* [OE-core][kirkstone 00/10] Patch review
@ 2023-08-03 14:04 Steve Sakoman
0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2023-08-03 14:04 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Saturday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5680
The following changes since commit dc2e760591c5ed3c999222f235484829426c71a7:
util-linux: add alternative links for ipcs,ipcrm (2023-07-31 08:12:27 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (3):
qemu: fix CVE-2023-3301
qemu: fix CVE-2023-3255
qemu: fix CVE-2023-2861
Peter Marko (3):
libpcre2: patch CVE-2022-41409
libarchive: ignore CVE-2023-30571
openssl: Upgrade 3.0.9 -> 3.0.10
Sakib Sajal (2):
go: fix CVE-2023-24536
go: fix CVE-2023-24531
Sundeep KOKKONDA (1):
gcc : upgrade to v11.4
Yuta Hayama (1):
cve-update-nvd2-native: always pass str for json.loads()
meta/conf/distro/include/maintainers.inc | 2 +-
.../{openssl_3.0.9.bb => openssl_3.0.10.bb} | 2 +-
.../meta/cve-update-nvd2-native.bb | 2 +-
.../gcc/{gcc-11.3.inc => gcc-11.4.inc} | 6 +-
...ian_11.3.bb => gcc-cross-canadian_11.4.bb} | 0
.../{gcc-cross_11.3.bb => gcc-cross_11.4.bb} | 0
...-crosssdk_11.3.bb => gcc-crosssdk_11.4.bb} | 0
...cc-runtime_11.3.bb => gcc-runtime_11.4.bb} | 0
...itizers_11.3.bb => gcc-sanitizers_11.4.bb} | 0
...{gcc-source_11.3.bb => gcc-source_11.4.bb} | 0
...rch64-Update-Neoverse-N2-core-defini.patch | 20 +-
...rm-add-armv9-a-architecture-to-march.patch | 54 +--
...AMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch | 102 ++---
...s-fix-v4bx-to-linker-to-support-EABI.patch | 6 +-
.../gcc/{gcc_11.3.bb => gcc_11.4.bb} | 0
...initial_11.3.bb => libgcc-initial_11.4.bb} | 0
.../gcc/{libgcc_11.3.bb => libgcc_11.4.bb} | 0
...ibgfortran_11.3.bb => libgfortran_11.4.bb} | 0
meta/recipes-devtools/go/go-1.17.13.inc | 7 +-
.../go/go-1.19/CVE-2023-24536_1.patch | 137 +++++++
.../go/go-1.19/CVE-2023-24536_2.patch | 187 ++++++++++
.../go/go-1.19/CVE-2023-24536_3.patch | 349 ++++++++++++++++++
.../go/go-1.21/CVE-2023-24531_1.patch | 252 +++++++++++++
.../go/go-1.21/CVE-2023-24531_2.patch | 47 +++
meta/recipes-devtools/qemu/qemu.inc | 3 +
.../qemu/qemu/CVE-2023-2861.patch | 172 +++++++++
.../qemu/qemu/CVE-2023-3255.patch | 64 ++++
.../qemu/qemu/CVE-2023-3301.patch | 60 +++
.../libarchive/libarchive_3.6.2.bb | 3 +
.../libpcre/libpcre2/CVE-2022-41409.patch | 75 ++++
.../recipes-support/libpcre/libpcre2_10.40.bb | 1 +
31 files changed, 1451 insertions(+), 100 deletions(-)
rename meta/recipes-connectivity/openssl/{openssl_3.0.9.bb => openssl_3.0.10.bb} (99%)
rename meta/recipes-devtools/gcc/{gcc-11.3.inc => gcc-11.4.inc} (97%)
rename meta/recipes-devtools/gcc/{gcc-cross-canadian_11.3.bb => gcc-cross-canadian_11.4.bb} (100%)
rename meta/recipes-devtools/gcc/{gcc-cross_11.3.bb => gcc-cross_11.4.bb} (100%)
rename meta/recipes-devtools/gcc/{gcc-crosssdk_11.3.bb => gcc-crosssdk_11.4.bb} (100%)
rename meta/recipes-devtools/gcc/{gcc-runtime_11.3.bb => gcc-runtime_11.4.bb} (100%)
rename meta/recipes-devtools/gcc/{gcc-sanitizers_11.3.bb => gcc-sanitizers_11.4.bb} (100%)
rename meta/recipes-devtools/gcc/{gcc-source_11.3.bb => gcc-source_11.4.bb} (100%)
rename meta/recipes-devtools/gcc/{gcc_11.3.bb => gcc_11.4.bb} (100%)
rename meta/recipes-devtools/gcc/{libgcc-initial_11.3.bb => libgcc-initial_11.4.bb} (100%)
rename meta/recipes-devtools/gcc/{libgcc_11.3.bb => libgcc_11.4.bb} (100%)
rename meta/recipes-devtools/gcc/{libgfortran_11.3.bb => libgfortran_11.4.bb} (100%)
create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24536_1.patch
create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24536_2.patch
create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24536_3.patch
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-24531_1.patch
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-24531_2.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch
create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch
--
2.34.1
* [OE-core][kirkstone 00/10] Patch review
@ 2023-10-03 19:36 Steve Sakoman
0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2023-10-03 19:36 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Thursday, October 5
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5984
except for the meta-aws test, which breaks due to recent commits there. Maintainer notified.
The following changes since commit 7e177848f97eb9958619c28b5e5dadee12f67507:
kernel.bbclass: Add force flag to rm calls (2023-09-27 06:09:46 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bruce Ashfield (5):
linux-yocto/5.10: update to v5.10.189
linux-yocto/5.10: update to v5.10.191
linux-yocto/5.10: update to v5.10.192
linux-yocto/5.10: update to v5.10.194
linux-yocto/5.10: update to v5.10.197
Martin Jansa (2):
ccache: fix build with gcc-13
fontcache.bbclass: avoid native recipes depending on target fontconfig
Narpat Mali (1):
python3-jinja2: fix for the ptest result format
Peter Marko (1):
json-c: define CVE_VERSION
Shubham Kulkarni (1):
go: Update fix for CVE-2023-24538 & CVE-2023-39318
meta/classes/fontcache.bbclass | 1 +
...x-FTBFS-with-not-yet-released-GCC-13.patch | 92 +++
meta/recipes-devtools/ccache/ccache_4.6.bb | 4 +-
meta/recipes-devtools/go/go-1.17.13.inc | 3 +-
.../go/go-1.18/CVE-2023-24538_1.patch | 597 ++++++++++++++++++
...023-24538.patch => CVE-2023-24538_2.patch} | 175 ++++-
.../go/go-1.21/CVE-2023-39318.patch | 44 +-
meta/recipes-devtools/json-c/json-c_0.15.bb | 3 +
.../python/python3-jinja2/run-ptest | 2 +-
.../linux/linux-yocto-rt_5.10.bb | 6 +-
.../linux/linux-yocto-tiny_5.10.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +-
12 files changed, 921 insertions(+), 38 deletions(-)
create mode 100644 meta/recipes-devtools/ccache/ccache/0001-build-Fix-FTBFS-with-not-yet-released-GCC-13.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24538_1.patch
rename meta/recipes-devtools/go/go-1.18/{CVE-2023-24538.patch => CVE-2023-24538_2.patch} (53%)
--
2.34.1
* [OE-core][kirkstone 00/10] Patch review
@ 2023-10-18 15:48 Steve Sakoman
0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2023-10-18 15:48 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Friday, October 20
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6064
with the exception of a known vim reproducibility error in the vim-common
package where depending on worker we are seeing either:
"Content-Type:·text/plain;·charset=CP1251\n"
or
"Content-Type:·text/plain;·charset=cp1251\n"
The issue is still under investigation, but is unrelated to this patch set.
The following changes since commit 2572b32e729831762790ebfbf930a1140657faea:
apt: add missing <cstdint> for uint16_t (2023-10-13 05:32:41 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Armin Kuster (1):
binutils: CVE-2022-48063
Chaitanya Vadrevu (3):
binutils: Fix CVE-2022-47695
binutils: Mark CVE-2022-47673 as patched
binutils: Mark CVE-2022-47696 as patched
Deepthi Hemraj (2):
binutils: Fix CVE-2022-47008
binutils: Fix CVE-2022-47011
Hitendra Prajapati (1):
libtiff: Add fix for tiffcrop CVE-2023-1916
Quentin Schulz (1):
uboot-extlinux-config.bbclass: fix missed override syntax migration
Siddharth Doshi (2):
tiff: Security fix for CVE-2023-40745
libxpm: upgrade to 3.5.17
meta/classes/uboot-extlinux-config.bbclass | 2 +-
.../binutils/binutils-2.38.inc | 4 +
.../binutils/0022-CVE-2023-25584-3.patch | 2 +
.../binutils/0025-CVE-2023-25588.patch | 2 +
.../binutils/0027-CVE-2022-47008.patch | 67 +++++++++++++
.../binutils/0028-CVE-2022-47011.patch | 35 +++++++
.../binutils/0031-CVE-2022-47695.patch | 58 +++++++++++
.../binutils/binutils/CVE-2022-48063.patch | 48 +++++++++
.../{libxpm_3.5.16.bb => libxpm_3.5.17.bb} | 2 +-
.../libtiff/tiff/CVE-2023-1916.patch | 99 +++++++++++++++++++
.../libtiff/tiff/CVE-2023-40745.patch | 34 +++++++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 2 +
12 files changed, 353 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-devtools/binutils/binutils/0027-CVE-2022-47008.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0028-CVE-2022-47011.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch
rename meta/recipes-graphics/xorg-lib/{libxpm_3.5.16.bb => libxpm_3.5.17.bb} (88%)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch
--
2.34.1
* [OE-core][kirkstone 00/10] Patch review
@ 2024-04-16 12:06 Steve Sakoman
0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2024-04-16 12:06 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 18
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6811
The following changes since commit 26a878cbfbb3bc7a6e892e105577ebf8138ce150:
common-licenses: Backport missing license (2024-04-02 08:04:42 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alex Stewart (1):
perl: ignore CVE-2023-47100
Jonathan GUILLOT (1):
cups: fix typo in CVE-2023-32360 backport patch
Khem Raj (1):
tcl: Add a way to skip ptests
Peter Marko (2):
openssl: patch CVE-2024-2511
ncurses: patch CVE-2023-50495
Ross Burton (2):
tcl: skip timing-dependent tests in run-ptest
tcl: skip async and event tests in run-ptest
Sana Kazi (1):
openssh: Add CVE-2023-51767 to CVE_CHECK_IGNORE
Steve Sakoman (1):
Revert "expat: fix CVE-2023-52425"
Vijay Anusuri (1):
xserver-xorg: Fix for CVE-2024-31080 and CVE-2024-31081
.../openssh/openssh_8.9p1.bb | 5 +
.../openssl/openssl/CVE-2024-2511.patch | 122 ++++++++++
.../openssl/openssl_3.0.13.bb | 1 +
.../expat/expat/CVE-2023-52425-0001.patch | 40 ----
.../expat/expat/CVE-2023-52425-0002.patch | 87 -------
.../expat/expat/CVE-2023-52425-0003.patch | 222 ------------------
.../expat/expat/CVE-2023-52425-0004.patch | 42 ----
.../expat/expat/CVE-2023-52425-0005.patch | 69 ------
.../expat/expat/CVE-2023-52425-0006.patch | 67 ------
.../expat/expat/CVE-2023-52425-0007.patch | 159 -------------
.../expat/expat/CVE-2023-52425-0008.patch | 95 --------
.../expat/expat/CVE-2023-52425-0009.patch | 52 ----
.../expat/expat/CVE-2023-52425-0010.patch | 111 ---------
.../expat/expat/CVE-2023-52425-0011.patch | 89 -------
.../expat/expat/CVE-2023-52425-0012.patch | 87 -------
meta/recipes-core/expat/expat_2.5.0.bb | 12 -
.../ncurses/files/CVE-2023-50495.patch | 81 +++++++
.../ncurses/ncurses_6.3+20220423.bb | 1 +
meta/recipes-devtools/perl/perl_5.34.3.bb | 3 +
meta/recipes-devtools/tcltk/tcl/run-ptest | 6 +-
meta/recipes-devtools/tcltk/tcl_8.6.11.bb | 5 +
.../cups/cups/CVE-2023-32360.patch | 2 +-
.../xserver-xorg/CVE-2024-31080.patch | 49 ++++
.../xserver-xorg/CVE-2024-31081.patch | 47 ++++
.../xorg-xserver/xserver-xorg_21.1.8.bb | 2 +
25 files changed, 322 insertions(+), 1134 deletions(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch
delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch
delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch
delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch
delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch
delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch
delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch
delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch
delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch
delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch
delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch
delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch
create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-50495.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
--
2.34.1
* [OE-core][kirkstone 00/10] Patch review
@ 2025-04-08 20:50 Steve Sakoman
0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-04-08 20:50 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 10
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1367
The following changes since commit 1efbe1004bc82e7c14c1e8bd4ce644f5015c3346:
build-appliance-image: Update to kirkstone head revision (2025-04-04 08:43:24 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Haixiao Yan (1):
glibc: Add single-threaded fast path to rand()
Peter Marko (2):
ofono: patch CVE-2024-7537
qemu: ignore CVE-2023-1386
Vijay Anusuri (6):
ghostscript: Fix CVE-2025-27830
ghostscript: Fix CVE-2025-27831
ghostscript: Fix CVE-2025-27832
ghostscript: Fix CVE-2025-27834
ghostscript: Fix CVE-2025-27835
ghostscript: Fix CVE-2025-27836
Yogita Urade (1):
curl: ignore CVE-2025-0725
.../ofono/ofono/CVE-2024-7537.patch | 59 +++++++++++++
meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 +
...dd-single-threaded-fast-path-to-rand.patch | 47 +++++++++++
meta/recipes-core/glibc/glibc_2.35.bb | 1 +
meta/recipes-devtools/qemu/qemu.inc | 3 +
.../ghostscript/CVE-2025-27830.patch | 79 +++++++++++++++++
.../ghostscript/CVE-2025-27831-pre1.patch | 50 +++++++++++
.../ghostscript/CVE-2025-27831.patch | 84 +++++++++++++++++++
.../ghostscript/CVE-2025-27832.patch | 45 ++++++++++
.../ghostscript/CVE-2025-27834.patch | 57 +++++++++++++
.../ghostscript/CVE-2025-27835.patch | 34 ++++++++
.../ghostscript/CVE-2025-27836-1.patch | 64 ++++++++++++++
.../ghostscript/CVE-2025-27836-2.patch | 46 ++++++++++
.../ghostscript/ghostscript_9.55.0.bb | 8 ++
meta/recipes-support/curl/curl_7.82.0.bb | 2 +
15 files changed, 580 insertions(+)
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch
create mode 100644 meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831-pre1.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27832.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch
--
2.43.0
* [OE-core][kirkstone 00/10] Patch review
@ 2025-05-30 15:39 Steve Sakoman
0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-05-30 15:39 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, June 3
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1684
The following changes since commit a99a65632116955dc69809a14bf536b22582de72:
gcc: AArch64 - Fix strict-align cpymem/setmem (2025-05-23 08:27:24 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bruce Ashfield (5):
linux-yocto/5.15: update to v5.15.180
linux-yocto/5.15: update to v5.15.181
linux-yocto/5.15: update to v5.15.182
linux-yocto/5.15: update to v5.15.183
linux-yocto/5.15: update to v5.15.184
Guocai He (1):
sysstat: correct the SRC_URI
Harish Sadineni (2):
binutils: Fix CVE-2025-1182
binutils: fix CVE-2025-1180
Hitendra Prajapati (1):
screen: Fix CVE-2025-46805
NeilBrown (1):
nfs-utils: don't use signals to shut down nfs server.
.../nfs-utils/nfs-utils/nfsserver | 28 +--
.../binutils/binutils-2.38.inc | 1 +
.../binutils/0040-CVE-2025-1180.patch | 164 ++++++++++++++++++
.../binutils/0040-CVE-2025-1182.patch | 31 ++++
.../screen/screen/CVE-2025-46805.patch | 121 +++++++++++++
meta/recipes-extended/screen/screen_4.9.0.bb | 1 +
meta/recipes-extended/sysstat/sysstat.inc | 6 +-
.../linux/linux-yocto-rt_5.15.bb | 6 +-
.../linux/linux-yocto-tiny_5.15.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +--
10 files changed, 344 insertions(+), 46 deletions(-)
create mode 100644 meta/recipes-devtools/binutils/binutils/0040-CVE-2025-1180.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0040-CVE-2025-1182.patch
create mode 100644 meta/recipes-extended/screen/screen/CVE-2025-46805.patch
--
2.43.0
* [OE-core][kirkstone 00/10] Patch review
@ 2025-07-27 20:04 Steve Sakoman
0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-07-27 20:04 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, July 29
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2092
The following changes since commit d9f424921179a52ffe053411c44f20e44e7deba1:
tcf-agent: correct the SRC_URI (2025-07-15 06:42:30 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Aleksandar Nikolic (1):
scripts/install-buildtools: Update to 4.0.28
Daniel Díaz (1):
ffmpeg: Ignore two CVEs fixed in 5.0.3
Deepesh Varatharajan (1):
glibc: stable 2.35 branch updates
Hitendra Prajapati (1):
libpam: fix CVE-2025-6020
Martin Jansa (1):
db: ignore implicit-int and implicit-function-declaration issues fatal
with gcc-14
Peter Marko (2):
orc: set CVE_PRODUCT
ncurses: patch CVE-2025-6141
Rob Woolley (1):
ruby: correct fix for CVE-2024-43398
Yash Shinde (1):
binutils: Fix CVE-2025-7546
Yogita Urade (1):
gnupg: fix CVE-2025-30258
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../glibc/glibc/0025-CVE-2025-4802.patch | 3 +-
meta/recipes-core/glibc/glibc_2.35.bb | 2 +-
.../ncurses/files/CVE-2025-6141.patch | 25 +
.../ncurses/ncurses_6.3+20220423.bb | 1 +
.../binutils/binutils-2.38.inc | 1 +
.../binutils/0043-CVE-2025-7546.patch | 44 +
meta/recipes-devtools/orc/orc_0.4.40.bb | 3 +
.../ruby/ruby/CVE-2024-43398-0001.patch | 212 +++
.../ruby/ruby/CVE-2024-43398-0002.patch | 130 ++
...-43398.patch => CVE-2024-43398-0003.patch} | 23 +-
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 4 +-
...001-pam_inline-introduce-pam_asprint.patch | 102 ++
.../0001-pam_namespace-include-stdint-h.patch | 42 +
.../pam/libpam/CVE-2025-6020-01.patch | 1588 +++++++++++++++++
.../pam/libpam/CVE-2025-6020-02.patch | 187 ++
.../pam/libpam/CVE-2025-6020-03.patch | 35 +
meta/recipes-extended/pam/libpam_1.5.2.bb | 5 +
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb | 6 +
meta/recipes-support/db/db_5.3.28.bb | 4 +
.../gnupg/gnupg/CVE-2025-30258-0001.patch | 141 ++
.../gnupg/gnupg/CVE-2025-30258-0002.patch | 131 ++
.../gnupg/gnupg/CVE-2025-30258-0003.patch | 624 +++++++
.../gnupg/gnupg/CVE-2025-30258-0004.patch | 193 ++
.../gnupg/gnupg/CVE-2025-30258-0005.patch | 36 +
meta/recipes-support/gnupg/gnupg_2.3.7.bb | 5 +
scripts/install-buildtools | 4 +-
27 files changed, 3534 insertions(+), 19 deletions(-)
create mode 100644 meta/recipes-core/ncurses/files/CVE-2025-6141.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0043-CVE-2025-7546.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-43398-0001.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-43398-0002.patch
rename meta/recipes-devtools/ruby/ruby/{CVE-2024-43398.patch => CVE-2024-43398-0003.patch} (87%)
create mode 100644 meta/recipes-extended/pam/libpam/0001-pam_inline-introduce-pam_asprint.patch
create mode 100644 meta/recipes-extended/pam/libpam/0001-pam_namespace-include-stdint-h.patch
create mode 100644 meta/recipes-extended/pam/libpam/CVE-2025-6020-01.patch
create mode 100644 meta/recipes-extended/pam/libpam/CVE-2025-6020-02.patch
create mode 100644 meta/recipes-extended/pam/libpam/CVE-2025-6020-03.patch
create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0001.patch
create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0002.patch
create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0003.patch
create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0004.patch
create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0005.patch
--
2.43.0
* [OE-core][kirkstone 00/10] Patch review
@ 2025-07-30 19:05 Steve Sakoman
0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-07-30 19:05 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Friday, August 1
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2113
The following changes since commit 277b5ec3c0212ca8600dd89d0a33f784a060131f:
db: ignore implicit-int and implicit-function-declaration issues fatal with gcc-14 (2025-07-25 08:37:09 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Deepesh Varatharajan (1):
binutils: Fix CVE-2025-7545
Peter Marko (8):
dropbear: patch CVE-2025-47203
gnutls: patch CVE-2025-32989
gnutls: patch read buffer overrun in the "pre_shared_key" extension
gnutls: patch reject zero-length version in certificate request
gnutls: patch CVE-2025-32988
gnutls: patch CVE-2025-32990
gnutls: patch CVE-2025-6395
libxml2: patch CVE-2025-6170
Vijay Anusuri (1):
sqlite3: Fix CVE-2025-6965
meta/recipes-core/dropbear/dropbear.inc | 3 +
..._snprintf-that-won-t-return-negative.patch | 48 +
...-length-paths-and-commands-in-multih.patch | 126 +
.../dropbear/dropbear/CVE-2025-47203.patch | 344 +++
.../libxml/libxml2/CVE-2025-6170.patch | 103 +
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
.../binutils/binutils-2.38.inc | 1 +
.../binutils/0043-CVE-2025-7545.patch | 39 +
...fer-overrun-in-the-pre_shared_key-ex.patch | 34 +
...-length-version-in-certificate-reque.patch | 37 +
.../04939b75417cc95b7372c6f208c4bda4579bdc34 | Bin 0 -> 1782 bytes
.../3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 | Bin 0 -> 830 bytes
.../5477db1bb507a35e8833c758ce344f4b5b246d8e | Bin 0 -> 111 bytes
.../gnutls/gnutls/CVE-2025-32988.patch | 58 +
.../gnutls/gnutls/CVE-2025-32989.patch | 50 +
.../gnutls/gnutls/CVE-2025-32990.patch | 2109 +++++++++++++++++
.../gnutls/gnutls/CVE-2025-6395.patch | 299 +++
meta/recipes-support/gnutls/gnutls_3.7.4.bb | 15 +
.../sqlite/files/CVE-2025-6965.patch | 115 +
meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 1 +
20 files changed, 3383 insertions(+)
create mode 100644 meta/recipes-core/dropbear/dropbear/0001-Add-m_snprintf-that-won-t-return-negative.patch
create mode 100644 meta/recipes-core/dropbear/dropbear/0001-Handle-arbitrary-length-paths-and-commands-in-multih.patch
create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-47203.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0043-CVE-2025-7545.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0001-x509-reject-zero-length-version-in-certificate-reque.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/04939b75417cc95b7372c6f208c4bda4579bdc34
create mode 100644 meta/recipes-support/gnutls/gnutls/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2
create mode 100644 meta/recipes-support/gnutls/gnutls/5477db1bb507a35e8833c758ce344f4b5b246d8e
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-32989.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-32990.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-6395.patch
create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-6965.patch
--
2.43.0
* [OE-core][kirkstone 00/10] Patch review
@ 2025-11-13 21:47 Steve Sakoman
0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-11-13 21:47 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Monday, November 17
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2720
The following changes since commit 1e1993b72f2b6109ce3d0ef950553b74b2b37b27:
Don't use ftp.gnome.org (2025-11-03 09:18:14 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Kanavin (2):
xf86-video-intel: correct SRC_URI as freedesktop anongit is down
goarch.bbclass: do not leak TUNE_FEATURES into crosssdk task
signatures
Gyorgy Sarvari (2):
efibootmgr: update SRC_URI branch
babeltrace2: fetch with https protocol
Peter Marko (1):
curl: ignore CVE-2025-10966
Saquib Iltaf (1):
rust-cross-canadian: Ignore CVE-2024-43402
Soumya Sambu (1):
python3-urllib3: Upgrade 1.26.18 -> 1.26.20
Vijay Anusuri (3):
xserver-xorg: Fix for CVE-2025-62229
xserver-xorg: Fix for CVE-2025-62230
xserver-xorg: Fix for CVE-2025-62231
meta/classes/goarch.bbclass | 3 +
meta/recipes-bsp/efibootmgr/efibootmgr_17.bb | 2 +-
..._1.26.18.bb => python3-urllib3_1.26.20.bb} | 2 +-
.../rust/rust-cross-canadian.inc | 2 +
.../xorg-driver/xf86-video-intel_git.bb | 3 +-
.../xserver-xorg/CVE-2025-62229.patch | 89 ++++++++++++++++++
.../xserver-xorg/CVE-2025-62230-1.patch | 63 +++++++++++++
.../xserver-xorg/CVE-2025-62230-2.patch | 92 +++++++++++++++++++
.../xserver-xorg/CVE-2025-62231.patch | 53 +++++++++++
.../xorg-xserver/xserver-xorg_21.1.8.bb | 4 +
.../recipes-kernel/lttng/babeltrace2_2.0.5.bb | 2 +-
meta/recipes-support/curl/curl_7.82.0.bb | 2 +
12 files changed, 312 insertions(+), 5 deletions(-)
rename meta/recipes-devtools/python/{python3-urllib3_1.26.18.bb => python3-urllib3_1.26.20.bb} (87%)
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-62229.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-62230-1.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-62230-2.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-62231.patch
--
2.43.0
* [OE-core][kirkstone 00/10] Patch review
@ 2025-12-02 15:09 Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 01/10] gnutls: patch CVE-2025-9820 Steve Sakoman
` (9 more replies)
0 siblings, 10 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-12-02 15:09 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, December 4
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2808
The following changes since commit ceef3cde9b761b7b5de6f7b6b1fb8e99663af9ca:
flac: patch seeking bug (2025-11-24 07:34:36 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (4):
go: fix CVE-2025-58187
go: fix CVE-2025-58189
go: fix CVE-2025-61723
go: fix CVE-2025-61724
Gyorgy Sarvari (1):
systemd-bootchart: update SRC_URI branch
Peter Marko (5):
gnutls: patch CVE-2025-9820
libpng: patch CVE-2025-64505
libpng: patch CVE-2025-64506
libpng: patch CVE-2025-64720
libpng: patch CVE-2025-65018
meta/recipes-devtools/go/go-1.17.13.inc | 4 +
.../go/go-1.18/CVE-2025-58187.patch | 349 ++++++++++++++++++
.../go/go-1.18/CVE-2025-58189.patch | 51 +++
.../go/go-1.18/CVE-2025-61723.patch | 221 +++++++++++
.../go/go-1.18/CVE-2025-61724.patch | 74 ++++
.../systemd-bootchart_234.bb | 2 +-
.../libpng/files/CVE-2025-64505-01.patch | 111 ++++++
.../libpng/files/CVE-2025-64505-02.patch | 163 ++++++++
.../libpng/files/CVE-2025-64505-03.patch | 52 +++
.../libpng/files/CVE-2025-64506.patch | 57 +++
.../libpng/files/CVE-2025-64720.patch | 103 ++++++
.../libpng/files/CVE-2025-65018-01.patch | 60 +++
.../libpng/files/CVE-2025-65018-02.patch | 163 ++++++++
.../libpng/libpng_1.6.39.bb | 7 +
.../gnutls/gnutls/CVE-2025-9820.patch | 250 +++++++++++++
meta/recipes-support/gnutls/gnutls_3.7.4.bb | 1 +
16 files changed, 1667 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch
--
2.43.0
* [OE-core][kirkstone 01/10] gnutls: patch CVE-2025-9820
2025-12-02 15:09 [OE-core][kirkstone 00/10] Patch review Steve Sakoman
@ 2025-12-02 15:09 ` Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 02/10] libpng: patch CVE-2025-64505 Steve Sakoman
` (8 subsequent siblings)
9 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-12-02 15:09 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This CVE is announced under [1].
Pick commit which mentions this CVE per [2].
[1] https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18
[2] https://security-tracker.debian.org/tracker/CVE-2025-9820
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../gnutls/gnutls/CVE-2025-9820.patch | 250 ++++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.7.4.bb | 1 +
2 files changed, 251 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch
new file mode 100644
index 0000000000..6ace251fed
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch
@@ -0,0 +1,250 @@
+From 1d56f96f6ab5034d677136b9d50b5a75dff0faf5 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Tue, 18 Nov 2025 13:17:55 +0900
+Subject: [PATCH] pkcs11: avoid stack overwrite when initializing a token
+
+If gnutls_pkcs11_token_init is called with label longer than 32
+characters, the internal storage used to blank-fill it would
+overflow. This adds a guard to prevent that.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+CVE: CVE-2025-9820
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/1d56f96f6ab5034d677136b9d50b5a75dff0faf5]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ NEWS | 4 +
+ lib/pkcs11_write.c | 5 +-
+ tests/Makefile.am | 2 +-
+ tests/pkcs11/long-label.c | 164 ++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 172 insertions(+), 3 deletions(-)
+ create mode 100644 tests/pkcs11/long-label.c
+
+diff --git a/NEWS b/NEWS
+index 0ae3c9991..d6df70ee6 100644
+--- a/NEWS
++++ b/NEWS
+@@ -5,6 +5,10 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc.
+ Copyright (C) 2013-2019 Nikos Mavrogiannopoulos
+ See the end for copying conditions.
+
++** libgnutls: Fix stack overwrite in gnutls_pkcs11_token_init
++ Reported by Luigino Camastra from Aisle Research. [GNUTLS-SA-2025-11-18,
++ CVSS: low] [CVE-2025-9820]
++
+ ** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
+ Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
+ [CVE-2025-6395]
+diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
+index f5e9058e0..64b85a2df 100644
+--- a/lib/pkcs11_write.c
++++ b/lib/pkcs11_write.c
+@@ -28,6 +28,7 @@
+ #include "pkcs11x.h"
+ #include <x509/common.h>
+ #include "pk.h"
++#include "minmax.h"
+
+ static const ck_bool_t tval = 1;
+ static const ck_bool_t fval = 0;
+@@ -1199,7 +1200,7 @@ int gnutls_pkcs11_delete_url(const char *object_url, unsigned int flags)
+ * gnutls_pkcs11_token_init:
+ * @token_url: A PKCS #11 URL specifying a token
+ * @so_pin: Security Officer's PIN
+- * @label: A name to be used for the token
++ * @label: A name to be used for the token, at most 32 characters
+ *
+ * This function will initialize (format) a token. If the token is
+ * at a factory defaults state the security officer's PIN given will be
+@@ -1238,7 +1239,7 @@ gnutls_pkcs11_token_init(const char *token_url,
+ /* so it seems memset has other uses than zeroing! */
+ memset(flabel, ' ', sizeof(flabel));
+ if (label != NULL)
+- memcpy(flabel, label, strlen(label));
++ memcpy(flabel, label, MIN(sizeof(flabel), strlen(label)));
+
+ rv = pkcs11_init_token(module, slot, (uint8_t *) so_pin,
+ strlen(so_pin), (uint8_t *) flabel);
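Review bot: the new memcpy length MIN(sizeof(flabel), strlen(label)) silently truncates an over-long label, so gnutls_pkcs11_token_init reports success for a token whose label differs from the one the caller passed. The doc comment changed earlier in this file only says "at most 32 characters"; either state there that longer labels are cut to sizeof(flabel) bytes, or reject them with an error before the copy so the caller learns about the mismatch.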
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index be4966f4b..8327c90ca 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -485,7 +485,7 @@ buffer_CPPFLAGS = $(AM_CPPFLAGS) \
+ if ENABLE_PKCS11
+ if !WINDOWS
+ ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key \
+- global-init-override
++ global-init-override pkcs11/long-label
+ tls13_post_handshake_with_cert_pkcs11_DEPENDENCIES = libpkcs11mock2.la libutils.la
+ tls13_post_handshake_with_cert_pkcs11_LDADD = $(LDADD) $(LIBDL)
+ pkcs11_tls_neg_pkcs11_no_key_DEPENDENCIES = libpkcs11mock2.la libutils.la
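Review bot: pkcs11/long-label is added to ctests without the per-test _DEPENDENCIES and _LDADD lines that the neighbouring PKCS #11 tests in this hunk carry, although the new test calls fail() when P11MOCKLIB4 is unset and needs a SoftHSM binary. For the 3.7.4 backport, confirm that this tree's test environment exports P11MOCKLIB4 and builds the matching mock module; only libpkcs11mock2.la is visible in the context here.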
+diff --git a/tests/pkcs11/long-label.c b/tests/pkcs11/long-label.c
+new file mode 100644
+index 000000000..a70bc9728
+--- /dev/null
++++ b/tests/pkcs11/long-label.c
+@@ -0,0 +1,164 @@
++/*
++ * Copyright (C) 2025 Red Hat, Inc.
++ *
++ * Author: Daiki Ueno
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program. If not, see <https://www.gnu.org/licenses/>
++ */
++
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++
++#if defined(_WIN32)
++
++int main(void)
++{
++ exit(77);
++}
++
++#else
++
++#include <string.h>
++#include <unistd.h>
++#include <gnutls/gnutls.h>
++
++#include "cert-common.h"
++#include "pkcs11/softhsm.h"
++#include "utils.h"
++
++/* This program tests that a token can be initialized with
++ * a label longer than 32 characters.
++ */
++
++static void tls_log_func(int level, const char *str)
++{
++ fprintf(stderr, "server|<%d>| %s", level, str);
++}
++
++#define PIN "1234"
++
++#define CONFIG_NAME "softhsm-long-label"
++#define CONFIG CONFIG_NAME ".config"
++
++static int pin_func(void *userdata, int attempt, const char *url,
++ const char *label, unsigned flags, char *pin,
++ size_t pin_max)
++{
++ if (attempt == 0) {
++ strcpy(pin, PIN);
++ return 0;
++ }
++ return -1;
++}
++
++static void test(const char *provider)
++{
++ int ret;
++ size_t i;
++
++ gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
++
++ success("test with %s\n", provider);
++
++ if (debug) {
++ gnutls_global_set_log_function(tls_log_func);
++ gnutls_global_set_log_level(4711);
++ }
++
++ /* point to SoftHSM token that libpkcs11mock4.so internally uses */
++ setenv(SOFTHSM_ENV, CONFIG, 1);
++
++ gnutls_pkcs11_set_pin_function(pin_func, NULL);
++
++ ret = gnutls_pkcs11_add_provider(provider, "trusted");
++ if (ret != 0) {
++ fail("gnutls_pkcs11_add_provider: %s\n", gnutls_strerror(ret));
++ }
++
++ /* initialize softhsm token */
++ ret = gnutls_pkcs11_token_init(
++ SOFTHSM_URL, PIN,
++ "this is a very long label whose length exceeds 32");
++ if (ret < 0) {
++ fail("gnutls_pkcs11_token_init: %s\n", gnutls_strerror(ret));
++ }
++
++ for (i = 0;; i++) {
++ char *url = NULL;
++
++ ret = gnutls_pkcs11_token_get_url(i, 0, &url);
++ if (ret < 0)
++ break;
++ if (strstr(url,
++ "token=this%20is%20a%20very%20long%20label%20whose"))
++ break;
++ }
++ if (ret < 0)
++ fail("gnutls_pkcs11_token_get_url: %s\n", gnutls_strerror(ret));
++
++ gnutls_pkcs11_deinit();
++}
++
++void doit(void)
++{
++ const char *bin;
++ const char *lib;
++ char buf[128];
++
++ if (gnutls_fips140_mode_enabled())
++ exit(77);
++
++ /* this must be called once in the program */
++ global_init();
++
++ /* we call gnutls_pkcs11_init manually */
++ gnutls_pkcs11_deinit();
++
++ /* check if softhsm module is loadable */
++ lib = softhsm_lib();
++
++ /* initialize SoftHSM token that libpkcs11mock4.so internally uses */
++ bin = softhsm_bin();
++
++ set_softhsm_conf(CONFIG);
++ snprintf(buf, sizeof(buf),
++ "%s --init-token --slot 0 --label test --so-pin " PIN
++ " --pin " PIN,
++ bin);
++ system(buf);
++
++ test(lib);
++
++ lib = getenv("P11MOCKLIB4");
++ if (lib == NULL) {
++ fail("P11MOCKLIB4 is not set\n");
++ }
++
++ set_softhsm_conf(CONFIG);
++ snprintf(buf, sizeof(buf),
++ "%s --init-token --slot 0 --label test --so-pin " PIN
++ " --pin " PIN,
++ bin);
++ system(buf);
++
++ test(lib);
++}
++#endif /* _WIN32 */
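Review bot: the strstr() check in test() matches only the prefix "this is a very long label whose", so it passes for any stored label that starts that way and never asserts that the label stops at 32 bytes; the overwrite itself is only caught if the process crashes or a sanitizer is active. Smaller points in the same file: url returned by gnutls_pkcs11_token_get_url is never freed in the loop, the return values of both system(buf) calls in doit() are ignored so a failed token init goes unnoticed, and the licence header names the GNU General Public License in one paragraph and the GNU Lesser General Public License in the next.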
diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
index 8c8e08855b..e4dd47aea4 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -38,6 +38,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://CVE-2025-32988.patch \
file://CVE-2025-32990.patch \
file://CVE-2025-6395.patch \
+ file://CVE-2025-9820.patch \
"
SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"
--
2.43.0
* [OE-core][kirkstone 02/10] libpng: patch CVE-2025-64505
2025-12-02 15:09 [OE-core][kirkstone 00/10] Patch review Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 01/10] gnutls: patch CVE-2025-9820 Steve Sakoman
@ 2025-12-02 15:09 ` Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 03/10] libpng: patch CVE-2025-64506 Steve Sakoman
` (7 subsequent siblings)
9 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-12-02 15:09 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit per NVD report.
Add two patches to apply it cleanly.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libpng/files/CVE-2025-64505-01.patch | 111 ++++++++++++
.../libpng/files/CVE-2025-64505-02.patch | 163 ++++++++++++++++++
.../libpng/files/CVE-2025-64505-03.patch | 52 ++++++
.../libpng/libpng_1.6.39.bb | 3 +
4 files changed, 329 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
new file mode 100644
index 0000000000..c8ca222d14
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
@@ -0,0 +1,111 @@
+From 0fa3c0f698c2ca618a0fa44e10a822678df85373 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Thu, 15 Feb 2024 21:53:24 +0200
+Subject: [PATCH] chore: Clean up the spurious uses of `sizeof(png_byte)`; fix
+ the manual
+
+By definition, `sizeof(png_byte)` is 1.
+
+Remove all the occurences of `sizeof(png_byte)` from the code, and fix
+a related typo in the libpng manual.
+
+Also update the main .editorconfig file to reflect the fixing expected
+by a FIXME note.
+
+CVE: CVE-2025-64505
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/0fa3c0f698c2ca618a0fa44e10a822678df85373]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libpng-manual.txt | 4 ++--
+ libpng.3 | 4 ++--
+ pngrtran.c | 17 +++++++----------
+ 3 files changed, 11 insertions(+), 14 deletions(-)
+
+diff --git a/libpng-manual.txt b/libpng-manual.txt
+index eb24ef483..d2918ce31 100644
+--- a/libpng-manual.txt
++++ b/libpng-manual.txt
+@@ -1180,11 +1180,11 @@ where row_pointers is an array of pointers to the pixel data for each row:
+ If you know your image size and pixel size ahead of time, you can allocate
+ row_pointers prior to calling png_read_png() with
+
+- if (height > PNG_UINT_32_MAX/(sizeof (png_byte)))
++ if (height > PNG_UINT_32_MAX / (sizeof (png_bytep)))
+ png_error (png_ptr,
+ "Image is too tall to process in memory");
+
+- if (width > PNG_UINT_32_MAX/pixel_size)
++ if (width > PNG_UINT_32_MAX / pixel_size)
+ png_error (png_ptr,
+ "Image is too wide to process in memory");
+
+diff --git a/libpng.3 b/libpng.3
+index 57d06f2db..8875b219a 100644
+--- a/libpng.3
++++ b/libpng.3
+@@ -1699,11 +1699,11 @@ where row_pointers is an array of pointers to the pixel data for each row:
+ If you know your image size and pixel size ahead of time, you can allocate
+ row_pointers prior to calling png_read_png() with
+
+- if (height > PNG_UINT_32_MAX/(sizeof (png_byte)))
++ if (height > PNG_UINT_32_MAX / (sizeof (png_bytep)))
+ png_error (png_ptr,
+ "Image is too tall to process in memory");
+
+- if (width > PNG_UINT_32_MAX/pixel_size)
++ if (width > PNG_UINT_32_MAX / pixel_size)
+ png_error (png_ptr,
+ "Image is too wide to process in memory");
+
+diff --git a/pngrtran.c b/pngrtran.c
+index 74cca476b..041f9306c 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -441,7 +441,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ int i;
+
+ png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
+- (png_alloc_size_t)((png_uint_32)num_palette * (sizeof (png_byte))));
++ (png_alloc_size_t)num_palette);
+ for (i = 0; i < num_palette; i++)
+ png_ptr->quantize_index[i] = (png_byte)i;
+ }
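Review bot: replacing (png_alloc_size_t)((png_uint_32)num_palette * ...) with (png_alloc_size_t)num_palette changes more than the removed sizeof factor, because the value is now converted straight to the allocation type instead of passing through png_uint_32. num_palette is compared against int i in the loop below, which suggests a signed type; for a negative value the two casts give different sizes wherever png_alloc_size_t is wider than 32 bits. A range check on num_palette before the allocation would make the cast harmless, and the same applies to the three later png_malloc calls changed in this file.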
+@@ -458,7 +458,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+
+ /* Initialize an array to sort colors */
+ png_ptr->quantize_sort = (png_bytep)png_malloc(png_ptr,
+- (png_alloc_size_t)((png_uint_32)num_palette * (sizeof (png_byte))));
++ (png_alloc_size_t)num_palette);
+
+ /* Initialize the quantize_sort array */
+ for (i = 0; i < num_palette; i++)
+@@ -592,11 +592,9 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+
+ /* Initialize palette index arrays */
+ png_ptr->index_to_palette = (png_bytep)png_malloc(png_ptr,
+- (png_alloc_size_t)((png_uint_32)num_palette *
+- (sizeof (png_byte))));
++ (png_alloc_size_t)num_palette);
+ png_ptr->palette_to_index = (png_bytep)png_malloc(png_ptr,
+- (png_alloc_size_t)((png_uint_32)num_palette *
+- (sizeof (png_byte))));
++ (png_alloc_size_t)num_palette);
+
+ /* Initialize the sort array */
+ for (i = 0; i < num_palette; i++)
+@@ -761,12 +759,11 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ size_t num_entries = ((size_t)1 << total_bits);
+
+ png_ptr->palette_lookup = (png_bytep)png_calloc(png_ptr,
+- (png_alloc_size_t)(num_entries * (sizeof (png_byte))));
++ (png_alloc_size_t)(num_entries));
+
+- distance = (png_bytep)png_malloc(png_ptr, (png_alloc_size_t)(num_entries *
+- (sizeof (png_byte))));
++ distance = (png_bytep)png_malloc(png_ptr, (png_alloc_size_t)num_entries);
+
+- memset(distance, 0xff, num_entries * (sizeof (png_byte)));
++ memset(distance, 0xff, num_entries);
+
+ for (i = 0; i < num_palette; i++)
+ {
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
new file mode 100644
index 0000000000..5a3e50b642
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
@@ -0,0 +1,163 @@
+From ea094764f3436e3c6524622724c2d342a3eff235 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sat, 8 Nov 2025 17:16:59 +0200
+Subject: [PATCH] Fix a memory leak in function `png_set_quantize`; refactor
+
+Release the previously-allocated array `quantize_index` before
+reallocating it. This avoids leaking memory when the function
+`png_set_quantize` is called multiple times on the same `png_struct`.
+
+This function assumed single-call usage, but fuzzing revealed that
+repeated calls would overwrite the pointers without freeing the
+original allocations, leaking 256 bytes per call for `quantize_index`
+and additional memory for `quantize_sort` when histogram-based
+quantization is used.
+
+Also remove the array `quantize_sort` from the list of `png_struct`
+members and make it a local variable. This array is initialized,
+used and released exclusively inside the function `png_set_quantize`.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Analyzed-by: degrigis <degrigis@users.noreply.github.com>
+Reviewed-by: John Bowler <jbowler@acm.org>
+
+CVE: CVE-2025-64505
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/ea094764f3436e3c6524622724c2d342a3eff235]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngrtran.c | 43 +++++++++++++++++++++++--------------------
+ pngstruct.h | 1 -
+ 2 files changed, 23 insertions(+), 21 deletions(-)
+
+diff --git a/pngrtran.c b/pngrtran.c
+index 1809db704..4632dd521 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -440,6 +440,12 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ {
+ int i;
+
++ /* Initialize the array to index colors.
++ *
++ * Be careful to avoid leaking memory. Applications are allowed to call
++ * this function more than once per png_struct.
++ */
++ png_free(png_ptr, png_ptr->quantize_index);
+ png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
+ (png_alloc_size_t)num_palette);
+ for (i = 0; i < num_palette; i++)
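Review bot: png_ptr->quantize_index keeps the freed pointer between the added png_free and the assignment from png_malloc, so if png_malloc reports failure through png_error instead of returning, the member is left dangling for any later cleanup that frees it again. Setting png_ptr->quantize_index = NULL directly after the png_free call closes that window at no cost.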
+@@ -454,15 +460,14 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ * Perhaps not the best solution, but good enough.
+ */
+
+- int i;
++ png_bytep quantize_sort;
++ int i, j;
+
+- /* Initialize an array to sort colors */
+- png_ptr->quantize_sort = (png_bytep)png_malloc(png_ptr,
++ /* Initialize the local array to sort colors. */
++ quantize_sort = (png_bytep)png_malloc(png_ptr,
+ (png_alloc_size_t)num_palette);
+-
+- /* Initialize the quantize_sort array */
+ for (i = 0; i < num_palette; i++)
+- png_ptr->quantize_sort[i] = (png_byte)i;
++ quantize_sort[i] = (png_byte)i;
+
+ /* Find the least used palette entries by starting a
+ * bubble sort, and running it until we have sorted
+@@ -474,19 +479,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ for (i = num_palette - 1; i >= maximum_colors; i--)
+ {
+ int done; /* To stop early if the list is pre-sorted */
+- int j;
+
+ done = 1;
+ for (j = 0; j < i; j++)
+ {
+- if (histogram[png_ptr->quantize_sort[j]]
+- < histogram[png_ptr->quantize_sort[j + 1]])
++ if (histogram[quantize_sort[j]]
++ < histogram[quantize_sort[j + 1]])
+ {
+ png_byte t;
+
+- t = png_ptr->quantize_sort[j];
+- png_ptr->quantize_sort[j] = png_ptr->quantize_sort[j + 1];
+- png_ptr->quantize_sort[j + 1] = t;
++ t = quantize_sort[j];
++ quantize_sort[j] = quantize_sort[j + 1];
++ quantize_sort[j + 1] = t;
+ done = 0;
+ }
+ }
+@@ -498,18 +502,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ /* Swap the palette around, and set up a table, if necessary */
+ if (full_quantize != 0)
+ {
+- int j = num_palette;
++ j = num_palette;
+
+ /* Put all the useful colors within the max, but don't
+ * move the others.
+ */
+ for (i = 0; i < maximum_colors; i++)
+ {
+- if ((int)png_ptr->quantize_sort[i] >= maximum_colors)
++ if ((int)quantize_sort[i] >= maximum_colors)
+ {
+ do
+ j--;
+- while ((int)png_ptr->quantize_sort[j] >= maximum_colors);
++ while ((int)quantize_sort[j] >= maximum_colors);
+
+ palette[i] = palette[j];
+ }
+@@ -517,7 +521,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ }
+ else
+ {
+- int j = num_palette;
++ j = num_palette;
+
+ /* Move all the used colors inside the max limit, and
+ * develop a translation table.
+@@ -525,13 +529,13 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ for (i = 0; i < maximum_colors; i++)
+ {
+ /* Only move the colors we need to */
+- if ((int)png_ptr->quantize_sort[i] >= maximum_colors)
++ if ((int)quantize_sort[i] >= maximum_colors)
+ {
+ png_color tmp_color;
+
+ do
+ j--;
+- while ((int)png_ptr->quantize_sort[j] >= maximum_colors);
++ while ((int)quantize_sort[j] >= maximum_colors);
+
+ tmp_color = palette[j];
+ palette[j] = palette[i];
+@@ -569,8 +573,7 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ }
+ }
+ }
+- png_free(png_ptr, png_ptr->quantize_sort);
+- png_ptr->quantize_sort = NULL;
++ png_free(png_ptr, quantize_sort);
+ }
+ else
+ {
+diff --git a/pngstruct.h b/pngstruct.h
+index 084422bc1..fe5fa0415 100644
+--- a/pngstruct.h
++++ b/pngstruct.h
+@@ -413,7 +413,6 @@ struct png_struct_def
+
+ #ifdef PNG_READ_QUANTIZE_SUPPORTED
+ /* The following three members were added at version 1.0.14 and 1.2.4 */
+- png_bytep quantize_sort; /* working sort array */
+ png_bytep index_to_palette; /* where the original index currently is
+ in the palette */
+ png_bytep palette_to_index; /* which original index points to this
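Review bot: with quantize_sort removed, the context comment "The following three members were added at version 1.0.14 and 1.2.4" no longer matches the two members that remain under it. Update the count in the same hunk so the struct documentation stays accurate.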
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
new file mode 100644
index 0000000000..ddda8678ce
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
@@ -0,0 +1,52 @@
+From 6a528eb5fd0dd7f6de1c39d30de0e41473431c37 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sat, 8 Nov 2025 23:58:26 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_do_quantize`
+
+Allocate the quantize_index array to PNG_MAX_PALETTE_LENGTH (256 bytes)
+instead of num_palette bytes. This approach matches the allocation
+pattern for `palette[]`, `trans_alpha[]` and `riffled_palette[]` which
+were similarly oversized in libpng 1.2.1 to prevent buffer overflows
+from malformed PNG files with out-of-range palette indices.
+
+Out-of-range palette indices `index >= num_palette` will now read
+identity-mapped values from the `quantize_index` array (where index N
+maps to palette entry N). This prevents undefined behavior while
+avoiding runtime bounds checking overhead in the performance-critical
+pixel processing loop.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Analyzed-by: degrigis <degrigis@users.noreply.github.com>
+
+CVE: CVE-2025-64505
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngrtran.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/pngrtran.c b/pngrtran.c
+index 4632dd521..9c2475fde 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -441,14 +441,18 @@ png_set_quantize(png_structrp png_ptr, png_colorp palette,
+ int i;
+
+ /* Initialize the array to index colors.
++ *
++ * Ensure quantize_index can fit 256 elements (PNG_MAX_PALETTE_LENGTH)
++ * rather than num_palette elements. This is to prevent buffer overflows
++ * caused by malformed PNG files with out-of-range palette indices.
+ *
+ * Be careful to avoid leaking memory. Applications are allowed to call
+ * this function more than once per png_struct.
+ */
+ png_free(png_ptr, png_ptr->quantize_index);
+ png_ptr->quantize_index = (png_bytep)png_malloc(png_ptr,
+- (png_alloc_size_t)num_palette);
+- for (i = 0; i < num_palette; i++)
++ PNG_MAX_PALETTE_LENGTH);
++ for (i = 0; i < PNG_MAX_PALETTE_LENGTH; i++)
+ png_ptr->quantize_index[i] = (png_byte)i;
+ }
+
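Review bot: the added comment explains the 256-entry allocation but not what an out-of-range index now yields. The loop stores quantize_index[i] = (png_byte)i for every slot, so such an index is handed back unchanged and is still >= num_palette for whoever consumes the row; say so in the comment. It is also worth noting there that the (png_byte)i store is only lossless while PNG_MAX_PALETTE_LENGTH stays at 256.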
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index 011eec94a2..62e3e81b4f 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -13,6 +13,9 @@ LIBV = "16"
SRC_URI = "\
${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
file://run-ptest \
+ file://CVE-2025-64505-01.patch \
+ file://CVE-2025-64505-02.patch \
+ file://CVE-2025-64505-03.patch \
"
SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"
--
2.43.0
* [OE-core][kirkstone 03/10] libpng: patch CVE-2025-64506
2025-12-02 15:09 [OE-core][kirkstone 00/10] Patch review Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 01/10] gnutls: patch CVE-2025-9820 Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 02/10] libpng: patch CVE-2025-64505 Steve Sakoman
@ 2025-12-02 15:09 ` Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 04/10] libpng: patch CVE-2025-64720 Steve Sakoman
` (6 subsequent siblings)
9 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-12-02 15:09 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit per NVD report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libpng/files/CVE-2025-64506.patch | 57 +++++++++++++++++++
.../libpng/libpng_1.6.39.bb | 1 +
2 files changed, 58 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
new file mode 100644
index 0000000000..696f459971
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
@@ -0,0 +1,57 @@
+From 2bd84c019c300b78e811743fbcddb67c9d9bf821 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Fri, 7 Nov 2025 22:40:05 +0200
+Subject: [PATCH] Fix a heap buffer overflow in `png_write_image_8bit`
+
+The condition guarding the pre-transform path incorrectly allowed 8-bit
+input data to enter `png_write_image_8bit` which expects 16-bit input.
+This caused out-of-bounds reads when processing 8-bit grayscale+alpha
+images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746),
+with the `convert_to_8bit` flag set (an invalid combination that should
+bypass the pre-transform path).
+
+The second part of the condition, i.e.
+
+ colormap == 0 && convert_to_8bit != 0
+
+failed to verify that input was 16-bit, i.e.
+
+ linear != 0
+
+contradicting the comment "This only applies when the input is 16-bit".
+
+The fix consists in restructuring the condition to ensure both the
+`alpha` path and the `convert_to_8bit` path require linear (16-bit)
+input. The corrected condition, i.e.
+
+ linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)
+
+matches the expectation of the `png_write_image_8bit` function and
+prevents treating 8-bit buffers as 16-bit data.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Reported-by: weijinjinnihao <weijinjinnihao@users.noreply.github.com>
+Analyzed-by: degrigis <degrigis@users.noreply.github.com>
+Reviewed-by: John Bowler <jbowler@acm.org>
+
+CVE: CVE-2025-64506
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngwrite.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/pngwrite.c b/pngwrite.c
+index 35a5d17b6..83148960e 100644
+--- a/pngwrite.c
++++ b/pngwrite.c
+@@ -2129,8 +2129,7 @@ png_image_write_main(png_voidp argument)
+ * before it is written. This only applies when the input is 16-bit and
+ * either there is an alpha channel or it is converted to 8-bit.
+ */
+- if ((linear != 0 && alpha != 0 ) ||
+- (colormap == 0 && display->convert_to_8bit != 0))
++ if (linear != 0 && (alpha != 0 || display->convert_to_8bit != 0))
+ {
+ png_bytep row = png_voidcast(png_bytep, png_malloc(png_ptr,
+ png_get_rowbytes(png_ptr, info_ptr)));
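Review bot: the rewritten condition no longer tests colormap == 0, so it relies on linear != 0 never being true for colormapped input; that invariant is not visible in this hunk and deserves a sentence in the comment above the if. The diffstat also lists only pngwrite.c, so the 8-bit grayscale+alpha and RGB cases named in the patch description get no regression test with this change.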
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index 62e3e81b4f..cc35e7a725 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -16,6 +16,7 @@ SRC_URI = "\
file://CVE-2025-64505-01.patch \
file://CVE-2025-64505-02.patch \
file://CVE-2025-64505-03.patch \
+ file://CVE-2025-64506.patch \
"
SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"
--
2.43.0
* [OE-core][kirkstone 04/10] libpng: patch CVE-2025-64720
2025-12-02 15:09 [OE-core][kirkstone 00/10] Patch review Steve Sakoman
` (2 preceding siblings ...)
2025-12-02 15:09 ` [OE-core][kirkstone 03/10] libpng: patch CVE-2025-64506 Steve Sakoman
@ 2025-12-02 15:09 ` Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 05/10] libpng: patch CVE-2025-65018 Steve Sakoman
` (5 subsequent siblings)
9 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-12-02 15:09 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commit per NVD report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libpng/files/CVE-2025-64720.patch | 103 ++++++++++++++++++
.../libpng/libpng_1.6.39.bb | 1 +
2 files changed, 104 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
new file mode 100644
index 0000000000..08df7c3210
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
@@ -0,0 +1,103 @@
+From 08da33b4c88cfcd36e5a706558a8d7e0e4773643 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Wed, 12 Nov 2025 13:46:23 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_init_read_transformations`
+
+The palette compositing code in `png_init_read_transformations` was
+incorrectly applying background compositing when PNG_FLAG_OPTIMIZE_ALPHA
+was set. This violated the premultiplied alpha invariant
+`component <= alpha` expected by `png_image_read_composite`, causing
+values that exceeded the valid range for the PNG_sRGB_FROM_LINEAR lookup
+tables.
+
+When PNG_ALPHA_OPTIMIZED is active, palette entries should contain pure
+premultiplied RGB values without background compositing. The background
+compositing must happen later in `png_image_read_composite` where the
+actual background color from the PNG file is available.
+
+The fix consists in introducing conditional behavior based on
+PNG_FLAG_OPTIMIZE_ALPHA: when set, the code performs only
+premultiplication using the formula `component * alpha + 127) / 255`
+with proper gamma correction. When not set, the original background
+compositing calculation based on the `png_composite` macro is preserved.
+
+This prevents buffer overflows in `png_image_read_composite` where
+out-of-range premultiplied values would cause out-of-bounds array access
+in `png_sRGB_base[]` and `png_sRGB_delta[]`.
+
+Reported-by: Samsung-PENTEST <Samsung-PENTEST@users.noreply.github.com>
+Analyzed-by: John Bowler <jbowler@acm.org>
+
+CVE: CVE-2025-64720
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngrtran.c | 52 ++++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 42 insertions(+), 10 deletions(-)
+
+diff --git a/pngrtran.c b/pngrtran.c
+index 548780030..2f5202255 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -1698,19 +1698,51 @@ png_init_read_transformations(png_structrp png_ptr)
+ }
+ else /* if (png_ptr->trans_alpha[i] != 0xff) */
+ {
+- png_byte v, w;
++ if ((png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0)
++ {
++ /* Premultiply only:
++ * component = round((component * alpha) / 255)
++ */
++ png_uint_32 component;
+
+- v = png_ptr->gamma_to_1[palette[i].red];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.red);
+- palette[i].red = png_ptr->gamma_from_1[w];
++ component = png_ptr->gamma_to_1[palette[i].red];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].red = png_ptr->gamma_from_1[component];
+
+- v = png_ptr->gamma_to_1[palette[i].green];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.green);
+- palette[i].green = png_ptr->gamma_from_1[w];
++ component = png_ptr->gamma_to_1[palette[i].green];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].green = png_ptr->gamma_from_1[component];
+
+- v = png_ptr->gamma_to_1[palette[i].blue];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.blue);
+- palette[i].blue = png_ptr->gamma_from_1[w];
++ component = png_ptr->gamma_to_1[palette[i].blue];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].blue = png_ptr->gamma_from_1[component];
++ }
++ else
++ {
++ /* Composite with background color:
++ * component =
++ * alpha * component + (1 - alpha) * background
++ */
++ png_byte v, w;
++
++ v = png_ptr->gamma_to_1[palette[i].red];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.red);
++ palette[i].red = png_ptr->gamma_from_1[w];
++
++ v = png_ptr->gamma_to_1[palette[i].green];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.green);
++ palette[i].green = png_ptr->gamma_from_1[w];
++
++ v = png_ptr->gamma_to_1[palette[i].blue];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.blue);
++ palette[i].blue = png_ptr->gamma_from_1[w];
++ }
+ }
+ }
+ else
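Review bot: In the new PNG_FLAG_OPTIMIZE_ALPHA branch, `(component * png_ptr->trans_alpha[i] + 128) / 255` does not quite implement the `round(...)` that the comment above it promises: a product of 127 (for example component 127 with alpha 1) yields 1, while 127/255 rounds to 0. Adding 127 instead of 128 gives round-to-nearest for a divisor of 255. Because this is a backport (see the Upstream-Status line), the hunk should stay identical to upstream and the point be raised there. The comment could also state that the result cannot exceed 255 when both operands are bytes ((255 * 255 + 128) / 255 = 255), since the value is used directly as the index into `gamma_from_1[]`.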
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index cc35e7a725..efb8eba372 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -17,6 +17,7 @@ SRC_URI = "\
file://CVE-2025-64505-02.patch \
file://CVE-2025-64505-03.patch \
file://CVE-2025-64506.patch \
+ file://CVE-2025-64720.patch \
"
SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"
--
2.43.0
* [OE-core][kirkstone 05/10] libpng: patch CVE-2025-65018
2025-12-02 15:09 [OE-core][kirkstone 00/10] Patch review Steve Sakoman
` (3 preceding siblings ...)
2025-12-02 15:09 ` [OE-core][kirkstone 04/10] libpng: patch CVE-2025-64720 Steve Sakoman
@ 2025-12-02 15:09 ` Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 06/10] go: fix CVE-2025-58187 Steve Sakoman
` (4 subsequent siblings)
9 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-12-02 15:09 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick commits per NVD report.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libpng/files/CVE-2025-65018-01.patch | 60 +++++++
.../libpng/files/CVE-2025-65018-02.patch | 163 ++++++++++++++++++
.../libpng/libpng_1.6.39.bb | 2 +
3 files changed, 225 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
new file mode 100644
index 0000000000..a3e31ea6ac
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
@@ -0,0 +1,60 @@
+From 16b5e3823918840aae65c0a6da57c78a5a496a4d Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Mon, 17 Nov 2025 20:38:47 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_image_finish_read`
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reject bit-depth mismatches between IHDR and the requested output
+format. When a 16-bit PNG is processed with an 8-bit output format
+request, `png_combine_row` writes using the IHDR depth before
+transformation, causing writes beyond the buffer allocated via
+`PNG_IMAGE_SIZE(image)`.
+
+The validation establishes a safe API contract where
+`PNG_IMAGE_SIZE(image)` is guaranteed to be sufficient across the
+transformation pipeline.
+
+Example overflow (32×32 pixels, 16-bit RGB to 8-bit RGBA):
+- Input format: 16 bits/channel × 3 channels = 6144 bytes
+- Output buffer: 8 bits/channel × 4 channels = 4096 bytes
+- Overflow: 6144 bytes - 4096 bytes = 2048 bytes
+
+Larger images produce proportionally larger overflows. For example,
+for 256×256 pixels, the overflow is 131072 bytes.
+
+Reported-by: yosiimich <yosiimich@users.noreply.github.com>
+
+CVE: CVE-2025-65018
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngread.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/pngread.c b/pngread.c
+index 212afb7d2..92571ec33 100644
+--- a/pngread.c
++++ b/pngread.c
+@@ -4164,6 +4164,20 @@ png_image_finish_read(png_imagep image, png_const_colorp background,
+ int result;
+ png_image_read_control display;
+
++ /* Reject bit depth mismatches to avoid buffer overflows. */
++ png_uint_32 ihdr_bit_depth =
++ image->opaque->png_ptr->bit_depth;
++ int requested_linear =
++ (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
++ if (ihdr_bit_depth == 16 && !requested_linear)
++ return png_image_error(image,
++ "png_image_finish_read: "
++ "16-bit PNG must use 16-bit output format");
++ if (ihdr_bit_depth < 16 && requested_linear)
++ return png_image_error(image,
++ "png_image_finish_read: "
++ "8-bit PNG must not use 16-bit output format");
++
+ memset(&display, 0, (sizeof display));
+ display.image = image;
+ display.buffer = buffer;
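Review bot: The second check, `ihdr_bit_depth < 16 && requested_linear`, rejects 8-bit input with a 16-bit output request, which is not the case the commit message's overflow example describes (16-bit input, 8-bit output buffer); the message should say why that direction is refused too. CVE-2025-65018-02.patch in this same series removes both checks again as "unnecessarily limiting", so the recipe should never carry -01 without -02. A short comment next to the two SRC_URI entries saying they must stay together would prevent a partial cherry-pick from shipping the restrictive behaviour.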
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
new file mode 100644
index 0000000000..b64a45e9f3
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
@@ -0,0 +1,163 @@
+From 218612ddd6b17944e21eda56caf8b4bf7779d1ea Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Wed, 19 Nov 2025 21:45:13 +0200
+Subject: [PATCH] Rearchitect the fix to the buffer overflow in
+ `png_image_finish_read`
+
+Undo the fix from commit 16b5e3823918840aae65c0a6da57c78a5a496a4d.
+That fix turned out to be unnecessarily limiting. It rejected all
+16-to-8 bit transformations, although the vulnerability only affects
+interlaced PNGs where `png_combine_row` writes using IHDR bit-depth
+before the transformation completes.
+
+The proper solution is to add an intermediate `local_row` buffer,
+specifically for the slow but necessary step of 16-to-8 bit conversion
+of interlaced images. (The processing of non-interlaced images remains
+intact, using the fast path.) We added the flag `do_local_scale` and
+the function `png_image_read_direct_scaled`, following the pattern that
+involves `do_local_compose`.
+
+In conclusion:
+- The 16-to-8 bit transformations of interlaced images are now safe,
+ as they use an intermediate buffer.
+- The 16-to-8 bit transformations of non-interlaced images remain safe,
+ as the fast path remains unchanged.
+- All our regression tests are now passing.
+
+CVE: CVE-2025-65018
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngread.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 75 insertions(+), 14 deletions(-)
+
+diff --git a/pngread.c b/pngread.c
+index 92571ec33..79917daaa 100644
+--- a/pngread.c
++++ b/pngread.c
+@@ -3260,6 +3260,54 @@ png_image_read_colormapped(png_voidp argument)
+ }
+ }
+
++/* Row reading for interlaced 16-to-8 bit depth conversion with local buffer. */
++static int
++png_image_read_direct_scaled(png_voidp argument)
++{
++ png_image_read_control *display = png_voidcast(png_image_read_control*,
++ argument);
++ png_imagep image = display->image;
++ png_structrp png_ptr = image->opaque->png_ptr;
++ png_bytep local_row = png_voidcast(png_bytep, display->local_row);
++ png_bytep first_row = png_voidcast(png_bytep, display->first_row);
++ ptrdiff_t row_bytes = display->row_bytes;
++ int passes;
++
++ /* Handle interlacing. */
++ switch (png_ptr->interlaced)
++ {
++ case PNG_INTERLACE_NONE:
++ passes = 1;
++ break;
++
++ case PNG_INTERLACE_ADAM7:
++ passes = PNG_INTERLACE_ADAM7_PASSES;
++ break;
++
++ default:
++ png_error(png_ptr, "unknown interlace type");
++ }
++
++ /* Read each pass using local_row as intermediate buffer. */
++ while (--passes >= 0)
++ {
++ png_uint_32 y = image->height;
++ png_bytep output_row = first_row;
++
++ for (; y > 0; --y)
++ {
++ /* Read into local_row (gets transformed 8-bit data). */
++ png_read_row(png_ptr, local_row, NULL);
++
++ /* Copy from local_row to user buffer. */
++ memcpy(output_row, local_row, (size_t)row_bytes);
++ output_row += row_bytes;
++ }
++ }
++
++ return 1;
++}
++
+ /* Just the row reading part of png_image_read. */
+ static int
+ png_image_read_composite(png_voidp argument)
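Review bot: In png_image_read_direct_scaled, `memcpy(output_row, local_row, (size_t)row_bytes)` takes its length from the caller's stride (`display->row_bytes`, a signed `ptrdiff_t`), while the later hunk allocates `local_row` with `png_get_rowbytes(png_ptr, info_ptr)`. If the stride is larger than the transformed row, the copy reads past the end of `local_row`; if it is negative, the cast to `size_t` turns it into a huge length. Suggest copying the `png_get_rowbytes()` length and keeping `row_bytes` only for advancing `output_row`, or at least checking the stride against the allocation size before the loop.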
+@@ -3678,6 +3726,7 @@ png_image_read_direct(png_voidp argument)
+ int linear = (format & PNG_FORMAT_FLAG_LINEAR) != 0;
+ int do_local_compose = 0;
+ int do_local_background = 0; /* to avoid double gamma correction bug */
++ int do_local_scale = 0; /* for interlaced 16-to-8 bit conversion */
+ int passes = 0;
+
+ /* Add transforms to ensure the correct output format is produced then check
+@@ -3804,8 +3853,16 @@ png_image_read_direct(png_voidp argument)
+ png_set_expand_16(png_ptr);
+
+ else /* 8-bit output */
++ {
+ png_set_scale_16(png_ptr);
+
++ /* For interlaced images, use local_row buffer to avoid overflow
++ * in png_combine_row() which writes using IHDR bit-depth.
++ */
++ if (png_ptr->interlaced != 0)
++ do_local_scale = 1;
++ }
++
+ change &= ~PNG_FORMAT_FLAG_LINEAR;
+ }
+
+@@ -4081,6 +4138,24 @@ png_image_read_direct(png_voidp argument)
+ return result;
+ }
+
++ else if (do_local_scale != 0)
++ {
++ /* For interlaced 16-to-8 conversion, use an intermediate row buffer
++ * to avoid buffer overflows in png_combine_row. The local_row is sized
++ * for the transformed (8-bit) output, preventing the overflow that would
++ * occur if png_combine_row wrote 16-bit data directly to the user buffer.
++ */
++ int result;
++ png_voidp row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr));
++
++ display->local_row = row;
++ result = png_safe_execute(image, png_image_read_direct_scaled, display);
++ display->local_row = NULL;
++ png_free(png_ptr, row);
++
++ return result;
++ }
++
+ else
+ {
+ png_alloc_size_t row_bytes = (png_alloc_size_t)display->row_bytes;
+@@ -4164,20 +4239,6 @@ png_image_finish_read(png_imagep image, png_const_colorp background,
+ int result;
+ png_image_read_control display;
+
+- /* Reject bit depth mismatches to avoid buffer overflows. */
+- png_uint_32 ihdr_bit_depth =
+- image->opaque->png_ptr->bit_depth;
+- int requested_linear =
+- (image->format & PNG_FORMAT_FLAG_LINEAR) != 0;
+- if (ihdr_bit_depth == 16 && !requested_linear)
+- return png_image_error(image,
+- "png_image_finish_read: "
+- "16-bit PNG must use 16-bit output format");
+- if (ihdr_bit_depth < 16 && requested_linear)
+- return png_image_error(image,
+- "png_image_finish_read: "
+- "8-bit PNG must not use 16-bit output format");
+-
+ memset(&display, 0, (sizeof display));
+ display.image = image;
+ display.buffer = buffer;
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index efb8eba372..47b76a704b 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -18,6 +18,8 @@ SRC_URI = "\
file://CVE-2025-64505-03.patch \
file://CVE-2025-64506.patch \
file://CVE-2025-64720.patch \
+ file://CVE-2025-65018-01.patch \
+ file://CVE-2025-65018-02.patch \
"
SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"
--
2.43.0
* [OE-core][kirkstone 06/10] go: fix CVE-2025-58187
2025-12-02 15:09 [OE-core][kirkstone 00/10] Patch review Steve Sakoman
` (4 preceding siblings ...)
2025-12-02 15:09 ` [OE-core][kirkstone 05/10] libpng: patch CVE-2025-65018 Steve Sakoman
@ 2025-12-02 15:09 ` Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 07/10] go: fix CVE-2025-58189 Steve Sakoman
` (3 subsequent siblings)
9 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-12-02 15:09 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
Due to the design of the name constraint checking algorithm, the processing time
of some inputs scales non-linearly with respect to the size of the certificate.
This affects programs which validate arbitrary certificate chains.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.18/CVE-2025-58187.patch | 349 ++++++++++++++++++
2 files changed, 350 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 465f24e108..c5aa3f9786 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -69,6 +69,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \
file://CVE-2025-47907.patch \
file://CVE-2025-47906.patch \
file://CVE-2024-24783.patch \
+ file://CVE-2025-58187.patch \
"
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch b/meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch
new file mode 100644
index 0000000000..810487674c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch
@@ -0,0 +1,349 @@
+From f334417e71f8b078ad64035bddb6df7f8910da6c Mon Sep 17 00:00:00 2001
+From: Neal Patel <nealpatel@google.com>
+Date: Mon, 15 Sep 2025 16:31:22 -0400
+Subject: [PATCH] crypto/x509: improve domain name verification
+
+Don't use domainToReverseLabels to check if domain names are valid,
+since it is not particularly performant, and can contribute to DoS
+vectors. Instead just iterate over the name and enforce the properties
+we care about.
+
+This also enforces that DNS names, both in SANs and name constraints,
+are valid. We previously allowed invalid SANs, because some
+intermediates had these weird names (see #23995), but there are
+currently no trusted intermediates that have this property, and since we
+target the web PKI, supporting this particular case is not a high
+priority.
+
+Thank you to Jakub Ciolek for reporting this issue.
+
+Fixes CVE-2025-58187
+For #75681
+Fixes #75714
+
+Change-Id: I6ebce847dcbe5fc63ef2f9a74f53f11c4c56d3d1
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2820
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2982
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/709839
+Auto-Submit: Michael Pratt <mpratt@google.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+TryBot-Bypass: Michael Pratt <mpratt@google.com>
+
+CVE: CVE-2025-58187
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/f334417e71f8b078ad64035bddb6df7f8910da6c]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/crypto/x509/name_constraints_test.go | 66 ++------------------
+ src/crypto/x509/parser.go | 77 ++++++++++++++----------
+ src/crypto/x509/parser_test.go | 43 +++++++++++++
+ src/crypto/x509/verify.go | 1 +
+ 4 files changed, 95 insertions(+), 92 deletions(-)
+
+diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go
+index c59a7dc..d4f7d41 100644
+--- a/src/crypto/x509/name_constraints_test.go
++++ b/src/crypto/x509/name_constraints_test.go
+@@ -1452,63 +1452,7 @@ var nameConstraintsTests = []nameConstraintsTest{
+ requestedEKUs: []ExtKeyUsage{ExtKeyUsageServerAuth},
+ },
+
+- // An invalid DNS SAN should be detected only at validation time so
+- // that we can process CA certificates in the wild that have invalid SANs.
+- // See https://github.com/golang/go/issues/23995
+-
+- // #77: an invalid DNS or mail SAN will not be detected if name constraint
+- // checking is not triggered.
+- {
+- roots: make([]constraintsSpec, 1),
+- intermediates: [][]constraintsSpec{
+- {
+- {},
+- },
+- },
+- leaf: leafSpec{
+- sans: []string{"dns:this is invalid", "email:this @ is invalid"},
+- },
+- },
+-
+- // #78: an invalid DNS SAN will be detected if any name constraint checking
+- // is triggered.
+- {
+- roots: []constraintsSpec{
+- {
+- bad: []string{"uri:"},
+- },
+- },
+- intermediates: [][]constraintsSpec{
+- {
+- {},
+- },
+- },
+- leaf: leafSpec{
+- sans: []string{"dns:this is invalid"},
+- },
+- expectedError: "cannot parse dnsName",
+- },
+-
+- // #79: an invalid email SAN will be detected if any name constraint
+- // checking is triggered.
+- {
+- roots: []constraintsSpec{
+- {
+- bad: []string{"uri:"},
+- },
+- },
+- intermediates: [][]constraintsSpec{
+- {
+- {},
+- },
+- },
+- leaf: leafSpec{
+- sans: []string{"email:this @ is invalid"},
+- },
+- expectedError: "cannot parse rfc822Name",
+- },
+-
+- // #80: if several EKUs are requested, satisfying any of them is sufficient.
++ // #77: if several EKUs are requested, satisfying any of them is sufficient.
+ {
+ roots: make([]constraintsSpec, 1),
+ intermediates: [][]constraintsSpec{
+@@ -1523,7 +1467,7 @@ var nameConstraintsTests = []nameConstraintsTest{
+ requestedEKUs: []ExtKeyUsage{ExtKeyUsageClientAuth, ExtKeyUsageEmailProtection},
+ },
+
+- // #81: EKUs that are not asserted in VerifyOpts are not required to be
++ // #78: EKUs that are not asserted in VerifyOpts are not required to be
+ // nested.
+ {
+ roots: make([]constraintsSpec, 1),
+@@ -1542,7 +1486,7 @@ var nameConstraintsTests = []nameConstraintsTest{
+ },
+ },
+
+- // #82: a certificate without SANs and CN is accepted in a constrained chain.
++ // #79: a certificate without SANs and CN is accepted in a constrained chain.
+ {
+ roots: []constraintsSpec{
+ {
+@@ -1559,7 +1503,7 @@ var nameConstraintsTests = []nameConstraintsTest{
+ },
+ },
+
+- // #83: a certificate without SANs and with a CN that does not parse as a
++ // #80: a certificate without SANs and with a CN that does not parse as a
+ // hostname is accepted in a constrained chain.
+ {
+ roots: []constraintsSpec{
+@@ -1578,7 +1522,7 @@ var nameConstraintsTests = []nameConstraintsTest{
+ },
+ },
+
+- // #84: a certificate with SANs and CN is accepted in a constrained chain.
++ // #81: a certificate with SANs and CN is accepted in a constrained chain.
+ {
+ roots: []constraintsSpec{
+ {
+diff --git a/src/crypto/x509/parser.go b/src/crypto/x509/parser.go
+index 635e74b..0788210 100644
+--- a/src/crypto/x509/parser.go
++++ b/src/crypto/x509/parser.go
+@@ -391,10 +391,14 @@ func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string
+ if err := isIA5String(email); err != nil {
+ return errors.New("x509: SAN rfc822Name is malformed")
+ }
++ parsed, ok := parseRFC2821Mailbox(email)
++ if !ok || (ok && !domainNameValid(parsed.domain, false)) {
++ return errors.New("x509: SAN rfc822Name is malformed")
++ }
+ emailAddresses = append(emailAddresses, email)
+ case nameTypeDNS:
+ name := string(data)
+- if err := isIA5String(name); err != nil {
++ if err := isIA5String(name); err != nil || (err == nil && !domainNameValid(name, false)) {
+ return errors.New("x509: SAN dNSName is malformed")
+ }
+ dnsNames = append(dnsNames, string(name))
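Review bot: The conditions in the rfc822Name and nameTypeDNS cases test the same value twice: `!ok || (ok && !domainNameValid(parsed.domain, false))` is equivalent to `!ok || !domainNameValid(parsed.domain, false)`, and likewise for `err != nil || (err == nil && ...)`. The simpler form is easier to audit. For a stable branch the behaviour change also deserves a line in the recipe commit message: certificates whose SANs previously parsed and were only rejected during name constraint checking now fail in the parser, as the upstream message states.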
+@@ -404,14 +408,9 @@ func parseSANExtension(der cryptobyte.String) (dnsNames, emailAddresses []string
+ return errors.New("x509: SAN uniformResourceIdentifier is malformed")
+ }
+ uri, err := url.Parse(uriStr)
+- if err != nil {
++ if err != nil || (err == nil && uri.Host != "" && !domainNameValid(uri.Host, false)) {
+ return fmt.Errorf("x509: cannot parse URI %q: %s", uriStr, err)
+ }
+- if len(uri.Host) > 0 {
+- if _, ok := domainToReverseLabels(uri.Host); !ok {
+- return fmt.Errorf("x509: cannot parse URI %q: invalid domain", uriStr)
+- }
+- }
+ uris = append(uris, uri)
+ case nameTypeIP:
+ switch len(data) {
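Review bot: In the uniformResourceIdentifier case the merged condition loses the distinct error for an invalid host. When `url.Parse` succeeds but `domainNameValid(uri.Host, false)` fails, `err` is nil, so `fmt.Errorf("x509: cannot parse URI %q: %s", uriStr, err)` formats a nil error and the message ends in `%!s(<nil>)`. The removed lines returned "invalid domain" for this case; keeping a separate branch with that text would preserve a usable diagnostic for anyone triaging rejected certificates from logs.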
+@@ -551,15 +550,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle
+ return nil, nil, nil, nil, errors.New("x509: invalid constraint value: " + err.Error())
+ }
+
+- trimmedDomain := domain
+- if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
+- // constraints can have a leading
+- // period to exclude the domain
+- // itself, but that's not valid in a
+- // normal domain name.
+- trimmedDomain = trimmedDomain[1:]
+- }
+- if _, ok := domainToReverseLabels(trimmedDomain); !ok {
++ if !domainNameValid(domain, true) {
+ return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse dnsName constraint %q", domain)
+ }
+ dnsNames = append(dnsNames, domain)
+@@ -600,12 +591,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle
+ return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
+ }
+ } else {
+- // Otherwise it's a domain name.
+- domain := constraint
+- if len(domain) > 0 && domain[0] == '.' {
+- domain = domain[1:]
+- }
+- if _, ok := domainToReverseLabels(domain); !ok {
++ if !domainNameValid(constraint, true) {
+ return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse rfc822Name constraint %q", constraint)
+ }
+ }
+@@ -621,15 +607,7 @@ func parseNameConstraintsExtension(out *Certificate, e pkix.Extension) (unhandle
+ return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q: cannot be IP address", domain)
+ }
+
+- trimmedDomain := domain
+- if len(trimmedDomain) > 0 && trimmedDomain[0] == '.' {
+- // constraints can have a leading
+- // period to exclude the domain itself,
+- // but that's not valid in a normal
+- // domain name.
+- trimmedDomain = trimmedDomain[1:]
+- }
+- if _, ok := domainToReverseLabels(trimmedDomain); !ok {
++ if !domainNameValid(domain, true) {
+ return nil, nil, nil, nil, fmt.Errorf("x509: failed to parse URI constraint %q", domain)
+ }
+ uriDomains = append(uriDomains, domain)
+@@ -1011,3 +989,40 @@ func ParseCertificates(der []byte) ([]*Certificate, error) {
+ }
+ return certs, nil
+ }
++
++// domainNameValid does minimal domain name validity checking. In particular it
++// enforces the following properties:
++// - names cannot have the trailing period
++// - names can only have a leading period if constraint is true
++// - names must be <= 253 characters
++// - names cannot have empty labels
++// - names cannot labels that are longer than 63 characters
++//
++// Note that this does not enforce the LDH requirements for domain names.
++func domainNameValid(s string, constraint bool) bool {
++ if len(s) == 0 && constraint {
++ return true
++ }
++ if len(s) == 0 || (!constraint && s[0] == '.') || s[len(s)-1] == '.' || len(s) > 253 {
++ return false
++ }
++ lastDot := -1
++ if constraint && s[0] == '.' {
++ s = s[1:]
++ }
++
++ for i := 0; i <= len(s); i++ {
++ if i == len(s) || s[i] == '.' {
++ labelLen := i
++ if lastDot >= 0 {
++ labelLen -= lastDot + 1
++ }
++ if labelLen == 0 || labelLen > 63 {
++ return false
++ }
++ lastDot = i
++ }
++ }
++
++ return true
++}
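Review bot: domainNameValid inspects only periods and lengths, so a SAN like the `this is invalid` string from the removed name constraint test still passes it. The doc comment does say LDH is not enforced, but the commit message's "enforces that DNS names ... are valid" reads more strongly than the code; a test case pinning the accepted-with-spaces behaviour would make the contract explicit. Two smaller points: the `len(s) > 253` check runs before the leading period of a constraint is stripped, so a constraint is allowed one character less of actual name than a SAN, and the comment line "names cannot labels that are longer than 63 characters" is missing "have".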
+diff --git a/src/crypto/x509/parser_test.go b/src/crypto/x509/parser_test.go
+index d7cf7ea..95ed116 100644
+--- a/src/crypto/x509/parser_test.go
++++ b/src/crypto/x509/parser_test.go
+@@ -5,6 +5,7 @@ package x509
+
+ import (
+ "encoding/asn1"
++ "strings"
+ "testing"
+
+ cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
+@@ -100,3 +101,45 @@ func TestParseASN1String(t *testing.T) {
+ })
+ }
+ }
++
++func TestDomainNameValid(t *testing.T) {
++ for _, tc := range []struct {
++ name string
++ dnsName string
++ constraint bool
++ valid bool
++ }{
++ {"empty name, name", "", false, false},
++ {"empty name, constraint", "", true, true},
++ {"empty label, name", "a..a", false, false},
++ {"empty label, constraint", "a..a", true, false},
++ {"period, name", ".", false, false},
++ {"period, constraint", ".", true, false}, // TODO(roland): not entirely clear if this is a valid constraint (require at least one label?)
++ {"valid, name", "a.b.c", false, true},
++ {"valid, constraint", "a.b.c", true, true},
++ {"leading period, name", ".a.b.c", false, false},
++ {"leading period, constraint", ".a.b.c", true, true},
++ {"trailing period, name", "a.", false, false},
++ {"trailing period, constraint", "a.", true, false},
++ {"bare label, name", "a", false, true},
++ {"bare label, constraint", "a", true, true},
++ {"254 char label, name", strings.Repeat("a.a", 84) + "aaa", false, false},
++ {"254 char label, constraint", strings.Repeat("a.a", 84) + "aaa", true, false},
++ {"253 char label, name", strings.Repeat("a.a", 84) + "aa", false, false},
++ {"253 char label, constraint", strings.Repeat("a.a", 84) + "aa", true, false},
++ {"64 char single label, name", strings.Repeat("a", 64), false, false},
++ {"64 char single label, constraint", strings.Repeat("a", 64), true, false},
++ {"63 char single label, name", strings.Repeat("a", 63), false, true},
++ {"63 char single label, constraint", strings.Repeat("a", 63), true, true},
++ {"64 char label, name", "a." + strings.Repeat("a", 64), false, false},
++ {"64 char label, constraint", "a." + strings.Repeat("a", 64), true, false},
++ {"63 char label, name", "a." + strings.Repeat("a", 63), false, true},
++ {"63 char label, constraint", "a." + strings.Repeat("a", 63), true, true},
++ } {
++ t.Run(tc.name, func(t *testing.T) {
++ if tc.valid != domainNameValid(tc.dnsName, tc.constraint) {
++ t.Errorf("domainNameValid(%q, %t) = %v; want %v", tc.dnsName, tc.constraint, !tc.valid, tc.valid)
++ }
++ })
++ }
++}
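Review bot: The total-length cases in TestDomainNameValid are labelled one character short, which leaves the accepting side of the 253 limit untested. `strings.Repeat("a.a", 84)` is 252 characters, so the "254 char" inputs are 255 characters and the "253 char" inputs are 254 characters, which is why both expect false. Suggest renaming them and adding a case of exactly 253 characters with `valid` set to true, so an off-by-one in the `len(s) > 253` comparison would be caught. The Errorf call also reports `!tc.valid` rather than the value actually returned; capturing the result in a variable would be clearer.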
+diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
+index 3e95808..fb2f4b2 100644
+--- a/src/crypto/x509/verify.go
++++ b/src/crypto/x509/verify.go
+@@ -357,6 +357,7 @@ func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) {
+ // domainToReverseLabels converts a textual domain name like foo.example.com to
+ // the list of labels in reverse order, e.g. ["com", "example", "foo"].
+ func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) {
++ reverseLabels = make([]string, 0, strings.Count(domain, ".")+1)
+ for len(domain) > 0 {
+ if i := strings.LastIndexByte(domain, '.'); i == -1 {
+ reverseLabels = append(reverseLabels, domain)
+--
+2.40.0
+
--
2.43.0
* [OE-core][kirkstone 07/10] go: fix CVE-2025-58189
2025-12-02 15:09 [OE-core][kirkstone 00/10] Patch review Steve Sakoman
` (5 preceding siblings ...)
2025-12-02 15:09 ` [OE-core][kirkstone 06/10] go: fix CVE-2025-58187 Steve Sakoman
@ 2025-12-02 15:09 ` Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 08/10] go: fix CVE-2025-61723 Steve Sakoman
` (2 subsequent siblings)
9 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-12-02 15:09 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled
information (the ALPN protocols sent by the client) which is not escaped.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.18/CVE-2025-58189.patch | 51 +++++++++++++++++++
2 files changed, 52 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index c5aa3f9786..61fee12cf9 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -70,6 +70,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \
file://CVE-2025-47906.patch \
file://CVE-2024-24783.patch \
file://CVE-2025-58187.patch \
+ file://CVE-2025-58189.patch \
"
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch b/meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch
new file mode 100644
index 0000000000..835f071733
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch
@@ -0,0 +1,51 @@
+From 2e1e356e33b9c792a9643749a7626a1789197bb9 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 29 Sep 2025 10:11:56 -0700
+Subject: [PATCH] crypto/tls: quote protocols in ALPN error message
+
+Quote the protocols sent by the client when returning the ALPN
+negotiation error message.
+
+Fixes CVE-2025-58189
+Updates #75652
+Fixes #75660
+
+Change-Id: Ie7b3a1ed0b6efcc1705b71f0f1e8417126661330
+Reviewed-on: https://go-review.googlesource.com/c/go/+/707776
+Auto-Submit: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-by: Nicholas Husin <nsh@golang.org>
+Auto-Submit: Nicholas Husin <nsh@golang.org>
+Reviewed-by: Nicholas Husin <husin@google.com>
+TryBot-Bypass: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
+(cherry picked from commit 4e9006a716533fe1c7ee08df02dfc73078f7dc19)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/708096
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+
+CVE: CVE-2025-58189
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/crypto/tls/handshake_server.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
+index 4e84aa9..17b6891 100644
+--- a/src/crypto/tls/handshake_server.go
++++ b/src/crypto/tls/handshake_server.go
+@@ -312,7 +312,7 @@ func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, erro
+ if http11fallback {
+ return "", nil
+ }
+- return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
++ return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos)
+ }
+
+ // supportsECDHE returns whether ECDHE key exchanges can be used with this
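Review bot: No test accompanies the `%s` to `%q` change in negotiateALPN (the diffstat lists only handshake_server.go), so nothing stops a later edit from reverting the verb. A small test that passes a client protocol containing a newline or other control character and asserts the returned error text contains the quoted, escaped form would lock the fix in. Consumers that parse or match this error string should also be checked, since each protocol is now wrapped in double quotes.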
+--
+2.40.0
+
--
2.43.0
* [OE-core][kirkstone 08/10] go: fix CVE-2025-61723
2025-12-02 15:09 [OE-core][kirkstone 00/10] Patch review Steve Sakoman
` (6 preceding siblings ...)
2025-12-02 15:09 ` [OE-core][kirkstone 07/10] go: fix CVE-2025-58189 Steve Sakoman
@ 2025-12-02 15:09 ` Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 09/10] go: fix CVE-2025-61724 Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 10/10] systemd-bootchart: update SRC_URI branch Steve Sakoman
9 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-12-02 15:09 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
The processing time for parsing some invalid inputs scales non-linearly with
respect to the size of the input. This affects programs which parse untrusted PEM inputs.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.18/CVE-2025-61723.patch | 221 ++++++++++++++++++
2 files changed, 222 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 61fee12cf9..b621fb189c 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -71,6 +71,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \
file://CVE-2024-24783.patch \
file://CVE-2025-58187.patch \
file://CVE-2025-58189.patch \
+ file://CVE-2025-61723.patch \
"
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch b/meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch
new file mode 100644
index 0000000000..8c838a6d8a
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch
@@ -0,0 +1,221 @@
+From 74d4d836b91318a8764b94bc2b4b66ff599eb5f2 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Tue, 30 Sep 2025 11:16:56 -0700
+Subject: [PATCH] encoding/pem: make Decode complexity linear Because Decode
+ scanned the input first for the first BEGIN line, and then the first END
+ line, the complexity of Decode is quadratic. If the input contained a large
+ number of BEGINs and then a single END right at the end of the input, we
+ would find the first BEGIN, and then scan the entire input for the END, and
+ fail to parse the block, so move onto the next BEGIN, scan the entire input
+ for the END, etc.
+
+Instead, look for the first END in the input, and then the first BEGIN
+that precedes the found END. We then process the bytes between the BEGIN
+and END, and move onto the bytes after the END for further processing.
+This gives us linear complexity.
+
+Fixes CVE-2025-61723
+For #75676
+Fixes #75708
+
+Change-Id: I813c4f63e78bca4054226c53e13865c781564ccf
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2921
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2986
+Reviewed-on: https://go-review.googlesource.com/c/go/+/709842
+TryBot-Bypass: Michael Pratt <mpratt@google.com>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+
+CVE: CVE-2025-61723
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/74d4d836b91318a8764b94bc2b4b66ff599eb5f2]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/encoding/pem/pem.go | 67 +++++++++++++++++++-----------------
+ src/encoding/pem/pem_test.go | 13 +++----
+ 2 files changed, 43 insertions(+), 37 deletions(-)
+
+diff --git a/src/encoding/pem/pem.go b/src/encoding/pem/pem.go
+index 1bee1c1..01bed75 100644
+--- a/src/encoding/pem/pem.go
++++ b/src/encoding/pem/pem.go
+@@ -35,7 +35,7 @@ type Block struct {
+ // line bytes. The remainder of the byte array (also not including the new line
+ // bytes) is also returned and this will always be smaller than the original
+ // argument.
+-func getLine(data []byte) (line, rest []byte) {
++func getLine(data []byte) (line, rest []byte, consumed int) {
+ i := bytes.IndexByte(data, '\n')
+ var j int
+ if i < 0 {
+@@ -47,7 +47,7 @@ func getLine(data []byte) (line, rest []byte) {
+ i--
+ }
+ }
+- return bytes.TrimRight(data[0:i], " \t"), data[j:]
++ return bytes.TrimRight(data[0:i], " \t"), data[j:], j
+ }
+
+ // removeSpacesAndTabs returns a copy of its input with all spaces and tabs
+@@ -88,19 +88,29 @@ func Decode(data []byte) (p *Block, rest []byte) {
+ // the byte array, we'll accept the start string without it.
+ rest = data
+ for {
+- if bytes.HasPrefix(rest, pemStart[1:]) {
+- rest = rest[len(pemStart)-1:]
+- } else if i := bytes.Index(rest, pemStart); i >= 0 {
+- rest = rest[i+len(pemStart) : len(rest)]
+- } else {
++ // Find the first END line, and then find the last BEGIN line before
++ // the end line. This lets us skip any repeated BEGIN lines that don't
++ // have a matching END.
++ endIndex := bytes.Index(rest, pemEnd)
++ if endIndex < 0 {
+ return nil, data
+ }
+-
++ endTrailerIndex := endIndex + len(pemEnd)
++ beginIndex := bytes.LastIndex(rest[:endIndex], pemStart[1:])
++ if beginIndex < 0 || beginIndex > 0 && rest[beginIndex-1] != '\n' {
++ return nil, data
++ }
++ rest = rest[beginIndex+len(pemStart)-1:]
++ endIndex -= beginIndex + len(pemStart) - 1
++ endTrailerIndex -= beginIndex + len(pemStart) - 1
+ var typeLine []byte
+- typeLine, rest = getLine(rest)
++ var consumed int
++ typeLine, rest, consumed = getLine(rest)
+ if !bytes.HasSuffix(typeLine, pemEndOfLine) {
+ continue
+ }
++ endIndex -= consumed
++ endTrailerIndex -= consumed
+ typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)]
+
+ p = &Block{
+@@ -114,7 +124,7 @@ func Decode(data []byte) (p *Block, rest []byte) {
+ if len(rest) == 0 {
+ return nil, data
+ }
+- line, next := getLine(rest)
++ line, next, consumed := getLine(rest)
+
+ i := bytes.IndexByte(line, ':')
+ if i == -1 {
+@@ -127,21 +137,13 @@ func Decode(data []byte) (p *Block, rest []byte) {
+ val = bytes.TrimSpace(val)
+ p.Headers[string(key)] = string(val)
+ rest = next
++ endIndex -= consumed
++ endTrailerIndex -= consumed
+ }
+
+- var endIndex, endTrailerIndex int
+-
+- // If there were no headers, the END line might occur
+- // immediately, without a leading newline.
+- if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) {
+- endIndex = 0
+- endTrailerIndex = len(pemEnd) - 1
+- } else {
+- endIndex = bytes.Index(rest, pemEnd)
+- endTrailerIndex = endIndex + len(pemEnd)
+- }
+-
+- if endIndex < 0 {
++ // If there were headers, there must be a newline between the headers
++ // and the END line, so endIndex should be >= 0.
++ if len(p.Headers) > 0 && endIndex < 0 {
+ continue
+ }
+
+@@ -161,21 +163,24 @@ func Decode(data []byte) (p *Block, rest []byte) {
+ }
+
+ // The line must end with only whitespace.
+- if s, _ := getLine(restOfEndLine); len(s) != 0 {
++ if s, _, _ := getLine(restOfEndLine); len(s) != 0 {
+ continue
+ }
+
+- base64Data := removeSpacesAndTabs(rest[:endIndex])
+- p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
+- n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
+- if err != nil {
+- continue
++ p.Bytes = []byte{}
++ if endIndex > 0 {
++ base64Data := removeSpacesAndTabs(rest[:endIndex])
++ p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
++ n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
++ if err != nil {
++ continue
++ }
++ p.Bytes = p.Bytes[:n]
+ }
+- p.Bytes = p.Bytes[:n]
+
+ // the -1 is because we might have only matched pemEnd without the
+ // leading newline if the PEM block was empty.
+- _, rest = getLine(rest[endIndex+len(pemEnd)-1:])
++ _, rest, _ = getLine(rest[endIndex+len(pemEnd)-1:])
+ return p, rest
+ }
+ }
+diff --git a/src/encoding/pem/pem_test.go b/src/encoding/pem/pem_test.go
+index c94b5ca..a326f9b 100644
+--- a/src/encoding/pem/pem_test.go
++++ b/src/encoding/pem/pem_test.go
+@@ -34,7 +34,7 @@ var getLineTests = []GetLineTest{
+
+ func TestGetLine(t *testing.T) {
+ for i, test := range getLineTests {
+- x, y := getLine([]byte(test.in))
++ x, y, _ := getLine([]byte(test.in))
+ if string(x) != test.out1 || string(y) != test.out2 {
+ t.Errorf("#%d got:%+v,%+v want:%s,%s", i, x, y, test.out1, test.out2)
+ }
+@@ -46,6 +46,7 @@ func TestDecode(t *testing.T) {
+ if !reflect.DeepEqual(result, certificate) {
+ t.Errorf("#0 got:%#v want:%#v", result, certificate)
+ }
++
+ result, remainder = Decode(remainder)
+ if !reflect.DeepEqual(result, privateKey) {
+ t.Errorf("#1 got:%#v want:%#v", result, privateKey)
+@@ -68,7 +69,7 @@ func TestDecode(t *testing.T) {
+ }
+
+ result, remainder = Decode(remainder)
+- if result == nil || result.Type != "HEADERS" || len(result.Headers) != 1 {
++ if result == nil || result.Type != "VALID HEADERS" || len(result.Headers) != 1 {
+ t.Errorf("#5 expected single header block but got :%v", result)
+ }
+
+@@ -381,15 +382,15 @@ ZWAaUoVtWIQ52aKS0p19G99hhb+IVANC4akkdHV4SP8i7MVNZhfUmg==
+
+ # This shouldn't be recognised because of the missing newline after the
+ headers.
+------BEGIN HEADERS-----
++-----BEGIN INVALID HEADERS-----
+ Header: 1
+------END HEADERS-----
++-----END INVALID HEADERS-----
+
+ # This should be valid, however.
+------BEGIN HEADERS-----
++-----BEGIN VALID HEADERS-----
+ Header: 1
+
+------END HEADERS-----`)
++-----END VALID HEADERS-----`)
+
+ var certificate = &Block{Type: "CERTIFICATE",
+ Headers: map[string]string{},
+--
+2.40.0
+
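Review bot: the Subject: header at the top of the added CVE-2025-61723.patch has absorbed the first paragraph of the upstream commit message (the text from "Because Decode scanned the input first" through "etc." sits on the folded Subject lines), so the summary is no longer just "encoding/pem: make Decode complexity linear"; restore the blank line after that summary so the body starts as its own paragraph. In the pem.go part, getLine now returns a third value, consumed, but the doc comment in the unchanged context above it still describes only the line and the remainder. The pem_test.go changes only adapt the getLine callers and rename the HEADERS fixtures to VALID HEADERS and INVALID HEADERS; there is no test case for the many-BEGIN, single-END input that the commit message gives as the quadratic case, and one would guard the backport.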
--
2.43.0
* [OE-core][kirkstone 09/10] go: fix CVE-2025-61724
2025-12-02 15:09 [OE-core][kirkstone 00/10] Patch review Steve Sakoman
` (7 preceding siblings ...)
2025-12-02 15:09 ` [OE-core][kirkstone 08/10] go: fix CVE-2025-61723 Steve Sakoman
@ 2025-12-02 15:09 ` Steve Sakoman
2025-12-02 15:09 ` [OE-core][kirkstone 10/10] systemd-bootchart: update SRC_URI branch Steve Sakoman
9 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-12-02 15:09 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
The Reader.ReadResponse function constructs a response string through repeated
string concatenation of lines. When the number of lines in a response is large,
this can cause excessive CPU consumption.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.18/CVE-2025-61724.patch | 74 +++++++++++++++++++
2 files changed, 75 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index b621fb189c..bb5e839950 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -72,6 +72,7 @@ SRC_URI = "https://golang.org/dl/go${PV}.src.tar.gz;name=main \
file://CVE-2025-58187.patch \
file://CVE-2025-58189.patch \
file://CVE-2025-61723.patch \
+ file://CVE-2025-61724.patch \
"
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch b/meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch
new file mode 100644
index 0000000000..8c63022909
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch
@@ -0,0 +1,74 @@
+From a402f4ad285514f5f3db90516d72047d591b307a Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Tue, 30 Sep 2025 15:11:16 -0700
+Subject: [PATCH] net/textproto: avoid quadratic complexity in
+ Reader.ReadResponse Reader.ReadResponse constructed a response string from
+ repeated string concatenation, permitting a malicious sender to cause
+ excessive memory allocation and CPU consumption by sending a response
+ consisting of many short lines.
+
+Use a strings.Builder to construct the string instead.
+
+Thanks to Jakub Ciolek for reporting this issue.
+
+Fixes CVE-2025-61724
+For #75716
+Fixes #75717
+
+Change-Id: I1a98ce85a21b830cb25799f9ac9333a67400d736
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2940
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2980
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/709837
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+TryBot-Bypass: Michael Pratt <mpratt@google.com>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+
+CVE: CVE-2025-61724
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/a402f4ad285514f5f3db90516d72047d591b307a]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/net/textproto/reader.go | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index 3ac4d4d..a996257 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -288,8 +288,10 @@ func (r *Reader) ReadCodeLine(expectCode int) (code int, message string, err err
+ // An expectCode <= 0 disables the check of the status code.
+ //
+ func (r *Reader) ReadResponse(expectCode int) (code int, message string, err error) {
+- code, continued, message, err := r.readCodeLine(expectCode)
++ code, continued, first, err := r.readCodeLine(expectCode)
+ multi := continued
++ var messageBuilder strings.Builder
++ messageBuilder.WriteString(first)
+ for continued {
+ line, err := r.ReadLine()
+ if err != nil {
+@@ -300,12 +302,15 @@ func (r *Reader) ReadResponse(expectCode int) (code int, message string, err err
+ var moreMessage string
+ code2, continued, moreMessage, err = parseCodeLine(line, 0)
+ if err != nil || code2 != code {
+- message += "\n" + strings.TrimRight(line, "\r\n")
++ messageBuilder.WriteByte('\n')
++ messageBuilder.WriteString(strings.TrimRight(line, "\r\n"))
+ continued = true
+ continue
+ }
+- message += "\n" + moreMessage
++ messageBuilder.WriteByte('\n')
++ messageBuilder.WriteString(moreMessage)
+ }
++ message = messageBuilder.String()
+ if err != nil && multi && message != "" {
+ // replace one line error message with all lines (full message)
+ err = &Error{code, message}
+--
+2.40.0
+
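Review bot: no test accompanies the ReadResponse change; the embedded diffstat lists only src/net/textproto/reader.go, so nothing exercises a response made of many short continuation lines, which is the input the commit message describes. A test or benchmark on that path would guard the backport. The Subject: header has also swallowed the first paragraph of the commit body (from "Reader.ReadResponse constructed a response string" onward); a blank line after "net/textproto: avoid quadratic complexity in Reader.ReadResponse" would keep the summary line to one sentence.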
--
2.43.0
* [OE-core][kirkstone 10/10] systemd-bootchart: update SRC_URI branch
2025-12-02 15:09 [OE-core][kirkstone 00/10] Patch review Steve Sakoman
` (8 preceding siblings ...)
2025-12-02 15:09 ` [OE-core][kirkstone 09/10] go: fix CVE-2025-61724 Steve Sakoman
@ 2025-12-02 15:09 ` Steve Sakoman
9 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-12-02 15:09 UTC (permalink / raw)
To: openembedded-core
From: Gyorgy Sarvari <skandigraun@gmail.com>
The branch was renamed from master to main.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../recipes-devtools/systemd-bootchart/systemd-bootchart_234.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_234.bb b/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_234.bb
index bc3eee2093..98237aba65 100644
--- a/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_234.bb
+++ b/meta/recipes-devtools/systemd-bootchart/systemd-bootchart_234.bb
@@ -8,7 +8,7 @@ LICENSE = "LGPL-2.1-only & GPL-2.0-only"
LIC_FILES_CHKSUM = "file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c \
file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe"
-SRC_URI = "git://github.com/systemd/systemd-bootchart.git;protocol=https;branch=master \
+SRC_URI = "git://github.com/systemd/systemd-bootchart.git;protocol=https;branch=main \
file://0001-architecture-Recognise-RISCV-32-RISCV-64.patch \
file://mips64.patch \
file://no_lto.patch \
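Review bot: only the branch= parameter of SRC_URI changes here, so the fetch still depends on the recipe's pinned revision being reachable from main, and that line is outside this hunk. It would help to say in the commit message that the existing revision was checked against the renamed branch, so a reviewer does not have to infer it from the one-line change.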
--
2.43.0
* [OE-core][kirkstone 00/10] Patch review
@ 2025-12-23 21:25 Steve Sakoman
0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-12-23 21:25 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, December 30
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2920
The following changes since commit 2ed3f8b938579dbbb804e04c45a968cc57761db7:
build-appliance-image: Update to kirkstone head revision (2025-12-12 08:52:06 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Aleksandar Nikolic (1):
scripts/install-buildtools: Update to 4.0.31
Changqing Li (1):
libsoup: fix CVE-2025-12105
Deepesh Varatharajan (1):
binutils: Fix CVE-2025-11494
Kai Kang (1):
qemu: fix CVE-2025-12464
Libo Chen (1):
go: Fix CVE-2023-39323
Liyin Zhang (1):
rsync: fix CVE-2025-10158
Martin Jansa (1):
cross.bbclass: Propagate dependencies to outhash
Mingli Yu (1):
libxslt: Fix CVE-2025-11731
Yash Shinde (2):
binutils: fix CVE-2025-11839
binutils: fix CVE-2025-11840
meta/classes/cross.bbclass | 36 ++++++++++
.../binutils/binutils-2.38.inc | 3 +
.../binutils/0048-CVE-2025-11494.patch | 43 ++++++++++++
.../binutils/0049-CVE-2025-11839.patch | 32 +++++++++
.../binutils/0050-CVE-2025-11840.patch | 37 ++++++++++
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.21/CVE-2023-39323.patch | 55 +++++++++++++++
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2025-12464.patch | 70 +++++++++++++++++++
.../rsync/files/CVE-2025-10158.patch | 36 ++++++++++
meta/recipes-devtools/rsync/rsync_3.2.7.bb | 1 +
.../libsoup/libsoup/CVE-2025-12105.patch | 34 +++++++++
meta/recipes-support/libsoup/libsoup_3.0.7.bb | 1 +
.../libxslt/libxslt/CVE-2025-11731.patch | 42 +++++++++++
.../recipes-support/libxslt/libxslt_1.1.35.bb | 1 +
scripts/install-buildtools | 4 +-
16 files changed, 395 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-devtools/binutils/binutils/0048-CVE-2025-11494.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0049-CVE-2025-11839.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0050-CVE-2025-11840.patch
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2025-10158.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-12105.patch
create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2025-11731.patch
--
2.43.0