[OE-core][scarthgap 01/11] libarchive: fix CVE-2025-5914
From: Steve Sakoman @ 2025-07-04 15:10 UTC (permalink / raw)
To: openembedded-core
From: Divya Chellam <divya.chellam@windriver.com>
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-5914
Upstream-patch:
https://github.com/libarchive/libarchive/commit/09685126fcec664e2b8ca595e1fc371bd494d209
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libarchive/libarchive/CVE-2025-5914.patch | 48 +++++++++++++++++++
.../libarchive/libarchive_3.7.9.bb | 1 +
2 files changed, 49 insertions(+)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
new file mode 100644
index 0000000000..89022b38fd
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
@@ -0,0 +1,48 @@
+From 09685126fcec664e2b8ca595e1fc371bd494d209 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
+Date: Sun, 11 May 2025 02:17:19 +0200
+Subject: [PATCH] rar: Fix double free with over 4 billion nodes (#2598)
+
+If a system is capable of handling 4 billion nodes in memory, a double
+free could occur because of an unsigned integer overflow leading to a
+realloc call with size argument of 0. Eventually, the client will
+release that memory again, triggering a double free.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+
+CVE: CVE-2025-5914
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/09685126fcec664e2b8ca595e1fc371bd494d209]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ libarchive/archive_read_support_format_rar.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 9d155c6..9eb3c84 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -335,8 +335,8 @@ struct rar
+ int found_first_header;
+ char has_endarc_header;
+ struct data_block_offsets *dbo;
+- unsigned int cursor;
+- unsigned int nodes;
++ size_t cursor;
++ size_t nodes;
+ char filename_must_match;
+
+ /* LZSS members */
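Review bot: widening cursor and nodes to size_t only removes the 2^32 wrap on LP64 targets; on the ILP32 MACHINEs scarthgap still builds (qemux86, qemuarm and the like) size_t is 32 bits, so the realloc-with-size-0 path the commit message describes is narrowed there, not closed. An explicit upper bound on nodes before it is incremented for the next allocation would make the fix independent of pointer width; as backported, the 32-bit case relies on memory running out before nodes reaches 2^32, which is a reasonable but unstated assumption.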
+@@ -1186,7 +1186,7 @@ archive_read_format_rar_seek_data(struct archive_read *a, int64_t offset,
+ int whence)
+ {
+ int64_t client_offset, ret;
+- unsigned int i;
++ size_t i;
+ struct rar *rar = (struct rar *)(a->format->data);
+
+ if (rar->compression_method == COMPRESS_METHOD_STORE)
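Review bot: this hunk only keeps the local index in step with the widened struct fields; the wrap itself happens where nodes is incremented and dbo reallocated, which is outside this hunk and is fixed by the type change above, so the two hunks belong together. No regression test accompanies the change, which is understandable (it needs more than 4 billion data blocks in memory), but the backport commit message could say so explicitly rather than leave the reader looking for a test file as the other patches in this series have.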
+--
+2.40.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index 4dd6794bb1..c26a14e32e 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -31,6 +31,7 @@ EXTRA_OECONF += "--enable-largefile --without-iconv"
SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://configurehack.patch \
+ file://CVE-2025-5914.patch \
"
UPSTREAM_CHECK_URI = "http://libarchive.org/"
--
2.43.0
[OE-core][scarthgap 02/11] libarchive: fix CVE-2025-5915
From: Steve Sakoman @ 2025-07-04 15:10 UTC (permalink / raw)
To: openembedded-core
From: Divya Chellam <divya.chellam@windriver.com>
A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5915
Upstream-patches:
https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libarchive/libarchive/CVE-2025-5915.patch | 217 ++++++++++++++++++
.../libarchive/libarchive_3.7.9.bb | 1 +
2 files changed, 218 insertions(+)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch
new file mode 100644
index 0000000000..3c911ce9d9
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch
@@ -0,0 +1,217 @@
+From a612bf62f86a6faa47bd57c52b94849f0a404d8c Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
+Date: Sun, 11 May 2025 19:00:11 +0200
+Subject: [PATCH] rar: Fix heap-buffer-overflow (#2599)
+
+A filter block size must not be larger than the lzss window, which is
+defined
+by dictionary size, which in turn can be derived from unpacked file
+size.
+
+While at it, improve error messages and fix lzss window wrap around
+logic.
+
+Fixes https://github.com/libarchive/libarchive/issues/2565
+
+---------
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Co-authored-by: Tim Kientzle <kientzle@acm.org>
+
+CVE: CVE-2025-5915
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ Makefile.am | 2 +
+ libarchive/archive_read_support_format_rar.c | 17 ++++---
+ libarchive/test/CMakeLists.txt | 1 +
+ .../test/test_read_format_rar_overflow.c | 48 +++++++++++++++++++
+ .../test/test_read_format_rar_overflow.rar.uu | 11 +++++
+ 5 files changed, 72 insertions(+), 7 deletions(-)
+ create mode 100644 libarchive/test/test_read_format_rar_overflow.c
+ create mode 100644 libarchive/test/test_read_format_rar_overflow.rar.uu
+
+diff --git a/Makefile.am b/Makefile.am
+index 4fafc41..9f3a6d1 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -519,6 +519,7 @@ libarchive_test_SOURCES= \
+ libarchive/test/test_read_format_rar_encryption_header.c \
+ libarchive/test/test_read_format_rar_filter.c \
+ libarchive/test/test_read_format_rar_invalid1.c \
++ libarchive/test/test_read_format_rar_overflow.c \
+ libarchive/test/test_read_format_rar5.c \
+ libarchive/test/test_read_format_raw.c \
+ libarchive/test/test_read_format_tar.c \
+@@ -889,6 +890,7 @@ libarchive_test_EXTRA_DIST=\
+ libarchive/test/test_read_format_rar_multivolume.part0003.rar.uu \
+ libarchive/test/test_read_format_rar_multivolume.part0004.rar.uu \
+ libarchive/test/test_read_format_rar_noeof.rar.uu \
++ libarchive/test/test_read_format_rar_overflow.rar.uu \
+ libarchive/test/test_read_format_rar_ppmd_lzss_conversion.rar.uu \
+ libarchive/test/test_read_format_rar_ppmd_use_after_free.rar.uu \
+ libarchive/test/test_read_format_rar_ppmd_use_after_free2.rar.uu \
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 9eb3c84..88eab62 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -451,7 +451,7 @@ static int read_filter(struct archive_read *, int64_t *);
+ static int rar_decode_byte(struct archive_read*, uint8_t *);
+ static int execute_filter(struct archive_read*, struct rar_filter *,
+ struct rar_virtual_machine *, size_t);
+-static int copy_from_lzss_window(struct archive_read *, void *, int64_t, int);
++static int copy_from_lzss_window(struct archive_read *, uint8_t *, int64_t, int);
+ static inline void vm_write_32(struct rar_virtual_machine*, size_t, uint32_t);
+ static inline uint32_t vm_read_32(struct rar_virtual_machine*, size_t);
+
+@@ -2929,7 +2929,7 @@ expand(struct archive_read *a, int64_t *end)
+ }
+
+ if ((symbol = read_next_symbol(a, &rar->maincode)) < 0)
+- return (ARCHIVE_FATAL);
++ goto bad_data;
+
+ if (symbol < 256)
+ {
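Review bot: replacing the bare `return (ARCHIVE_FATAL)` with `goto bad_data` means the caller now gets an error string from the bad_data label instead of a FATAL with no message, and the same substitution is made in the two hunks that follow. One thing to check: read_next_symbol() and parse_codes() may already call archive_set_error() on their failure paths, and the bad_data label (not shown here) will overwrite that more specific message with a generic one, so the more useful diagnosis could be lost.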
+@@ -2956,14 +2956,14 @@ expand(struct archive_read *a, int64_t *end)
+ else
+ {
+ if (parse_codes(a) != ARCHIVE_OK)
+- return (ARCHIVE_FATAL);
++ goto bad_data;
+ continue;
+ }
+ }
+ else if(symbol==257)
+ {
+ if (!read_filter(a, end))
+- return (ARCHIVE_FATAL);
++ goto bad_data;
+ continue;
+ }
+ else if(symbol==258)
+@@ -3048,7 +3048,7 @@ expand(struct archive_read *a, int64_t *end)
+ {
+ if ((lowoffsetsymbol =
+ read_next_symbol(a, &rar->lowoffsetcode)) < 0)
+- return (ARCHIVE_FATAL);
++ goto bad_data;
+ if(lowoffsetsymbol == 16)
+ {
+ rar->numlowoffsetrepeats = 15;
+@@ -3096,7 +3096,7 @@ bad_data:
+ }
+
+ static int
+-copy_from_lzss_window(struct archive_read *a, void *buffer,
++copy_from_lzss_window(struct archive_read *a, uint8_t *buffer,
+ int64_t startpos, int length)
+ {
+ int windowoffs, firstpart;
+@@ -3111,7 +3111,7 @@ copy_from_lzss_window(struct archive_read *a, void *buffer,
+ }
+ if (firstpart < length) {
+ memcpy(buffer, &rar->lzss.window[windowoffs], firstpart);
+- memcpy(buffer, &rar->lzss.window[0], length - firstpart);
++ memcpy(buffer + firstpart, &rar->lzss.window[0], length - firstpart);
+ } else {
+ memcpy(buffer, &rar->lzss.window[windowoffs], length);
+ }
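Review bot: the second memcpy previously wrote the wrapped part at `buffer` instead of `buffer + firstpart`, overwriting the bytes just copied and leaving the tail of the output unwritten; this is a data-correctness fix for the wrap-around, not the over-read fix itself. The function still trusts `length`: if `length - firstpart` exceeded the window, the second memcpy would read past `rar->lzss.window`, and the only thing preventing that is the new `blocklength > rar->dictionary_size` check in parse_filter below. The two hunks therefore depend on each other and must be backported together, as they are here.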
+@@ -3266,6 +3266,9 @@ parse_filter(struct archive_read *a, const uint8_t *bytes, uint16_t length, uint
+ else
+ blocklength = prog ? prog->oldfilterlength : 0;
+
++ if (blocklength > rar->dictionary_size)
++ return 0;
++
+ registers[3] = PROGRAM_SYSTEM_GLOBAL_ADDRESS;
+ registers[4] = blocklength;
+ registers[5] = prog ? prog->usagecount : 0;
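Review bot: the check is placed after both the new-length and the `prog->oldfilterlength` assignments, so a reused filter carrying an oversized stored length is rejected too, which is right. Two points: `return 0` fails the filter without an archive_set_error(), so a crafted archive yields a bare ARCHIVE_FATAL unlike the other rejection paths that reach bad_data; and the bound is `rar->dictionary_size` rather than the allocated window length, which the commit message says is derived from it, so if dictionary_size can change on a later header after the window was sized, the guard should compare against the window's real size. A blocklength exactly equal to the dictionary size is still accepted, which is fine for the wrap logic in copy_from_lzss_window provided the window is at least that large.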
+diff --git a/libarchive/test/CMakeLists.txt b/libarchive/test/CMakeLists.txt
+index 5d7a5d2..59c5f5d 100644
+--- a/libarchive/test/CMakeLists.txt
++++ b/libarchive/test/CMakeLists.txt
+@@ -163,6 +163,7 @@ IF(ENABLE_TEST)
+ test_read_format_rar_encryption_partially.c
+ test_read_format_rar_invalid1.c
+ test_read_format_rar_filter.c
++ test_read_format_rar_overflow.c
+ test_read_format_rar5.c
+ test_read_format_raw.c
+ test_read_format_tar.c
+diff --git a/libarchive/test/test_read_format_rar_overflow.c b/libarchive/test/test_read_format_rar_overflow.c
+new file mode 100644
+index 0000000..b39ed6b
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar_overflow.c
+@@ -0,0 +1,48 @@
++/*-
++ * Copyright (c) 2003-2025 Tim Kientzle
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++#include "test.h"
++
++DEFINE_TEST(test_read_format_rar_overflow)
++{
++ struct archive *a;
++ struct archive_entry *ae;
++ const char reffile[] = "test_read_format_rar_overflow.rar";
++ const void *buff;
++ size_t size;
++ int64_t offset;
++
++ extract_reference_file(reffile);
++ assert((a = archive_read_new()) != NULL);
++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
++ assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, reffile, 1024));
++ assertEqualIntA(a, ARCHIVE_OK, archive_read_next_header(a, &ae));
++ assertEqualInt(48, archive_entry_size(ae));
++ /* The next call should reproduce Issue #2565 */
++ assertEqualIntA(a, ARCHIVE_FATAL, archive_read_data_block(a, &buff, &size, &offset));
++
++ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
++ assertEqualInt(ARCHIVE_OK, archive_read_free(a));
++}
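Review bot: the test asserts only that archive_read_data_block() returns ARCHIVE_FATAL; adding a check that archive_error_string(a) is non-NULL (or equals the expected message) would also catch the case where the filter is rejected through the new `return 0` path without an error string being set. The entry-size assertion (48) ties the test to the crafted reference file, which is good.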
+diff --git a/libarchive/test/test_read_format_rar_overflow.rar.uu b/libarchive/test/test_read_format_rar_overflow.rar.uu
+new file mode 100644
+index 0000000..48fd3fd
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar_overflow.rar.uu
+@@ -0,0 +1,11 @@
++begin 644 test_read_format_rar_overflow.rar
++M4F%R(1H'`,($=```(0`@`0``,`````(````````````S`0``````,`"_B%_:
++MZ?^[:7``?S!!,`@P,KB@,T@RN33)MTEB@5Z3<`DP`K35`.0P63@P<,Q&0?#,
++MA##,,",S,(@P,#,@##`&,#":(3`!,#"(`9HPS,,S13`P,#`P,*`PHPS,,S1A
++M,!,!,#","9H@S12D#$PP!C`P`*'F03":,,T8H`@\,/DPJS!/,"30,#`3N%LP
++MCQ6:S3"!,#LP22<-,$5%B"5B$S!)(&*>G#+@!`E`%0ODC])62=DO,)BYJX'P
++M=/LPZ3!!008?%S`P,#`P,#`P,#`P,#`P,#`P,#`P2$PP,#`P03!(,#`P,#`&
++M,`7),#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P,#`P
++-,#`P,#`P,#`P,#`P,```
++`
++end
+--
+2.40.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index c26a14e32e..42c91e641e 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -32,6 +32,7 @@ EXTRA_OECONF += "--enable-largefile --without-iconv"
SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://configurehack.patch \
file://CVE-2025-5914.patch \
+ file://CVE-2025-5915.patch \
"
UPSTREAM_CHECK_URI = "http://libarchive.org/"
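Review bot: ordering in SRC_URI matters here: the index line for archive_read_support_format_rar.c in CVE-2025-5915.patch is `9eb3c84..88eab62`, i.e. it was generated on top of CVE-2025-5914.patch (`9d155c6..9eb3c84`). Keep 5914 listed before 5915 as done here; the patches would still apply by context in either order, but the blob hashes document the dependency.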
--
2.43.0
[OE-core][scarthgap 03/11] libarchive: fix CVE-2025-5916
From: Steve Sakoman @ 2025-07-04 15:10 UTC (permalink / raw)
To: openembedded-core
From: Divya Chellam <divya.chellam@windriver.com>
A vulnerability has been identified in the libarchive library. This flaw
involves an integer overflow that can be triggered when processing a Web
Archive (WARC) file that claims to have more than INT64_MAX - 4 content
bytes. An attacker could craft a malicious WARC archive to induce this
overflow, potentially leading to unpredictable program behavior, memory
corruption, or a denial-of-service condition within applications that
process such archives using libarchive.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5916
Upstream-patch:
https://github.com/libarchive/libarchive/commit/ef093729521fcf73fa4007d5ae77adfe4df42403
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libarchive/libarchive/CVE-2025-5916.patch | 116 ++++++++++++++++++
.../libarchive/libarchive_3.7.9.bb | 1 +
2 files changed, 117 insertions(+)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch
new file mode 100644
index 0000000000..a1dfc7b286
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch
@@ -0,0 +1,116 @@
+From ef093729521fcf73fa4007d5ae77adfe4df42403 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
+Date: Mon, 7 Apr 2025 00:24:13 +0200
+Subject: [PATCH] warc: Prevent signed integer overflow (#2568)
+
+If a warc archive claims to have more than INT64_MAX - 4 content bytes,
+the inevitable failure to skip all these bytes could lead to parsing
+data which should be ignored instead.
+
+The test case contains a conversation entry with that many bytes and if
+the entry is not properly skipped, the warc implementation would read
+the conversation data as a new file entry.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+
+CVE: CVE-2025-5916
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/ef093729521fcf73fa4007d5ae77adfe4df42403]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ Makefile.am | 1 +
+ libarchive/archive_read_support_format_warc.c | 7 ++++--
+ libarchive/test/test_read_format_warc.c | 24 +++++++++++++++++++
+ .../test_read_format_warc_incomplete.warc.uu | 10 ++++++++
+ 4 files changed, 40 insertions(+), 2 deletions(-)
+ create mode 100644 libarchive/test/test_read_format_warc_incomplete.warc.uu
+
+diff --git a/Makefile.am b/Makefile.am
+index 9f3a6d1..7627ec5 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -964,6 +964,7 @@ libarchive_test_EXTRA_DIST=\
+ libarchive/test/test_read_format_ustar_filename_eucjp.tar.Z.uu \
+ libarchive/test/test_read_format_ustar_filename_koi8r.tar.Z.uu \
+ libarchive/test/test_read_format_warc.warc.uu \
++ libarchive/test/test_read_format_warc_incomplete.warc.uu \
+ libarchive/test/test_read_format_xar_doublelink.xar.uu \
+ libarchive/test/test_read_format_xar_duplicate_filename_node.xar.uu \
+ libarchive/test/test_read_format_zip.zip.uu \
+diff --git a/libarchive/archive_read_support_format_warc.c b/libarchive/archive_read_support_format_warc.c
+index fcec5bc..696f959 100644
+--- a/libarchive/archive_read_support_format_warc.c
++++ b/libarchive/archive_read_support_format_warc.c
+@@ -386,7 +386,8 @@ start_over:
+ case LAST_WT:
+ default:
+ /* consume the content and start over */
+- _warc_skip(a);
++ if (_warc_skip(a) < 0)
++ return (ARCHIVE_FATAL);
+ goto start_over;
+ }
+ return (ARCHIVE_OK);
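Review bot: the new early return propagates the failure but sets no error string, so an application sees ARCHIVE_FATAL from archive_read_next_header() with archive_error_string() empty unless __archive_read_consume() already set one; an archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT, "Truncated WARC record") before the return would make the failure diagnosable. `< 0` is the correct test, since _warc_skip() returns either ARCHIVE_FATAL (negative) or ARCHIVE_OK.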
+@@ -439,7 +440,9 @@ _warc_skip(struct archive_read *a)
+ {
+ struct warc_s *w = a->format->data;
+
+- __archive_read_consume(a, w->cntlen + 4U/*\r\n\r\n separator*/);
++ if (__archive_read_consume(a, w->cntlen) < 0 ||
++ __archive_read_consume(a, 4U/*\r\n\r\n separator*/) < 0)
++ return (ARCHIVE_FATAL);
+ w->cntlen = 0U;
+ w->cntoff = 0U;
+ return (ARCHIVE_OK);
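Review bot: splitting the consume into cntlen and then 4 avoids forming `cntlen + 4`, which is the signed overflow the commit message names, and checking the return values closes the other half of the bug: previously the result was ignored entirely, so a record whose body is longer than the file was skipped only partially and its content was parsed as the next header. Behaviour change to be aware of: the separator consume is now checked too, so a WARC whose final record is missing its trailing \r\n\r\n (truncated but otherwise valid) now fails instead of ending at EOF; if that matters to existing users, a truncated-tail test case would document the intended result. w->cntlen is not reset on the failure path, which is harmless since the reader goes fatal.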
+diff --git a/libarchive/test/test_read_format_warc.c b/libarchive/test/test_read_format_warc.c
+index 91e6dc6..745aabf 100644
+--- a/libarchive/test/test_read_format_warc.c
++++ b/libarchive/test/test_read_format_warc.c
+@@ -78,3 +78,27 @@ DEFINE_TEST(test_read_format_warc)
+ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
+ assertEqualInt(ARCHIVE_OK, archive_read_free(a));
+ }
++
++DEFINE_TEST(test_read_format_warc_incomplete)
++{
++ const char reffile[] = "test_read_format_warc_incomplete.warc";
++ struct archive_entry *ae;
++ struct archive *a;
++
++ extract_reference_file(reffile);
++ assert((a = archive_read_new()) != NULL);
++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_filter_all(a));
++ assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
++ assertEqualIntA(a, ARCHIVE_OK,
++ archive_read_open_filename(a, reffile, 10240));
++
++ /* Entry cannot be parsed */
++ assertEqualIntA(a, ARCHIVE_FATAL, archive_read_next_header(a, &ae));
++
++ /* Verify archive format. */
++ assertEqualIntA(a, ARCHIVE_FILTER_NONE, archive_filter_code(a, 0));
++
++ /* Verify closing and resource freeing */
++ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
++ assertEqualInt(ARCHIVE_OK, archive_read_free(a));
++}
+diff --git a/libarchive/test/test_read_format_warc_incomplete.warc.uu b/libarchive/test/test_read_format_warc_incomplete.warc.uu
+new file mode 100644
+index 0000000..b91b97e
+--- /dev/null
++++ b/libarchive/test/test_read_format_warc_incomplete.warc.uu
+@@ -0,0 +1,10 @@
++begin 644 test_read_format_warc_incomplete.warc
++M5T%20R\Q+C`-"E=!4D,M5'EP93H@8V]N=F5R<VEO;@T*5T%20RU$871E.B`R
++M,#(U+3`S+3,P5#$U.C`P.C0P6@T*0V]N=&5N="U,96YG=&@Z(#DR,C,S-S(P
++M,S8X-30W-S4X,#<-"@T*5T%20R\Q+C`-"E=!4D,M5'EP93H@<F5S;W5R8V4-
++M"E=!4D,M5&%R9V5T+55223H@9FEL93HO+W)E861M92YT>'0-"E=!4D,M1&%T
++M93H@,C`R-2TP,RTS,%0Q-3HP,#HT,%H-"D-O;G1E;G0M5'EP93H@=&5X="]P
++M;&%I;@T*0V]N=&5N="U,96YG=&@Z(#,X#0H-"E1H92!R96%D;64N='AT('-H
++4;W5L9"!N;W0@8F4@=FES:6)L90H`
++`
++end
+--
+2.40.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index 42c91e641e..250a3c016f 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://configurehack.patch \
file://CVE-2025-5914.patch \
file://CVE-2025-5915.patch \
+ file://CVE-2025-5916.patch \
"
UPSTREAM_CHECK_URI = "http://libarchive.org/"
--
2.43.0
[OE-core][scarthgap 04/11] libarchive: fix CVE-2025-5917
From: Steve Sakoman @ 2025-07-04 15:10 UTC (permalink / raw)
To: openembedded-core
From: Divya Chellam <divya.chellam@windriver.com>
A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5917
Upstream-patch:
https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libarchive/libarchive/CVE-2025-5917.patch | 54 +++++++++++++++++++
.../libarchive/libarchive_3.7.9.bb | 1 +
2 files changed, 55 insertions(+)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch
new file mode 100644
index 0000000000..28f7b6023a
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch
@@ -0,0 +1,54 @@
+From 7c02cde37a63580cd1859183fbbd2cf04a89be85 Mon Sep 17 00:00:00 2001
+From: Brian Campbell <Brian.Campbell@ed.ac.uk>
+Date: Sat, 26 Apr 2025 05:11:19 +0100
+Subject: [PATCH] Fix overflow in build_ustar_entry (#2588)
+
+The calculations for the suffix and prefix can increment the endpoint
+for a trailing slash. Hence the limits used should be one lower than the
+maximum number of bytes.
+
+Without this patch, when this happens for both the prefix and the
+suffix, we end up with 156 + 100 bytes, and the write of the null at the
+end will overflow the 256 byte buffer. This can be reproduced by running
+```
+mkdir -p foo/bar
+bsdtar cvf test.tar foo////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////bar
+```
+when bsdtar is compiled with Address Sanitiser, although I originally
+noticed this by accident with a genuine filename on a CHERI capability
+system, which faults immediately on the buffer overflow.
+
+CVE: CVE-2025-5917
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/7c02cde37a63580cd1859183fbbd2cf04a89be85]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ libarchive/archive_write_set_format_pax.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libarchive/archive_write_set_format_pax.c b/libarchive/archive_write_set_format_pax.c
+index 6e35f70..b2ba959 100644
+--- a/libarchive/archive_write_set_format_pax.c
++++ b/libarchive/archive_write_set_format_pax.c
+@@ -1571,7 +1571,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length,
+ const char *filename, *filename_end;
+ char *p;
+ int need_slash = 0; /* Was there a trailing slash? */
+- size_t suffix_length = 99;
++ size_t suffix_length = 98; /* 99 - 1 for trailing slash */
+ size_t insert_length;
+
+ /* Length of additional dir element to be added. */
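Review bot: reserving the byte unconditionally (98 instead of 99) even when need_slash stays 0 means a name component of exactly 99 bytes that previously fit the ustar name field now falls back to a pax extended `path` record. For the pax writer that is harmless to correctness, but it changes the bytes produced for such names, which can surprise anyone diffing archive output or reading the ustar header alone. Subtracting 1 only once need_slash is known would keep the old behaviour; the unconditional form is simpler and safe, so either is acceptable, but the output change deserves a sentence in the commit message.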
+@@ -1623,7 +1623,7 @@ build_ustar_entry_name(char *dest, const char *src, size_t src_length,
+ /* Step 2: Locate the "prefix" section of the dirname, including
+ * trailing '/'. */
+ prefix = src;
+- prefix_end = prefix + 155;
++ prefix_end = prefix + 154 /* 155 - 1 for trailing / */;
+ if (prefix_end > filename)
+ prefix_end = filename;
+ while (prefix_end > prefix && *prefix_end != '/')
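Review bot: same consideration for the prefix, 154 instead of 155 reserves the slash byte whether or not one is appended. The commit message gives a command-line reproducer but the patch adds no regression test; a test_write_format_pax case with a prefix of exactly 155 bytes and a basename of exactly 99 bytes, each getting an appended slash, would exercise the 156 + 100 boundary the message describes and fail on the old code under ASan. Trivial: the two hunks comment the adjustment differently (`/* 99 - 1 for trailing slash */` after the statement vs `154 /* 155 - 1 for trailing / */` inside the expression); worth aligning.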
+--
+2.40.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index 250a3c016f..bb8609dd09 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://CVE-2025-5914.patch \
file://CVE-2025-5915.patch \
file://CVE-2025-5916.patch \
+ file://CVE-2025-5917.patch \
"
UPSTREAM_CHECK_URI = "http://libarchive.org/"
--
2.43.0
[OE-core][scarthgap 05/11] libarchive: fix CVE-2025-5918
From: Steve Sakoman @ 2025-07-04 15:10 UTC (permalink / raw)
To: openembedded-core
From: Divya Chellam <divya.chellam@windriver.com>
A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.
CVE-2025-5918-0001 is the dependent commit and CVE-2025-5918-0002 is the actual CVE fix.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5918
Upstream-patches:
https://github.com/libarchive/libarchive/commit/89b8c35ff4b5addc08a85bf5df02b407f8af1f6c
https://github.com/libarchive/libarchive/commit/dcbf1e0ededa95849f098d154a25876ed5754bcf
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libarchive/CVE-2025-5918-0001.patch | 326 ++++++++++++++++++
.../libarchive/CVE-2025-5918-0002.patch | 222 ++++++++++++
.../libarchive/libarchive_3.7.9.bb | 2 +
3 files changed, 550 insertions(+)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0001.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0002.patch
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0001.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0001.patch
new file mode 100644
index 0000000000..b5586a46de
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0001.patch
@@ -0,0 +1,326 @@
+From 89b8c35ff4b5addc08a85bf5df02b407f8af1f6c Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
+Date: Sun, 6 Apr 2025 22:34:37 +0200
+Subject: [PATCH] Improve lseek handling (#2564)
+
+The skip functions are limited to 1 GB for cases in which libarchive
+runs on a system with an off_t or long with 32 bits. This has negative
+impact on 64 bit systems.
+
+Instead, make sure that _all_ subsequent functions truncate properly.
+Some of them already did and some had regressions for over 10 years.
+
+Tests pass on Debian 12 i686 configured with --disable-largefile, i.e.
+running with an off_t with 32 bits.
+
+Casts added where needed to still pass MSVC builds.
+
+---------
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+
+CVE: CVE-2025-5918
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/89b8c35ff4b5addc08a85bf5df02b407f8af1f6c]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ libarchive/archive_read.c | 6 ----
+ libarchive/archive_read_disk_posix.c | 3 +-
+ libarchive/archive_read_open_fd.c | 29 +++++++++++++------
+ libarchive/archive_read_open_file.c | 35 ++++++++++++-----------
+ libarchive/archive_read_open_filename.c | 37 ++++++++++++++++++-------
+ libarchive/test/read_open_memory.c | 2 +-
+ libarchive/test/test_sparse_basic.c | 6 ++--
+ libarchive/test/test_tar_large.c | 2 +-
+ 8 files changed, 75 insertions(+), 45 deletions(-)
+
+diff --git a/libarchive/archive_read.c b/libarchive/archive_read.c
+index 822c534..50db870 100644
+--- a/libarchive/archive_read.c
++++ b/libarchive/archive_read.c
+@@ -176,15 +176,9 @@ client_skip_proxy(struct archive_read_filter *self, int64_t request)
+ return 0;
+
+ if (self->archive->client.skipper != NULL) {
+- /* Seek requests over 1GiB are broken down into
+- * multiple seeks. This avoids overflows when the
+- * requests get passed through 32-bit arguments. */
+- int64_t skip_limit = (int64_t)1 << 30;
+ int64_t total = 0;
+ for (;;) {
+ int64_t get, ask = request;
+- if (ask > skip_limit)
+- ask = skip_limit;
+ get = (self->archive->client.skipper)
+ (&self->archive->archive, self->data, ask);
+ total += get;
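Review bot: dropping the 1 GiB cap changes what third-party skip callbacks see: anything registered through archive_read_set_skip_callback() outside libarchive that assumed requests never exceed 2^30 (for instance by narrowing to int or a 32-bit off_t) now receives the full int64_t request. The three in-tree skippers are fixed in the same commit, but for a stable branch this is an API-visible change arriving as part of a CVE update, so it should be called out in the backport's commit message. The `for (;;)` / `total += get` loop is kept, so a callback that honours only part of a request still works.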
+diff --git a/libarchive/archive_read_disk_posix.c b/libarchive/archive_read_disk_posix.c
+index 09965eb..4839d62 100644
+--- a/libarchive/archive_read_disk_posix.c
++++ b/libarchive/archive_read_disk_posix.c
+@@ -778,7 +778,8 @@ _archive_read_data_block(struct archive *_a, const void **buff,
+ */
+ if (t->current_sparse->offset > t->entry_total) {
+ if (lseek(t->entry_fd,
+- (off_t)t->current_sparse->offset, SEEK_SET) < 0) {
++ (off_t)t->current_sparse->offset, SEEK_SET) !=
++ t->current_sparse->offset) {
+ archive_set_error(&a->archive, errno, "Seek error");
+ r = ARCHIVE_FATAL;
+ a->archive.state = ARCHIVE_STATE_FATAL;
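Review bot: comparing the lseek() result against the untruncated int64 offset catches silent truncation through the `(off_t)` cast on 32-bit off_t builds, which the old `< 0` test could not, since the seek then succeeds at the wrong position. In that mismatch case errno is not set (lseek returned successfully), so `archive_set_error(&a->archive, errno, "Seek error")` reports errno 0; use ARCHIVE_ERRNO_MISC when the returned position differs from the requested one and keep errno for the genuine negative-return failure.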
+diff --git a/libarchive/archive_read_open_fd.c b/libarchive/archive_read_open_fd.c
+index debfde2..3fd536d 100644
+--- a/libarchive/archive_read_open_fd.c
++++ b/libarchive/archive_read_open_fd.c
+@@ -131,7 +131,7 @@ static int64_t
+ file_skip(struct archive *a, void *client_data, int64_t request)
+ {
+ struct read_fd_data *mine = (struct read_fd_data *)client_data;
+- int64_t skip = request;
++ off_t skip = (off_t)request;
+ int64_t old_offset, new_offset;
+ int skip_bits = sizeof(skip) * 8 - 1; /* off_t is a signed type. */
+
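Review bot: `off_t skip = (off_t)request;` performs the conversion before the range check in the following hunk runs; when off_t is narrower than int64_t and `request` exceeds OFF_MAX, that out-of-range conversion is implementation-defined in C before the clamp overwrites it. It is harmless in practice, but initializing `skip` from the already clamped value would avoid relying on it.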
+@@ -140,15 +140,15 @@ file_skip(struct archive *a, void *client_data, int64_t request)
+
+ /* Reduce a request that would overflow the 'skip' variable. */
+ if (sizeof(request) > sizeof(skip)) {
+- int64_t max_skip =
++ const int64_t max_skip =
+ (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1;
+ if (request > max_skip)
+- skip = max_skip;
++ skip = (off_t)max_skip;
+ }
+
+- /* Reduce request to the next smallest multiple of block_size */
+- request = (request / mine->block_size) * mine->block_size;
+- if (request == 0)
++ /* Reduce 'skip' to the next smallest multiple of block_size */
++ skip = (off_t)(((int64_t)skip / mine->block_size) * mine->block_size);
++ if (skip == 0)
+ return (0);
+
+ if (((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) &&
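Review bot: the rounding line `skip = (off_t)(((int64_t)skip / mine->block_size) * mine->block_size);` mixes int64_t with the size_t `block_size`; on LP64 the division is performed in unsigned 64-bit arithmetic, which is only correct because `skip` is non-negative at this point. A comment stating that invariant (or casting `block_size` to int64_t) makes the intent explicit, and if `block_size == 0` is not rejected at open time this division still needs a guard.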
+@@ -178,11 +178,24 @@ static int64_t
+ file_seek(struct archive *a, void *client_data, int64_t request, int whence)
+ {
+ struct read_fd_data *mine = (struct read_fd_data *)client_data;
++ off_t seek = (off_t)request;
+ int64_t r;
++ int seek_bits = sizeof(seek) * 8 - 1; /* off_t is a signed type. */
+
+ /* We use off_t here because lseek() is declared that way. */
+- /* See above for notes about when off_t is less than 64 bits. */
+- r = lseek(mine->fd, request, whence);
++
++ /* Reduce a request that would overflow the 'seek' variable. */
++ if (sizeof(request) > sizeof(seek)) {
++ const int64_t max_seek =
++ (((int64_t)1 << (seek_bits - 1)) - 1) * 2 + 1;
++ const int64_t min_seek = ~max_seek;
++ if (request > max_seek)
++ seek = (off_t)max_seek;
++ else if (request < min_seek)
++ seek = (off_t)min_seek;
++ }
++
++ r = lseek(mine->fd, seek, whence);
+ if (r >= 0)
+ return r;
+
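Review bot: clamping `request` into [min_seek, max_seek] silently changes what file_seek does: with SEEK_SET and a request beyond OFF_MAX on a 32-bit off_t, lseek() succeeds at the clamped position and the function returns that position, so a format reader gets a successful result for a seek it never asked for. Shortening is acceptable for skips because client_skip_proxy loops on partial results, but a seek has no equivalent retry; prefer returning an error (archive_set_error with ERANGE or EOVERFLOW) when `request` does not fit. The `min_seek = ~max_seek` identity (-max_seek - 1) is correct for two's-complement off_t.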
+diff --git a/libarchive/archive_read_open_file.c b/libarchive/archive_read_open_file.c
+index ecd56dc..2829b9a 100644
+--- a/libarchive/archive_read_open_file.c
++++ b/libarchive/archive_read_open_file.c
+@@ -145,7 +145,7 @@ FILE_skip(struct archive *a, void *client_data, int64_t request)
+
+ /* If request is too big for a long or an off_t, reduce it. */
+ if (sizeof(request) > sizeof(skip)) {
+- int64_t max_skip =
++ const int64_t max_skip =
+ (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1;
+ if (request > max_skip)
+ skip = max_skip;
+@@ -176,39 +176,42 @@ FILE_seek(struct archive *a, void *client_data, int64_t request, int whence)
+ {
+ struct read_FILE_data *mine = (struct read_FILE_data *)client_data;
+ #if HAVE__FSEEKI64
+- int64_t skip = request;
++ int64_t seek = request;
+ #elif HAVE_FSEEKO
+- off_t skip = (off_t)request;
++ off_t seek = (off_t)request;
+ #else
+- long skip = (long)request;
++ long seek = (long)request;
+ #endif
+- int skip_bits = sizeof(skip) * 8 - 1;
++ int seek_bits = sizeof(seek) * 8 - 1;
+ (void)a; /* UNUSED */
+
+- /* If request is too big for a long or an off_t, reduce it. */
+- if (sizeof(request) > sizeof(skip)) {
+- int64_t max_skip =
+- (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1;
+- if (request > max_skip)
+- skip = max_skip;
++ /* Reduce a request that would overflow the 'seek' variable. */
++ if (sizeof(request) > sizeof(seek)) {
++ const int64_t max_seek =
++ (((int64_t)1 << (seek_bits - 1)) - 1) * 2 + 1;
++ const int64_t min_seek = ~max_seek;
++ if (request > max_seek)
++ seek = max_seek;
++ else if (request < min_seek)
++ seek = min_seek;
+ }
+
+ #ifdef __ANDROID__
+ /* Newer Android versions have fseeko...to meditate. */
+- int64_t ret = lseek(fileno(mine->f), skip, whence);
++ int64_t ret = lseek(fileno(mine->f), seek, whence);
+ if (ret >= 0) {
+ return ret;
+ }
+ #elif HAVE__FSEEKI64
+- if (_fseeki64(mine->f, skip, whence) == 0) {
++ if (_fseeki64(mine->f, seek, whence) == 0) {
+ return _ftelli64(mine->f);
+ }
+ #elif HAVE_FSEEKO
+- if (fseeko(mine->f, skip, whence) == 0) {
++ if (fseeko(mine->f, seek, whence) == 0) {
+ return ftello(mine->f);
+ }
+ #else
+- if (fseek(mine->f, skip, whence) == 0) {
++ if (fseek(mine->f, seek, whence) == 0) {
+ return ftell(mine->f);
+ }
+ #endif
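Review bot: same concern as file_seek in archive_read_open_fd.c: an out-of-range absolute seek is clamped to the representable range and performed rather than rejected, so the stdio seek can succeed at a position the caller did not request. Separately, the `#ifdef __ANDROID__` branch seeks the descriptor with lseek(fileno(mine->f), ...) while the other branches go through stdio; that is pre-existing, but with buffered reads the descriptor position and the stdio position can differ, which deserves a comment now that this function is being touched.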
+@@ -226,4 +229,4 @@ FILE_close(struct archive *a, void *client_data)
+ free(mine->buffer);
+ free(mine);
+ return (ARCHIVE_OK);
+-}
+\ No newline at end of file
++}
+diff --git a/libarchive/archive_read_open_filename.c b/libarchive/archive_read_open_filename.c
+index 05f0ffb..3894b15 100644
+--- a/libarchive/archive_read_open_filename.c
++++ b/libarchive/archive_read_open_filename.c
+@@ -479,20 +479,24 @@ file_skip_lseek(struct archive *a, void *client_data, int64_t request)
+ struct read_file_data *mine = (struct read_file_data *)client_data;
+ #if defined(_WIN32) && !defined(__CYGWIN__)
+ /* We use _lseeki64() on Windows. */
+- int64_t old_offset, new_offset;
++ int64_t old_offset, new_offset, skip = request;
+ #else
+- off_t old_offset, new_offset;
++ off_t old_offset, new_offset, skip = (off_t)request;
+ #endif
++ int skip_bits = sizeof(skip) * 8 - 1;
+
+ /* We use off_t here because lseek() is declared that way. */
+
+- /* TODO: Deal with case where off_t isn't 64 bits.
+- * This shouldn't be a problem on Linux or other POSIX
+- * systems, since the configuration logic for libarchive
+- * tries to obtain a 64-bit off_t.
+- */
++ /* Reduce a request that would overflow the 'skip' variable. */
++ if (sizeof(request) > sizeof(skip)) {
++ const int64_t max_skip =
++ (((int64_t)1 << (skip_bits - 1)) - 1) * 2 + 1;
++ if (request > max_skip)
++ skip = max_skip;
++ }
++
+ if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0 &&
+- (new_offset = lseek(mine->fd, request, SEEK_CUR)) >= 0)
++ (new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0)
+ return (new_offset - old_offset);
+
+ /* If lseek() fails, don't bother trying again. */
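Review bot: only an upper clamp is applied in file_skip_lseek, so a negative `request` would reach lseek() unchanged, and the `sizeof(request) > sizeof(skip)` block is dead code on Windows where `skip` is int64_t. If negative requests are rejected earlier in the function, a one-line comment would make that clear; otherwise add `if (request < 0) return (0);` before the clamp. Note also that after clamping the function returns fewer bytes than requested, which is correct only because client_skip_proxy loops on partial skips.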
+@@ -540,11 +544,24 @@ static int64_t
+ file_seek(struct archive *a, void *client_data, int64_t request, int whence)
+ {
+ struct read_file_data *mine = (struct read_file_data *)client_data;
++ off_t seek = (off_t)request;
+ int64_t r;
++ int seek_bits = sizeof(seek) * 8 - 1;
+
+ /* We use off_t here because lseek() is declared that way. */
+- /* See above for notes about when off_t is less than 64 bits. */
+- r = lseek(mine->fd, request, whence);
++
++ /* Reduce a request that would overflow the 'seek' variable. */
++ if (sizeof(request) > sizeof(seek)) {
++ const int64_t max_seek =
++ (((int64_t)1 << (seek_bits - 1)) - 1) * 2 + 1;
++ const int64_t min_seek = ~max_seek;
++ if (request > max_seek)
++ seek = (off_t)max_seek;
++ else if (request < min_seek)
++ seek = (off_t)min_seek;
++ }
++
++ r = lseek(mine->fd, seek, whence);
+ if (r >= 0)
+ return r;
+
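Review bot: as in the archive_read_open_fd.c variant, an absolute seek beyond OFF_MAX/OFF_MIN is clamped and then performed, so lseek() can succeed at a position the caller did not request. The returned offset could in principle be compared against `request` for SEEK_SET, but nothing here does; returning an error (archive_set_error with ERANGE or EOVERFLOW) when `request` does not fit in off_t would let format readers detect the condition instead of reading from the wrong place.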
+diff --git a/libarchive/test/read_open_memory.c b/libarchive/test/read_open_memory.c
+index 6d2468c..9262ab9 100644
+--- a/libarchive/test/read_open_memory.c
++++ b/libarchive/test/read_open_memory.c
+@@ -167,7 +167,7 @@ memory_read_skip(struct archive *a, void *client_data, int64_t skip)
+
+ (void)a; /* UNUSED */
+ /* We can't skip by more than is available. */
+- if ((off_t)skip > (off_t)(mine->end - mine->p))
++ if (skip > mine->end - mine->p)
+ skip = mine->end - mine->p;
+ /* Always do small skips by prime amounts. */
+ if (skip > 71)
+diff --git a/libarchive/test/test_sparse_basic.c b/libarchive/test/test_sparse_basic.c
+index 23cde56..93710cb 100644
+--- a/libarchive/test/test_sparse_basic.c
++++ b/libarchive/test/test_sparse_basic.c
+@@ -608,7 +608,8 @@ DEFINE_TEST(test_sparse_basic)
+ verify_sparse_file(a, "file2", sparse_file2, 20);
+ /* Encoded non sparse; expect a data block but no sparse entries. */
+ verify_sparse_file(a, "file3", sparse_file3, 0);
+- verify_sparse_file(a, "file4", sparse_file4, 2);
++ if (sizeof(off_t) > 4)
++ verify_sparse_file(a, "file4", sparse_file4, 2);
+
+ assertEqualInt(ARCHIVE_OK, archive_read_free(a));
+
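Review bot: guarding `verify_sparse_file(a, "file4", sparse_file4, 2)` with `if (sizeof(off_t) > 4)` silently drops coverage on 32-bit off_t builds; the libarchive test harness provides `skipping()` for exactly this, so reporting the skip keeps the test output honest. The same applies to the second test_sparse_basic hunk below.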
+@@ -635,7 +636,8 @@ DEFINE_TEST(test_sparse_basic)
+ verify_sparse_file(a, "file1", sparse_file1, 0);
+ verify_sparse_file(a, "file2", sparse_file2, 0);
+ verify_sparse_file(a, "file3", sparse_file3, 0);
+- verify_sparse_file(a, "file4", sparse_file4, 0);
++ if (sizeof(off_t) > 4)
++ verify_sparse_file(a, "file4", sparse_file4, 0);
+
+ assertEqualInt(ARCHIVE_OK, archive_read_free(a));
+
+diff --git a/libarchive/test/test_tar_large.c b/libarchive/test/test_tar_large.c
+index c1f3791..1cde321 100644
+--- a/libarchive/test/test_tar_large.c
++++ b/libarchive/test/test_tar_large.c
+@@ -175,7 +175,7 @@ memory_read_skip(struct archive *a, void *_private, int64_t skip)
+ }
+ if (private->filebytes > 0) {
+ if (private->filebytes < skip)
+- skip = (off_t)private->filebytes;
++ skip = private->filebytes;
+ private->filebytes -= skip;
+ } else {
+ skip = 0;
+--
+2.40.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0002.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0002.patch
new file mode 100644
index 0000000000..a5fb33c8f1
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0002.patch
@@ -0,0 +1,222 @@
+From dcbf1e0ededa95849f098d154a25876ed5754bcf Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
+Date: Tue, 15 Apr 2025 06:02:17 +0200
+Subject: [PATCH] Do not skip past EOF while reading (#2584)
+
+Make sure to not skip past end of file for better error messages. One
+such example is now visible with rar testsuite. You can see the
+difference already by an actually not useless use of cat:
+
+```
+$ cat .../test_read_format_rar_ppmd_use_after_free.rar | bsdtar -t
+bsdtar: Archive entry has empty or unreadable filename ... skipping.
+bsdtar: Archive entry has empty or unreadable filename ... skipping.
+bsdtar: Truncated input file (needed 119 bytes, only 0 available)
+bsdtar: Error exit delayed from previous errors.
+```
+
+compared to
+
+```
+$ bsdtar -tf .../test_read_format_rar_ppmd_use_after_free.rar
+bsdtar: Archive entry has empty or unreadable filename ... skipping.
+bsdtar: Archive entry has empty or unreadable filename ... skipping.
+bsdtar: Error exit delayed from previous errors.
+```
+
+Since the former cannot lseek, the error is a different one
+(ARCHIVE_FATAL vs ARCHIVE_EOF). The piped version states explicitly that
+truncation occurred, while the latter states EOF because the skip past
+the end of file was successful.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+
+CVE: CVE-2025-5918
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/dcbf1e0ededa95849f098d154a25876ed5754bcf]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ libarchive/archive_read_open_fd.c | 13 +++++++---
+ libarchive/archive_read_open_file.c | 33 +++++++++++++++++++------
+ libarchive/archive_read_open_filename.c | 16 +++++++++---
+ libarchive/test/test_read_format_rar.c | 6 ++---
+ 4 files changed, 50 insertions(+), 18 deletions(-)
+
+diff --git a/libarchive/archive_read_open_fd.c b/libarchive/archive_read_open_fd.c
+index 3fd536d..dc7c9e5 100644
+--- a/libarchive/archive_read_open_fd.c
++++ b/libarchive/archive_read_open_fd.c
+@@ -52,6 +52,7 @@
+ struct read_fd_data {
+ int fd;
+ size_t block_size;
++ int64_t size;
+ char use_lseek;
+ void *buffer;
+ };
+@@ -95,6 +96,7 @@ archive_read_open_fd(struct archive *a, int fd, size_t block_size)
+ if (S_ISREG(st.st_mode)) {
+ archive_read_extract_set_skip_file(a, st.st_dev, st.st_ino);
+ mine->use_lseek = 1;
++ mine->size = st.st_size;
+ }
+ #if defined(__CYGWIN__) || defined(_WIN32)
+ setmode(mine->fd, O_BINARY);
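Review bot: `mine->size = st.st_size` captures the size once at open time and only for regular files. That is fine because `use_lseek` gates the seek path, but if the file grows or is truncated while it is being read the cached value is stale; the failure mode is then that a skip is refused and the reader falls back to read-based skipping, which is safe but slower. A short comment on the `int64_t size;` field saying it is the size at open time would help the next reader.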
+@@ -151,9 +153,14 @@ file_skip(struct archive *a, void *client_data, int64_t request)
+ if (skip == 0)
+ return (0);
+
+- if (((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) &&
+- ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0))
+- return (new_offset - old_offset);
++ if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) {
++ if (old_offset >= mine->size ||
++ skip > mine->size - old_offset) {
++ /* Do not seek past end of file. */
++ errno = ESPIPE;
++ } else if ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0)
++ return (new_offset - old_offset);
++ }
+
+ /* If seek failed once, it will probably fail again. */
+ mine->use_lseek = 0;
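Review bot: when the requested skip would cross `mine->size`, the new branch sets `errno = ESPIPE` and falls through to `mine->use_lseek = 0`, permanently disabling lseek() for this handle even though the descriptor still seeks fine; every later skip, including ones that stay inside the file, then goes through read(). The comment "If seek failed once, it will probably fail again." no longer describes this case. Consider returning 0 directly for the over-EOF case and reserving the fallback for a real lseek() failure, and check whether anything consumes the `errno = ESPIPE` value, since the function returns 0 rather than an error.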
+diff --git a/libarchive/archive_read_open_file.c b/libarchive/archive_read_open_file.c
+index 2829b9a..6ed18a0 100644
+--- a/libarchive/archive_read_open_file.c
++++ b/libarchive/archive_read_open_file.c
+@@ -52,6 +52,7 @@
+ struct read_FILE_data {
+ FILE *f;
+ size_t block_size;
++ int64_t size;
+ void *buffer;
+ char can_skip;
+ };
+@@ -91,6 +92,7 @@ archive_read_open_FILE(struct archive *a, FILE *f)
+ archive_read_extract_set_skip_file(a, st.st_dev, st.st_ino);
+ /* Enable the seek optimization only for regular files. */
+ mine->can_skip = 1;
++ mine->size = st.st_size;
+ }
+
+ #if defined(__CYGWIN__) || defined(_WIN32)
+@@ -130,6 +132,7 @@ FILE_skip(struct archive *a, void *client_data, int64_t request)
+ #else
+ long skip = (long)request;
+ #endif
++ int64_t old_offset, new_offset;
+ int skip_bits = sizeof(skip) * 8 - 1;
+
+ (void)a; /* UNUSED */
+@@ -153,19 +156,33 @@ FILE_skip(struct archive *a, void *client_data, int64_t request)
+
+ #ifdef __ANDROID__
+ /* fileno() isn't safe on all platforms ... see above. */
+- if (lseek(fileno(mine->f), skip, SEEK_CUR) < 0)
++ old_offset = lseek(fileno(mine->f), 0, SEEK_CUR);
+ #elif HAVE__FSEEKI64
+- if (_fseeki64(mine->f, skip, SEEK_CUR) != 0)
++ old_offset = _ftelli64(mine->f);
+ #elif HAVE_FSEEKO
+- if (fseeko(mine->f, skip, SEEK_CUR) != 0)
++ old_offset = ftello(mine->f);
+ #else
+- if (fseek(mine->f, skip, SEEK_CUR) != 0)
++ old_offset = ftell(mine->f);
+ #endif
+- {
+- mine->can_skip = 0;
+- return (0);
++ if (old_offset >= 0) {
++ if (old_offset < mine->size &&
++ skip <= mine->size - old_offset) {
++#ifdef __ANDROID__
++ new_offset = lseek(fileno(mine->f), skip, SEEK_CUR);
++#elif HAVE__FSEEKI64
++ new_offset = _fseeki64(mine->f, skip, SEEK_CUR);
++#elif HAVE_FSEEKO
++ new_offset = fseeko(mine->f, skip, SEEK_CUR);
++#else
++ new_offset = fseek(mine->f, skip, SEEK_CUR);
++#endif
++ if (new_offset >= 0)
++ return (new_offset - old_offset);
++ }
+ }
+- return (request);
++
++ mine->can_skip = 0;
++ return (0);
+ }
+
+ /*
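Review bot: on the stdio branches of this FILE_skip hunk, `new_offset = _fseeki64(...)`, `new_offset = fseeko(...)` and `new_offset = fseek(...)` store the seek's return status, which is 0 on success, not the new position; only the `__ANDROID__` lseek() branch yields an offset. The following `return (new_offset - old_offset);` therefore returns `-old_offset` for every successful stdio skip (0 only when the stream was at position 0), which the caller cannot interpret as a skip of `skip` bytes. Suggest testing the status against 0 and then returning `skip`, or re-reading the position with `_ftelli64`/`ftello`/`ftell` and returning the difference, mirroring the `old_offset = ...` block above.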
+diff --git a/libarchive/archive_read_open_filename.c b/libarchive/archive_read_open_filename.c
+index 3894b15..5f5b3f1 100644
+--- a/libarchive/archive_read_open_filename.c
++++ b/libarchive/archive_read_open_filename.c
+@@ -74,6 +74,7 @@ struct read_file_data {
+ size_t block_size;
+ void *buffer;
+ mode_t st_mode; /* Mode bits for opened file. */
++ int64_t size;
+ char use_lseek;
+ enum fnt_e { FNT_STDIN, FNT_MBS, FNT_WCS } filename_type;
+ union {
+@@ -400,8 +401,10 @@ file_open(struct archive *a, void *client_data)
+ mine->st_mode = st.st_mode;
+
+ /* Disk-like inputs can use lseek(). */
+- if (is_disk_like)
++ if (is_disk_like) {
+ mine->use_lseek = 1;
++ mine->size = st.st_size;
++ }
+
+ return (ARCHIVE_OK);
+ fail:
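Review bot: `mine->size = st.st_size` is recorded whenever `is_disk_like` is set. If the disk-like classification in file_open also covers block or character devices on some platforms (the hunk does not show how the flag is derived), `st_size` is 0 for those, and the EOF check added to file_skip_lseek will refuse every skip and disable lseek() on the first one, silently regressing to read-based skipping for device inputs. Worth verifying; either take the device size from the same mechanism that classified it, or set `size` only for S_ISREG inputs.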
+@@ -495,9 +498,14 @@ file_skip_lseek(struct archive *a, void *client_data, int64_t request)
+ skip = max_skip;
+ }
+
+- if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0 &&
+- (new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0)
+- return (new_offset - old_offset);
++ if ((old_offset = lseek(mine->fd, 0, SEEK_CUR)) >= 0) {
++ if (old_offset >= mine->size ||
++ skip > mine->size - old_offset) {
++ /* Do not seek past end of file. */
++ errno = ESPIPE;
++ } else if ((new_offset = lseek(mine->fd, skip, SEEK_CUR)) >= 0)
++ return (new_offset - old_offset);
++ }
+
+ /* If lseek() fails, don't bother trying again. */
+ mine->use_lseek = 0;
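Review bot: same structure as the archive_read_open_fd.c hunk: an over-EOF skip sets `errno = ESPIPE` and then falls into `mine->use_lseek = 0`, so a single skip past the end disables lseek() for the rest of the archive although the descriptor still seeks fine, and the "If lseek() fails, don't bother trying again." comment no longer matches. Returning 0 without clearing `use_lseek` for the size-bounded case would keep the optimisation for later entries.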
+diff --git a/libarchive/test/test_read_format_rar.c b/libarchive/test/test_read_format_rar.c
+index dce567a..fce44a9 100644
+--- a/libarchive/test/test_read_format_rar.c
++++ b/libarchive/test/test_read_format_rar.c
+@@ -3829,8 +3829,8 @@ DEFINE_TEST(test_read_format_rar_ppmd_use_after_free)
+ assertA(ARCHIVE_OK == archive_read_next_header(a, &ae));
+ assertA(archive_read_data(a, buf, sizeof(buf)) <= 0);
+
+- /* Test EOF */
+- assertA(1 == archive_read_next_header(a, &ae));
++ /* Test for truncation */
++ assertA(ARCHIVE_FATAL == archive_read_next_header(a, &ae));
+
+ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
+ assertEqualInt(ARCHIVE_OK, archive_read_free(a));
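Review bot: the expected result changes from 1 (ARCHIVE_EOF) to ARCHIVE_FATAL because the fixture is now read through a seekable file whose size is known, so, as the commit message explains, the skip past EOF is refused and truncation is reported. `assertA(ARCHIVE_FATAL == ...)` only records pass/fail; `assertEqualIntA(a, ARCHIVE_FATAL, archive_read_next_header(a, &ae))`, as used for archive_read_close() two lines below, would print the actual code and the archive error string when it fails.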
+@@ -3856,7 +3856,7 @@ DEFINE_TEST(test_read_format_rar_ppmd_use_after_free2)
+ assertA(archive_read_data(a, buf, sizeof(buf)) <= 0);
+
+ /* Test EOF */
+- assertA(1 == archive_read_next_header(a, &ae));
++ assertA(ARCHIVE_FATAL == archive_read_next_header(a, &ae));
+
+ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
+ assertEqualInt(ARCHIVE_OK, archive_read_free(a));
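Review bot: the `/* Test EOF */` comment is kept while the assertion now expects ARCHIVE_FATAL; the first hunk in this file changed the equivalent comment to `/* Test for truncation */`, so do the same here. As above, `assertEqualIntA(a, ARCHIVE_FATAL, ...)` would give a more useful failure message than `assertA`.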
+--
+2.40.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
index bb8609dd09..f08673ea3b 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb
@@ -35,6 +35,8 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://CVE-2025-5915.patch \
file://CVE-2025-5916.patch \
file://CVE-2025-5917.patch \
+ file://CVE-2025-5918-0001.patch \
+ file://CVE-2025-5918-0002.patch \
"
UPSTREAM_CHECK_URI = "http://libarchive.org/"
--
2.43.0
* [OE-core][scarthgap 06/11] xwayland: fix CVE-2025-49175
From: Steve Sakoman @ 2025-07-04 15:10 UTC
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
A flaw was found in the X Rendering extension's handling of animated cursors.
If a client provides no cursors, the server assumes at least one is present,
leading to an out-of-bounds read and potential crash.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xwayland/xwayland/CVE-2025-49175.patch | 92 +++++++++++++++++++
.../xwayland/xwayland_23.2.5.bb | 1 +
2 files changed, 93 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
new file mode 100644
index 0000000000..bfb37fcea0
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
@@ -0,0 +1,92 @@
+From 0885e0b26225c90534642fe911632ec0779eebee Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 28 Mar 2025 09:43:52 +0100
+Subject: [PATCH] render: Avoid 0 or less animated cursors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Animated cursors use a series of cursors that the client can set.
+
+By default, the Xserver assumes at least one cursor is specified
+while a client may actually pass no cursor at all.
+
+That causes an out-of-bound read creating the animated cursor and a
+crash of the Xserver:
+
+ | Invalid read of size 8
+ | at 0x5323F4: AnimCursorCreate (animcur.c:325)
+ | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ | Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
+ | at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
+ | by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ |
+ | Invalid read of size 2
+ | at 0x5323F7: AnimCursorCreate (animcur.c:325)
+ | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ | Address 0x8 is not stack'd, malloc'd or (recently) free'd
+
+To avoid the issue, check the number of cursors specified and return a
+BadValue error in both the proc handler (early) and the animated cursor
+creation (as this is a public function) if there is 0 or less cursor.
+
+CVE-2025-49175
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: José Expósito <jexposit@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+CVE: CVE-2025-49175
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b26225c90534642fe911632ec0779eebee]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ render/animcur.c | 3 +++
+ render/render.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/render/animcur.c b/render/animcur.c
+index ef27bda..77942d8 100644
+--- a/render/animcur.c
++++ b/render/animcur.c
+@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
+ int rc = BadAlloc, i;
+ AnimCurPtr ac;
+
++ if (ncursor <= 0)
++ return BadValue;
++
+ for (i = 0; i < screenInfo.numScreens; i++)
+ if (!GetAnimCurScreen(screenInfo.screens[i]))
+ return BadImplementation;
+diff --git a/render/render.c b/render/render.c
+index 5bc2a20..a8c2da0 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
+ ncursor =
+ (client->req_len -
+ (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
++ if (ncursor <= 0)
++ return BadValue;
+ cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
+ if (!cursors)
+ return BadAlloc;
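Review bot: `ncursor` is derived from `client->req_len` before the new `if (ncursor <= 0)` check runs, so the guard rejects a zero or negative count only; whether a request shorter than the fixed header can reach this subtraction depends on a length check earlier in ProcRenderCreateAnimCursor that is outside the hunk, and if `req_len` is unsigned an underflow yields a large positive value that `<= 0` does not catch. Please confirm REQUEST_AT_LEAST_SIZE (or equivalent) precedes this code. The duplicate check in AnimCursorCreate is a sensible defence for other callers of that public function.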
+--
+2.40.0
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index 0265366393..b9b4aa1a6a 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-26601-2.patch \
file://CVE-2025-26601-3.patch \
file://CVE-2025-26601-4.patch \
+ file://CVE-2025-49175.patch \
"
SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
--
2.43.0
* [OE-core][scarthgap 07/11] xwayland: fix CVE-2025-49176
From: Steve Sakoman @ 2025-07-04 15:10 UTC
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
A flaw was found in the Big Requests extension. The request length is multiplied
by 4 before checking against the maximum allowed size, potentially causing an
integer overflow and bypassing the size check.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xwayland/CVE-2025-49176-0001.patch | 93 +++++++++++++++++++
.../xwayland/CVE-2025-49176-0002.patch | 38 ++++++++
.../xwayland/xwayland_23.2.5.bb | 2 +
3 files changed, 133 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
new file mode 100644
index 0000000000..fd3b1d936b
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
@@ -0,0 +1,93 @@
+From 03731b326a80b582e48d939fe62cb1e2b10400d9 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 7 Apr 2025 16:13:34 +0200
+Subject: [PATCH] os: Do not overflow the integer size with BigRequest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The BigRequest extension allows requests larger than the 16-bit length
+limit.
+
+It uses integers for the request length and checks for the size not to
+exceed the maxBigRequestSize limit, but does so after translating the
+length to integer by multiplying the given size in bytes by 4.
+
+In doing so, it might overflow the integer size limit before actually
+checking for the overflow, defeating the purpose of the test.
+
+To avoid the issue, make sure to check that the request size does not
+overflow the maxBigRequestSize limit prior to any conversion.
+
+The caller Dispatch() function however expects the return value to be in
+bytes, so we cannot just return the converted value in case of error, as
+that would also overflow the integer size.
+
+To preserve the existing API, we use a negative value for the X11 error
+code BadLength as the function only return positive values, 0 or -1 and
+update the caller Dispatch() function to take that case into account to
+return the error code to the offending client.
+
+CVE-2025-49176
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+CVE: CVE-2025-49176
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b326a80b582e48d939fe62cb1e2b10400d9]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ dix/dispatch.c | 9 +++++----
+ os/io.c | 4 ++++
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 9e98d54..20473f1 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -513,9 +513,10 @@ Dispatch(void)
+
+ /* now, finally, deal with client requests */
+ result = ReadRequestFromClient(client);
+- if (result <= 0) {
+- if (result < 0)
+- CloseDownClient(client);
++ if (result == 0)
++ break;
++ else if (result == -1) {
++ CloseDownClient(client);
+ break;
+ }
+
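Review bot: narrowing the close-down condition from `result < 0` to `result == -1` makes the contract "-1 means close the client, any other negative value is a negated X error code" implicit across dix/dispatch.c and os/io.c; document it at ReadRequestFromClient() (a comment or a named constant for the close case) so a future negative return is not misread as an error code to deliver to the client.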
+@@ -536,7 +537,7 @@ Dispatch(void)
+ client->index,
+ client->requestBuffer);
+ #endif
+- if (result > (maxBigRequestSize << 2))
++ if (result < 0 || result > (maxBigRequestSize << 2))
+ result = BadLength;
+ else {
+ result = XaceHookDispatch(client, client->majorOp);
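Review bot: `result < 0 || result > (maxBigRequestSize << 2)` folds every negative return into BadLength instead of decoding `-result`, which discards the error code the lower layer encoded; using `result = -result` for the negative case (with the -1 close case already handled above) would keep the encoding meaningful if other errors are ever returned this way.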
+diff --git a/os/io.c b/os/io.c
+index 841a0ee..aeece86 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client)
+ needed = get_big_req_len(request, client);
+ }
+ client->req_len = needed;
++ if (needed > MAXINT >> 2) {
++ /* Check for potential integer overflow */
++ return -(BadLength);
++ }
+ needed <<= 2; /* needed is in bytes now */
+ }
+ if (gotnow < needed) {
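Review bot: the overflow check `needed > MAXINT >> 2` sits after `client->req_len = needed;`, so the rejected length is already stored in the client state when `-(BadLength)` is returned; checking before the assignment (or resetting `req_len`) avoids leaving an inconsistent value behind. The same pattern occurs a second time in ReadRequestFromClient() (the follow-up CVE-2025-49176-0002 patch in this series adds the check there), which suggests factoring the big-request length validation into one helper next to get_big_req_len().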
+--
+2.40.0
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch
new file mode 100644
index 0000000000..6d7df79111
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch
@@ -0,0 +1,38 @@
+From 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 18 Jun 2025 08:39:02 +0200
+Subject: [PATCH] os: Check for integer overflow on BigRequest length
+
+Check for another possible integer overflow once we get a complete xReq
+with BigRequest.
+
+Related to CVE-2025-49176
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>
+
+CVE: CVE-2025-49176
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4fc4d76b2c7aaed61ed2653f997783a3714c4fe1]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ os/io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/os/io.c b/os/io.c
+index aeece86..67465f9 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
+ needed = get_big_req_len(request, client);
+ }
+ client->req_len = needed;
++ if (needed > MAXINT >> 2)
++ return -(BadLength);
+ needed <<= 2;
+ }
+ if (gotnow < needed) {
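Review bot: this duplicates the guard the first CVE-2025-49176 patch added near line 296 with a different style (no explanatory comment, no braces), and it has the same placement issue of checking after `client->req_len = needed;`. Check before assigning, and prefer a single helper that validates the big-request length for both call sites so they cannot drift apart.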
+--
+2.40.0
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index b9b4aa1a6a..72396dcd40 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -25,6 +25,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-26601-3.patch \
file://CVE-2025-26601-4.patch \
file://CVE-2025-49175.patch \
+ file://CVE-2025-49176-0001.patch \
+ file://CVE-2025-49176-0002.patch \
"
SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
--
2.43.0
* [OE-core][scarthgap 08/11] xwayland: fix CVE-2025-49177
From: Steve Sakoman @ 2025-07-04 15:10 UTC
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler
does not validate the request length, allowing a client to read unintended memory
from previous requests.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xwayland/xwayland/CVE-2025-49177.patch | 55 +++++++++++++++++++
.../xwayland/xwayland_23.2.5.bb | 1 +
2 files changed, 56 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
new file mode 100644
index 0000000000..56ae1de800
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
@@ -0,0 +1,55 @@
+From ab02fb96b1c701c3bb47617d965522c34befa6af Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 10:05:36 +0200
+Subject: [PATCH] xfixes: Check request length for SetClientDisconnectMode
+
+The handler of XFixesSetClientDisconnectMode does not check the client
+request length.
+
+A client could send a shorter request and read data from a former
+request.
+
+Fix the issue by checking the request size matches.
+
+CVE-2025-49177
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Fixes: e167299f6 - xfixes: Add ClientDisconnectMode
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+CVE: CVE-2025-49177
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ xfixes/disconnect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xfixes/disconnect.c b/xfixes/disconnect.c
+index 28aac45..d6da1f9 100644
+--- a/xfixes/disconnect.c
++++ b/xfixes/disconnect.c
+@@ -67,6 +67,7 @@ ProcXFixesSetClientDisconnectMode(ClientPtr client)
+ ClientDisconnectPtr pDisconnect = GetClientDisconnect(client);
+
+ REQUEST(xXFixesSetClientDisconnectModeReq);
++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+
+ pDisconnect->disconnect_mode = stuff->disconnect_mode;
+
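Review bot: the new `REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq)` is placed directly after `REQUEST(...)` and before the only read of `stuff->disconnect_mode`, so a too-short request is rejected with BadLength before the handler touches the field; that is the right spot. An exact-size check rather than an at-least check is appropriate here because the handler reads nothing beyond `disconnect_mode`, so there is no variable-length tail that a longer request could legitimately carry. Nothing to change.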
+@@ -80,7 +81,7 @@ SProcXFixesSetClientDisconnectMode(ClientPtr client)
+
+ swaps(&stuff->length);
+
+- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq);
++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+
+ swapl(&stuff->disconnect_mode);
+
+--
+2.40.0
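Review bot: in the byte-swapped entry point `SProcXFixesSetClientDisconnectMode`, replacing `REQUEST_AT_LEAST_SIZE` with `REQUEST_SIZE_MATCH` brings the swapped path in line with the check added to `ProcXFixesSetClientDisconnectMode` in the previous hunk; before this, a client of the opposite endianness only had to meet a minimum size, and the native path had no check at all. The check is also ordered before `swapl(&stuff->disconnect_mode)`, so the field is not byte-swapped until the request size is confirmed. Consider a one-line comment in the SProc variant noting that its length check must stay identical to the Proc one, so the two paths are not allowed to drift apart again.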
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index 72396dcd40..5ed8ca0365 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -27,6 +27,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-49175.patch \
file://CVE-2025-49176-0001.patch \
file://CVE-2025-49176-0002.patch \
+ file://CVE-2025-49177.patch \
"
SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
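Review bot: the recipe change is minimal and correct: `file://CVE-2025-49177.patch` is appended after the existing CVE patches in numeric order, and because the patch file carries a `CVE: CVE-2025-49177` line and an `Upstream-Status: Backport [...]` tag, cve-check will record the CVE as patched for this recipe. `SRC_URI[sha256sum]` is untouched, as expected when only a local patch is added.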
--
2.43.0
* [OE-core][scarthgap 09/11] xwayland: fix CVE-2025-49178
From: Steve Sakoman @ 2025-07-04 15:10 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
A flaw was found in the X server's request handling. Non-zero 'bytes to ignore'
in a client's request can cause the server to skip processing another client's
request, potentially leading to a denial of service.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xwayland/xwayland/CVE-2025-49178.patch | 50 +++++++++++++++++++
.../xwayland/xwayland_23.2.5.bb | 1 +
2 files changed, 51 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
new file mode 100644
index 0000000000..5ef2fea1c9
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
@@ -0,0 +1,50 @@
+From d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 10:46:03 +0200
+Subject: [PATCH] os: Account for bytes to ignore when sharing input buffer
+
+When reading requests from the clients, the input buffer might be shared
+and used between different clients.
+
+If a given client sends a full request with non-zero bytes to ignore,
+the bytes to ignore may still be non-zero even though the request is
+full, in which case the buffer could be shared with another client who's
+request will not be processed because of those bytes to ignore, leading
+to a possible hang of the other client request.
+
+To avoid the issue, make sure we have zero bytes to ignore left in the
+input request when sharing the input buffer with another client.
+
+CVE-2025-49178
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+CVE: CVE-2025-49178
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/os/io.c b/os/io.c
+index 67465f9..f92a40e 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -444,7 +444,7 @@ ReadRequestFromClient(ClientPtr client)
+ */
+
+ gotnow -= needed;
+- if (!gotnow)
++ if (!gotnow && !oci->ignoreBytes)
+ AvailableInput = oc;
+ if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+--
+2.40.0
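Review bot: the condition `if (!gotnow && !oci->ignoreBytes)` withholds the shared input buffer (`AvailableInput = oc`) while the current client still has bytes to ignore, which is exactly the situation the commit message describes; the worst case of the stricter condition is that the buffer is not handed to another client on this pass, so this is a skipped reuse, not a functional regression. The comment block that closes with `*/` just above `gotnow -= needed;` is where the reason for the extra clause belongs: suggest extending it with the one-line rationale (a non-zero `ignoreBytes` would cause the next client's request to be skipped), so the condition is not "simplified" back to `if (!gotnow)` in a later cleanup.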
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index 5ed8ca0365..e150961882 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-49176-0001.patch \
file://CVE-2025-49176-0002.patch \
file://CVE-2025-49177.patch \
+ file://CVE-2025-49178.patch \
"
SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
--
2.43.0
* [OE-core][scarthgap 10/11] xwayland: fix CVE-2025-49179
From: Steve Sakoman @ 2025-07-04 15:10 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients
function does not check for an integer overflow when computing request length,
which allows a client to bypass length checks.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xwayland/xwayland/CVE-2025-49179.patch | 69 +++++++++++++++++++
.../xwayland/xwayland_23.2.5.bb | 1 +
2 files changed, 70 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch
new file mode 100644
index 0000000000..48c7ed8c13
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch
@@ -0,0 +1,69 @@
+From 9d205323894af62b9726fcbaeb5fc69b3c9f61ba Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 11:47:15 +0200
+Subject: [PATCH] record: Check for overflow in
+ RecordSanityCheckRegisterClients()
+
+The RecordSanityCheckRegisterClients() checks for the request length,
+but does not check for integer overflow.
+
+A client might send a very large value for either the number of clients
+or the number of protocol ranges that will cause an integer overflow in
+the request length computation, defeating the check for request length.
+
+To avoid the issue, explicitly check the number of clients against the
+limit of clients (which is much lower than an maximum integer value) and
+the number of protocol ranges (multiplied by the record length) do not
+exceed the maximum integer value.
+
+This way, we ensure that the final computation for the request length
+will not overflow the maximum integer limit.
+
+CVE-2025-49179
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4)
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2026>
+
+CVE: CVE-2025-49179
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9d205323894af62b9726fcbaeb5fc69b3c9f61ba]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ record/record.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/record/record.c b/record/record.c
+index e123867..018e53f 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
+ #include "inputstr.h"
+ #include "eventconvert.h"
+ #include "scrnintstr.h"
++#include "opaque.h"
+
+ #include <stdio.h>
+ #include <assert.h>
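Review bot: the added `#include "opaque.h"` is what brings `LimitClients`, used by the check in the next hunk, into scope; placing it with the other server-internal headers (`inputstr.h`, `eventconvert.h`, `scrnintstr.h`) rather than after the `<stdio.h>`/`<assert.h>` system includes matches the file's existing grouping. Fine as is.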
+@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
+ int i;
+ XID recordingClient;
+
++ /* LimitClients is 2048 at max, way less that MAXINT */
++ if (stuff->nClients > LimitClients)
++ return BadValue;
++
++ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
++ return BadValue;
++
+ if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
+ 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
+ return BadLength;
+--
+2.40.0
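Review bot: the two new checks are order-dependent and that dependency should be documented. The second test, `stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)`, is only safe because `stuff->nClients > LimitClients` has already bounded `nClients` to at most 2048 (per the comment), which keeps `MAXINT - 4 * stuff->nClients` well above zero; if a later edit swapped the two checks, that subtraction could go negative and the bound would be meaningless. Suggest extending the comment above the first check with something like `/* must precede the nRanges check below */`. Typo in that same comment: `way less that MAXINT` should read `way less than MAXINT`. With both bounds in place, `SIZEOF(xRecordRange) * stuff->nRanges` is at most `MAXINT - 4 * stuff->nClients`, so the sum in the existing `BadLength` comparison cannot exceed MAXINT, which is precisely the overflow the commit message targets.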
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index e150961882..490e1ca05f 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-49176-0002.patch \
file://CVE-2025-49177.patch \
file://CVE-2025-49178.patch \
+ file://CVE-2025-49179.patch \
"
SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
--
2.43.0
* [OE-core][scarthgap 11/11] xwayland: fix CVE-2025-49180
From: Steve Sakoman @ 2025-07-04 15:10 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
A flaw was found in the RandR extension, where the RRChangeProviderProperty function
does not properly validate input. This issue leads to an integer overflow when
computing the total size to allocate.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xwayland/xwayland/CVE-2025-49180.patch | 45 +++++++++++++++++++
.../xwayland/xwayland_23.2.5.bb | 1 +
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch
new file mode 100644
index 0000000000..51939acf63
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch
@@ -0,0 +1,45 @@
+From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Tue, 20 May 2025 15:18:19 +0200
+Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty()
+
+A client might send a request causing an integer overflow when computing
+the total size to allocate in RRChangeProviderProperty().
+
+To avoid the issue, check that total length in bytes won't exceed the
+maximum integer value.
+
+CVE-2025-49180
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+CVE: CVE-2025-49180
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ randr/rrproviderproperty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index 90c5a9a..0aa35ad 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
+
+ if (mode == PropModeReplace || len > 0) {
+ void *new_data = NULL, *old_data = NULL;
+-
++ if (total_len > MAXINT / size_in_bytes)
++ return BadValue;
+ total_size = total_len * size_in_bytes;
+ new_value.data = (void *) malloc(total_size);
+ if (!new_value.data && total_size) {
+--
+2.40.0
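Review bot: the guard `if (total_len > MAXINT / size_in_bytes) return BadValue;` correctly precedes `total_size = total_len * size_in_bytes;`, so the product handed to `malloc` can no longer wrap, and BadValue (rather than BadAlloc) is the right error for a malformed request. However, the guard divides by `size_in_bytes`, and nothing in this hunk shows where that value comes from or that it is non-zero; please confirm it is validated earlier in the function or by the dispatcher before this point, or add `size_in_bytes == 0 ||` to the condition so the check cannot itself divide by zero. Style nit: the hunk replaces the blank line after `void *new_data = NULL, *old_data = NULL;`, so the new `if` now abuts the declaration; keeping a blank line between the declaration and the check would match the surrounding code.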
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index 490e1ca05f..49e35ca442 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-49177.patch \
file://CVE-2025-49178.patch \
file://CVE-2025-49179.patch \
+ file://CVE-2025-49180.patch \
"
SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
--
2.43.0