.sh
+index 1699ba047..93eef8564 100644
+--- a/tests/functions.sh
++++ b/tests/functions.sh
+@@ -351,6 +351,7 @@ function ts_init_env {
+ TS_ENABLE_UBSAN="yes"
+ fi
+
++ TS_FSTAB="/etc/fstab"
+ BLKID_FILE="$TS_OUTDIR/${TS_TESTNAME}.blkidtab"
+
+ declare -a TS_SUID_PROGS
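Review bot: The variable introduced in `ts_init_env` is `TS_FSTAB`, but the subject and commit message of this backport describe the mechanism as `CUSTOM_FSTAB`, a name that does not occur anywhere in the patch. Reword the commit message to say `TS_FSTAB` (together with `mount -T`), so that someone searching the tree for the name given in the log actually finds it.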
+@@ -789,12 +790,12 @@ function ts_is_mounted {
+ }
+
+ function ts_fstab_open {
+- echo "# <!-- util-linux test entry" >> /etc/fstab
++ echo "# <!-- util-linux test entry" >> "$TS_FSTAB"
+ }
+
+ function ts_fstab_close {
+- echo "# -->" >> /etc/fstab
+- sync /etc/fstab 2>/dev/null
++ echo "# -->" >> "$TS_FSTAB"
++ sync "$TS_FSTAB" 2>/dev/null
+ }
+
+ function ts_fstab_addline {
+@@ -803,7 +804,7 @@ function ts_fstab_addline {
+ local FS=${3:-"auto"}
+ local OPT=${4:-"defaults"}
+
+- echo "$SPEC $MNT $FS $OPT 0 0" >> /etc/fstab
++ echo "$SPEC $MNT $FS $OPT 0 0" >> "$TS_FSTAB"
+ }
+
+ function ts_fstab_lock {
+@@ -827,9 +828,9 @@ function ts_fstab_clean {
+ ba
+ }
+ s/# <!-- util-linux.*-->//;
+-/^$/d" /etc/fstab
++/^$/d" "$TS_FSTAB"
+
+- sync /etc/fstab 2>/dev/null
++ sync "$TS_FSTAB" 2>/dev/null
+ ts_unlock "fstab"
+ }
+
+diff --git a/tests/ts/mount/fstab-broken b/tests/ts/mount/fstab-broken
+index 947e3af7a..5ef10f889 100755
+--- a/tests/ts/mount/fstab-broken
++++ b/tests/ts/mount/fstab-broken
+@@ -33,7 +33,7 @@ mkdir -p $MNT
+
+ ts_fstab_lock
+ ts_fstab_open
+-echo "tmpd $MNT tmpfs" >> /etc/fstab
++echo "tmpd $MNT tmpfs" >> "$TS_FSTAB"
+ ts_fstab_close
+
+ ts_init_subtest "mount"
+--
+2.34.1
+
+
+From 82e44655f33037cbcd2da6664202735d1e37d317 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <thomas@t-8ch.de>
+Date: Sat, 22 Apr 2023 17:20:45 +0200
+Subject: [PATCH 2/3] tests: (functions.sh) use per-test fstab file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
+(cherry picked from commit 6aa8d17b6b53b86a46c5da68c02a893113130496)
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/6aa8d17b6b53b86a46c5da68c02a893113130496]
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ tests/functions.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/functions.sh b/tests/functions.sh
+index 93eef8564..4a5580712 100644
+--- a/tests/functions.sh
++++ b/tests/functions.sh
+@@ -351,7 +351,7 @@ function ts_init_env {
+ TS_ENABLE_UBSAN="yes"
+ fi
+
+- TS_FSTAB="/etc/fstab"
++ TS_FSTAB="$TS_OUTDIR/${TS_TESTNAME}.fstab"
+ BLKID_FILE="$TS_OUTDIR/${TS_TESTNAME}.blkidtab"
+
+ declare -a TS_SUID_PROGS
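Review bot: The `TS_FSTAB` assignment in `ts_init_env` carries no comment saying that callers must hand it to mount with `-T`. Once it stops pointing at /etc/fstab, a test that appends entries through `ts_fstab_addline` and then runs `$TS_CMD_MOUNT` without `-T "$TS_FSTAB"` reads the system fstab instead and never sees its own entries. A one-line comment next to the assignment would document that contract for tests added later.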
+--
+2.34.1
+
+
+From 73257404c6bee007c75b826bb1bd99e8eb6e8f9a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <thomas@t-8ch.de>
+Date: Sat, 22 Apr 2023 17:34:28 +0200
+Subject: [PATCH 3/3] mount: (tests) explicitly use test fstab location
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
+(cherry picked from commit b1580bd760519a2cf052f023057846e54de47484)
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/b1580bd760519a2cf052f023057846e54de47484]
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ tests/ts/mount/fslists | 2 +-
+ tests/ts/mount/fstab-broken | 4 ++--
+ tests/ts/mount/fstab-btrfs | 8 ++++----
+ tests/ts/mount/fstab-devname | 4 ++--
+ tests/ts/mount/fstab-devname2label | 2 +-
+ tests/ts/mount/fstab-devname2uuid | 2 +-
+ tests/ts/mount/fstab-label | 6 +++---
+ tests/ts/mount/fstab-label2devname | 4 ++--
+ tests/ts/mount/fstab-label2uuid | 4 ++--
+ tests/ts/mount/fstab-loop | 4 ++--
+ tests/ts/mount/fstab-none | 2 +-
+ tests/ts/mount/fstab-symlink | 2 +-
+ tests/ts/mount/fstab-uuid | 4 ++--
+ tests/ts/mount/fstab-uuid2devname | 4 ++--
+ tests/ts/mount/fstab-uuid2label | 4 ++--
+ 15 files changed, 28 insertions(+), 28 deletions(-)
+
+diff --git a/tests/ts/mount/fslists b/tests/ts/mount/fslists
+index 74a87f6a7..3e2efa0db 100755
+--- a/tests/ts/mount/fslists
++++ b/tests/ts/mount/fslists
+@@ -61,7 +61,7 @@ ts_finalize_subtest
+ ts_init_subtest "more-types-fstab"
+ [ -d "$TS_MOUNTPOINT" ] || mkdir -p $TS_MOUNTPOINT
+ ts_fstab_add $DEVICE $TS_MOUNTPOINT "foo,bar,ext2"
+-$TS_CMD_MOUNT $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_fstab_clean
+ ts_is_mounted $DEVICE || ts_die "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $TS_MOUNTPOINT
+diff --git a/tests/ts/mount/fstab-broken b/tests/ts/mount/fstab-broken
+index 5ef10f889..a9855f06f 100755
+--- a/tests/ts/mount/fstab-broken
++++ b/tests/ts/mount/fstab-broken
+@@ -37,7 +37,7 @@ echo "tmpd $MNT tmpfs" >> "$TS_FSTAB"
+ ts_fstab_close
+
+ ts_init_subtest "mount"
+-$TS_CMD_MOUNT $MNT &> /dev/null
++$TS_CMD_MOUNT -T "$TS_FSTAB" $MNT &> /dev/null
+ [ "$?" = "0" ] || ts_log "error: mount $MNT"
+ $TS_CMD_FINDMNT --kernel --mountpoint "$MNT" &> /dev/null
+ if [ "$?" != "0" ]; then
+@@ -56,7 +56,7 @@ ts_finalize_subtest
+
+
+ ts_init_subtest "mount-all"
+-$TS_CMD_MOUNT -a &> /dev/null
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a &> /dev/null
+ [ "$?" = "0" ] || ts_log "error: mount -a"
+ $TS_CMD_FINDMNT --kernel --mountpoint "$MNT" &> /dev/null
+ if [ "$?" != "0" ]; then
+diff --git a/tests/ts/mount/fstab-btrfs b/tests/ts/mount/fstab-btrfs
+index 0003b5d65..1f93d409d 100755
+--- a/tests/ts/mount/fstab-btrfs
++++ b/tests/ts/mount/fstab-btrfs
+@@ -91,8 +91,8 @@ ts_fstab_addline "$DEVICE" "$TS_MOUNTPOINT_SUBVOLID" "btrfs" "subvolid=$NON_DEFA
+ ts_fstab_addline "$TS_MOUNTPOINT_SUBVOLID" "$TS_MOUNTPOINT_BIND" "auto" "bind"
+ ts_fstab_close
+
+-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG
+-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG
+
+ $TS_CMD_UMOUNT "$TS_MOUNTPOINT_BIND" >> $TS_OUTPUT 2>> $TS_ERRLOG
+ $TS_CMD_UMOUNT "$TS_MOUNTPOINT_DEFAULT" >> $TS_OUTPUT 2>> $TS_ERRLOG
+@@ -121,8 +121,8 @@ ts_fstab_addline "$DEVICE" "$TS_MOUNTPOINT_SUBVOLID" "auto" "subvolid=$NON_DEFAU
+ ts_fstab_addline "$TS_MOUNTPOINT_SUBVOL/bind-mnt" "$TS_MOUNTPOINT_BIND" "auto" "bind"
+ ts_fstab_close
+
+-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG
+-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG
+
+ $TS_CMD_UMOUNT "$TS_MOUNTPOINT_BIND" >> $TS_OUTPUT 2>> $TS_ERRLOG
+ $TS_CMD_UMOUNT "$TS_MOUNTPOINT_DEFAULT" >> $TS_OUTPUT 2>> $TS_ERRLOG
+diff --git a/tests/ts/mount/fstab-devname b/tests/ts/mount/fstab-devname
+index 4e4961ede..3964b81c5 100755
+--- a/tests/ts/mount/fstab-devname
++++ b/tests/ts/mount/fstab-devname
+@@ -40,12 +40,12 @@ ts_device_has "TYPE" "ext2" $DEVICE || ts_die "Cannot find ext2 on $DEVICE"
+ ts_fstab_add $DEVICE
+
+ # variant A)
+-$TS_CMD_MOUNT $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "A) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "A) Cannot umount $DEVICE"
+
+ # variant B)
+-$TS_CMD_MOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "B) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "B) Cannot umount $DEVICE"
+
+diff --git a/tests/ts/mount/fstab-devname2label b/tests/ts/mount/fstab-devname2label
+index 7257fbc89..1f50d0178 100755
+--- a/tests/ts/mount/fstab-devname2label
++++ b/tests/ts/mount/fstab-devname2label
+@@ -41,7 +41,7 @@ ts_device_has "LABEL" $LABEL $DEVICE \
+ ts_fstab_add "LABEL=$LABEL"
+ ts_udevadm_settle "$DEVICE" "LABEL"
+
+-$TS_CMD_MOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "Cannot umount $DEVICE"
+
+diff --git a/tests/ts/mount/fstab-devname2uuid b/tests/ts/mount/fstab-devname2uuid
+index 02b3ee161..f1fa23152 100755
+--- a/tests/ts/mount/fstab-devname2uuid
++++ b/tests/ts/mount/fstab-devname2uuid
+@@ -39,7 +39,7 @@ UUID=$(ts_uuid_by_devname "$DEVICE") || ts_die "Cannot find UUID on $DEVICE"
+ ts_fstab_add "UUID=$UUID"
+ ts_udevadm_settle "$DEVICE" "UUID"
+
+-$TS_CMD_MOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "Cannot umount $DEVICE"
+
+diff --git a/tests/ts/mount/fstab-label b/tests/ts/mount/fstab-label
+index a86bdf6c0..6dd1c7bfc 100755
+--- a/tests/ts/mount/fstab-label
++++ b/tests/ts/mount/fstab-label
+@@ -42,17 +42,17 @@ ts_fstab_add "LABEL=$LABEL"
+ ts_udevadm_settle "$DEVICE" "LABEL"
+
+ # variant A)
+-$TS_CMD_MOUNT $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "A) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "A) Cannot umount $DEVICE"
+
+ # variant B)
+-$TS_CMD_MOUNT -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "B) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "B) Cannot umount $DEVICE"
+
+ # variant C)
+-$TS_CMD_MOUNT LABEL=$LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" LABEL=$LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "C) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "C) Cannot umount $DEVICE"
+
+diff --git a/tests/ts/mount/fstab-label2devname b/tests/ts/mount/fstab-label2devname
+index 181352aef..359479aaa 100755
+--- a/tests/ts/mount/fstab-label2devname
++++ b/tests/ts/mount/fstab-label2devname
+@@ -42,12 +42,12 @@ ts_fstab_add "$DEVICE"
+ ts_udevadm_settle "$DEVICE" "LABEL"
+
+ # variant A)
+-$TS_CMD_MOUNT -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "A) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "A) Cannot umount $DEVICE"
+
+ # variant B)
+-$TS_CMD_MOUNT "LABEL=$LABEL" >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" "LABEL=$LABEL" >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "B) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "B) Cannot umount $DEVICE"
+
+diff --git a/tests/ts/mount/fstab-label2uuid b/tests/ts/mount/fstab-label2uuid
+index 027bf8059..5884faeed 100755
+--- a/tests/ts/mount/fstab-label2uuid
++++ b/tests/ts/mount/fstab-label2uuid
+@@ -44,12 +44,12 @@ ts_fstab_add "UUID=$UUID"
+ ts_udevadm_settle "$DEVICE" "LABEL" "UUID"
+
+ # variant A)
+-$TS_CMD_MOUNT -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "A) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "A) Cannot umount $DEVICE"
+
+ # variant B)
+-$TS_CMD_MOUNT "LABEL=$LABEL" >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" "LABEL=$LABEL" >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "B) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "B) Cannot umount $DEVICE"
+
+diff --git a/tests/ts/mount/fstab-loop b/tests/ts/mount/fstab-loop
+index 7d4fbff3c..29ceb937d 100755
+--- a/tests/ts/mount/fstab-loop
++++ b/tests/ts/mount/fstab-loop
+@@ -39,10 +39,10 @@ ts_fstab_lock
+ ts_fstab_open
+
+ ts_fstab_addline "$IMG" "$TS_MOUNTPOINT-1" "ext2" "loop"
+-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG
+
+ ts_fstab_addline "$IMG" "$TS_MOUNTPOINT-2" "ext2" "loop"
+-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG
+
+ ts_fstab_close
+
+diff --git a/tests/ts/mount/fstab-none b/tests/ts/mount/fstab-none
+index e2ed0af02..4d1ec283b 100755
+--- a/tests/ts/mount/fstab-none
++++ b/tests/ts/mount/fstab-none
+@@ -16,7 +16,7 @@ ts_fstab_add "none" "$TS_MOUNTPOINT" "tmpfs" "rw,nosuid,nodev,relatime"
+
+ mkdir -p $TS_MOUNTPOINT
+
+-$TS_CMD_MOUNT $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
+ [ "$?" = "0" ] || ts_log "error: mount $TS_MOUNTPOINT"
+
+ $TS_CMD_FINDMNT --mountpoint "$TS_MOUNTPOINT" &> /dev/null
+diff --git a/tests/ts/mount/fstab-symlink b/tests/ts/mount/fstab-symlink
+index 9f63a5afc..e00b33d61 100755
+--- a/tests/ts/mount/fstab-symlink
++++ b/tests/ts/mount/fstab-symlink
+@@ -46,7 +46,7 @@ ln -s $DEVICE $LINKNAME
+ ts_fstab_add $LINKNAME $TS_MOUNTPOINT "auto" "defaults,user"
+
+ # variant A) -- UID=0
+-$TS_CMD_MOUNT $LINKNAME >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $LINKNAME >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "A) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $LINKNAME || ts_die "A) Cannot umount $LINKNAME"
+
+diff --git a/tests/ts/mount/fstab-uuid b/tests/ts/mount/fstab-uuid
+index ce4c86ea8..45694c9f3 100755
+--- a/tests/ts/mount/fstab-uuid
++++ b/tests/ts/mount/fstab-uuid
+@@ -40,12 +40,12 @@ ts_fstab_add "UUID=$UUID"
+ ts_udevadm_settle "$DEVICE" "UUID"
+
+ # variant A)
+-$TS_CMD_MOUNT $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "A) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "A) Cannot umount $DEVICE"
+
+ # variant B)
+-$TS_CMD_MOUNT -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "B) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "B) Cannot umount $DEVICE"
+
+diff --git a/tests/ts/mount/fstab-uuid2devname b/tests/ts/mount/fstab-uuid2devname
+index 4ce72556c..82367235f 100755
+--- a/tests/ts/mount/fstab-uuid2devname
++++ b/tests/ts/mount/fstab-uuid2devname
+@@ -40,12 +40,12 @@ ts_fstab_add "$DEVICE"
+ ts_udevadm_settle "$DEVICE" "UUID"
+
+ # variant A)
+-$TS_CMD_MOUNT -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "A) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "A) Cannot umount $DEVICE"
+
+ # variant B)
+-$TS_CMD_MOUNT "UUID=$UUID" >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" "UUID=$UUID" >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "B) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "B) Cannot umount $DEVICE"
+
+diff --git a/tests/ts/mount/fstab-uuid2label b/tests/ts/mount/fstab-uuid2label
+index b1f983df1..1a2ffaada 100755
+--- a/tests/ts/mount/fstab-uuid2label
++++ b/tests/ts/mount/fstab-uuid2label
+@@ -43,12 +43,12 @@ ts_fstab_add "LABEL=$LABEL"
+ ts_udevadm_settle "$DEVICE" "LABEL" "UUID"
+
+ # variant A)
+-$TS_CMD_MOUNT -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "A) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "A) Cannot umount $DEVICE"
+
+ # variant B)
+-$TS_CMD_MOUNT "UUID=$UUID" >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" "UUID=$UUID" >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "B) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "B) Cannot umount $DEVICE"
+
+--
+2.34.1
+
--
2.43.0
* [OE-core][kirkstone 12/12] gcc: AArch64 - Fix strict-align cpymem/setmem
2025-05-24 13:36 [OE-core][kirkstone 00/12] Patch review Steve Sakoman
` (10 preceding siblings ...)
2025-05-24 13:36 ` [OE-core][kirkstone 11/12] util-linux: Add fix to isolate test fstab entries using CUSTOM_FSTAB Steve Sakoman
@ 2025-05-24 13:36 ` Steve Sakoman
11 siblings, 0 replies; 17+ messages in thread
From: Steve Sakoman @ 2025-05-24 13:36 UTC (permalink / raw)
To: openembedded-core
From: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
The cpymemdi/setmemdi implementation doesn't fully support strict alignment.
Block the expansion if the alignment is less than 16 with STRICT_ALIGNMENT.
Clean up the condition when to use MOPS. (PR103100)
The original patch for GCC 12 removed MOPS & SIMD conditionals for setmem and
cpymem expansions in the aarch64.md file. However, this version for GCC 11 does not
backport the SIMD & MOPS-related changes and retains the conditions in the aarch64.md
file to preserve correctness and compatibility with the GCC 11 backend.
All changes and outputs have been verified by the author.
Upstream-Status: Backport [https://gcc.gnu.org/cgit/gcc/commit/?id=b9d16d8361a9e3a82a2f21e759e760d235d43322]
Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/gcc/gcc-11.5.inc | 1 +
...rch64-fix-strict-align-cpymem-setmem.patch | 45 +++++++++++++++++++
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-devtools/gcc/gcc/0032-gcc-aarch64-fix-strict-align-cpymem-setmem.patch
diff --git a/meta/recipes-devtools/gcc/gcc-11.5.inc b/meta/recipes-devtools/gcc/gcc-11.5.inc
index f17ec9da5c..1e8371b2bd 100644
--- a/meta/recipes-devtools/gcc/gcc-11.5.inc
+++ b/meta/recipes-devtools/gcc/gcc-11.5.inc
@@ -60,6 +60,7 @@ SRC_URI = "\
file://0029-Fix-install-path-of-linux64.h.patch \
file://0030-rust-recursion-limit.patch \
file://0031-gcc-sanitizers-fix.patch \
+ file://0032-gcc-aarch64-fix-strict-align-cpymem-setmem.patch \
file://0001-CVE-2021-42574.patch \
file://0002-CVE-2021-42574.patch \
file://0003-CVE-2021-42574.patch \
diff --git a/meta/recipes-devtools/gcc/gcc/0032-gcc-aarch64-fix-strict-align-cpymem-setmem.patch b/meta/recipes-devtools/gcc/gcc/0032-gcc-aarch64-fix-strict-align-cpymem-setmem.patch
new file mode 100644
index 0000000000..4c2d827799
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc/0032-gcc-aarch64-fix-strict-align-cpymem-setmem.patch
@@ -0,0 +1,45 @@
+gcc: AArch64 - Fix strict-align cpymem/setmem
+
+The cpymemdi/setmemdi implementation doesn't fully support strict alignment.
+Block the expansion if the alignment is less than 16 with STRICT_ALIGNMENT.
+Clean up the condition when to use MOPS.
+
+Upstream-Status: Backport [https://gcc.gnu.org/cgit/gcc/commit/?id=b9d16d8361a9e3a82a2f21e759e760d235d43322]
+
+Signed-off-by: Wilco Dijkstra <wilco.dijkstra@arm.com>
+Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
+---
+--- a/gcc/config/aarch64/aarch64.c 2025-05-08 20:40:10.969865898 -0700
++++ b/gcc/config/aarch64/aarch64.c 2025-05-13 23:11:07.006796627 -0700
+@@ -23621,14 +23621,15 @@
+ int mode_bits;
+ rtx dst = operands[0];
+ rtx src = operands[1];
++ unsigned align = UINTVAL (operands[3]);
+ rtx base;
+ machine_mode cur_mode = BLKmode;
+
+ /* Only expand fixed-size copies. */
+- if (!CONST_INT_P (operands[2]))
++ if (!CONST_INT_P (operands[2]) || (STRICT_ALIGNMENT && align < 16))
+ return false;
+
+- unsigned HOST_WIDE_INT size = INTVAL (operands[2]);
++ unsigned HOST_WIDE_INT size = UINTVAL (operands[2]);
+
+ /* Inline up to 256 bytes when optimizing for speed. */
+ unsigned HOST_WIDE_INT max_copy_size = 256;
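Review bot: `unsigned align = UINTVAL (operands[3]);` narrows the value to plain `unsigned`, while the same hunk moves `size` to `unsigned HOST_WIDE_INT size = UINTVAL (operands[2]);`. Declaring `align` as `unsigned HOST_WIDE_INT` would keep the two consistent and avoid the implicit truncation. The unit of the `align < 16` comparison is not stated anywhere in the hunk either; a short comment naming it would make the threshold checkable against the commit message.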
+@@ -23750,11 +23751,12 @@
+ unsigned HOST_WIDE_INT len;
+ rtx dst = operands[0];
+ rtx val = operands[2], src;
++ unsigned align = UINTVAL (operands[3]);
+ rtx base;
+ machine_mode cur_mode = BLKmode, next_mode;
+
+ /* We can't do anything smart if the amount to copy is not constant. */
+- if (!CONST_INT_P (operands[1]))
++ if (!CONST_INT_P (operands[1]) || (STRICT_ALIGNMENT && align < 16))
+ return false;
+
+ bool speed_p = !optimize_function_for_size_p (cfun);
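Review bot: The comment `/* We can't do anything smart if the amount to copy is not constant. */` now sits above a condition that also returns false for `STRICT_ALIGNMENT && align < 16`, so it describes only half of the test. Extend the comment to mention the strict-alignment bail-out, so the reason for the early return stays readable from the source without the commit log.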
--
2.43.0