diff --git a/recipes-connectivity/openssl/openssl/CVE-2025-15467_3.0.5_fix.patch b/recipes-connectivity/openssl/openssl/CVE-2025-15467_3.0.5_fix.patch new file mode 100644 index 00000000..85b5530d --- /dev/null +++ b/recipes-connectivity/openssl/openssl/CVE-2025-15467_3.0.5_fix.patch @@ -0,0 +1,30 @@ +From df24df430af3532c24d8c47a430555fd9f3d890e Mon Sep 17 00:00:00 2001 +From: skondu363 +Date: Thu, 5 Feb 2026 09:09:13 +0000 +Subject: [PATCH] +Upstream-Status: Backport + https://github.com/openssl/openssl/commit/0ddd6b6bcbdedbe2c8304af05771f8ab11939112 +CVE : CVE-2025-15467 + +Signed-off-by: skondu363 +--- + crypto/evp/evp_lib.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c +index b918081..f833bbb 100644 +--- a/crypto/evp/evp_lib.c ++++ b/crypto/evp/evp_lib.c +@@ -249,10 +249,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type, + if (type == NULL || asn1_params == NULL) + return 0; + +- i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH); +- if (i <= 0) ++ i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH); ++ if (i <= 0 || i > EVP_MAX_IV_LENGTH) + return -1; +- ossl_asn1_type_get_octetstring_int(type, &tl, iv, i); + + memcpy(asn1_params->iv, iv, i); + asn1_params->iv_len = i; diff --git a/recipes-connectivity/openssl/openssl_3.0.%.bbappend b/recipes-connectivity/openssl/openssl_3.0.%.bbappend index 65dd7813..4c6ab77f 100644 --- a/recipes-connectivity/openssl/openssl_3.0.%.bbappend +++ b/recipes-connectivity/openssl/openssl_3.0.%.bbappend @@ -37,6 +37,7 @@ LOGROTATE_ROTATION_MEM_sslendpoint="3" FILESEXTRAPATHS:prepend:="${THISDIR}/${PN}:" SRC_URI += " file://openssl-c_rehash.sh \ + file://CVE-2025-15467_3.0.5_fix.patch \ " PTEST_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'benchmark_enable', '1', '0', d)}" diff --git a/recipes-core/busybox/busybox/CVE-2025-46394_1.35_fix.patch b/recipes-core/busybox/busybox/CVE-2025-46394_1.35_fix.patch new file mode 100644 index 00000000..41450534 --- /dev/null +++ b/recipes-core/busybox/busybox/CVE-2025-46394_1.35_fix.patch @@ -0,0 +1,38 @@ +From 4333a6788d6b4f2ab22aa570e2d0f0ebcff07817 Mon Sep 17 00:00:00 2001 +From: skondu363 +Date: Wed, 4 Feb 2026 06:25:25 +0000 +Subject: [PATCH] +Upstream-Status: Backport + https://patchwork.yoctoproject.org/project/oe-core/patch/20250928221332.1308547-1-peter.marko@siemens.com/#31415 +CVE : CVE-2025-46394 + +Signed-off-by: skondu363 +--- + archival/libarchive/header_list.c | 2 +- + archival/libarchive/header_verbose_list.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c +index 0621aa4..9490b36 100644 +--- a/archival/libarchive/header_list.c ++++ b/archival/libarchive/header_list.c +@@ -8,5 +8,5 @@ + void FAST_FUNC header_list(const file_header_t *file_header) + { + //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */ +- puts(file_header->name); ++ puts(printable_string(file_header->name)); + } +diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c +index a575a08..baedf75 100644 +--- a/archival/libarchive/header_verbose_list.c ++++ b/archival/libarchive/header_verbose_list.c +@@ -40,7 +40,7 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header) + ptm->tm_hour, + ptm->tm_min, + ptm->tm_sec, +- file_header->name); ++ printable_string(file_header->name)); + + #else /* !FEATURE_TAR_UNAME_GNAME */ + diff --git a/recipes-core/busybox/busybox_1.35%.bbappend b/recipes-core/busybox/busybox_1.35%.bbappend new file mode 100644 index 00000000..81bbb1bf --- /dev/null +++ b/recipes-core/busybox/busybox_1.35%.bbappend @@ -0,0 +1,4 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/${BPN}:" + +SRC_URI += " file://CVE-2025-46394_1.35_fix.patch \ + " diff --git a/recipes-core/glib-2.0/glib-2.0/CVE-2024-52533_2.74_fix.patch b/recipes-core/glib-2.0/glib-2.0/CVE-2024-52533_2.74_fix.patch new file mode 100644 index 00000000..fb973887 --- /dev/null +++ b/recipes-core/glib-2.0/glib-2.0/CVE-2024-52533_2.74_fix.patch @@ -0,0 +1,29 @@ +From df1c6f3b0dcadc33eadbdff9213b255aa178d8c2 Mon Sep 17 00:00:00 2001 +From: skondu363 +Date: Wed, 4 Feb 2026 07:39:46 +0000 +Subject: [PATCH] +Upstream-Status: Backport + https://gitlab.gnome.org/GNOME/glib/-/commit/25833cefda24c60af913d6f2d532b5afd608b821 +CVE : CVE-2024-52533 + +Signed-off-by: skondu363 +--- + gio/gsocks4aproxy.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c +index 3dad118..b3146d0 100644 +--- a/gio/gsocks4aproxy.c ++++ b/gio/gsocks4aproxy.c +@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy) + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ + * | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL | + * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+ +- * 1 1 2 4 variable 1 variable ++ * 1 1 2 4 variable 1 variable 1 + */ +-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2) ++#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2) + static gint + set_connect_msg (guint8 *msg, + const gchar *hostname, diff --git a/recipes-core/glib-2.0/glib-2.0/CVE-2025-4056_2.74_fix.patch b/recipes-core/glib-2.0/glib-2.0/CVE-2025-4056_2.74_fix.patch new file mode 100644 index 00000000..d3bbc3e0 --- /dev/null +++ b/recipes-core/glib-2.0/glib-2.0/CVE-2025-4056_2.74_fix.patch @@ -0,0 +1,44 @@ +From 5c1c14f220c7f431cb451f9f5174a2386e398a27 Mon Sep 17 00:00:00 2001 +From: skondu363 +Date: Wed, 4 Feb 2026 08:09:29 +0000 +Subject: [PATCH] +Upstream-Status: Backport + https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4570/diffs.patch +CVE : CVE-2025-4056 + +Signed-off-by: skondu363 +--- + glib/gspawn-win32-helper.c | 4 ++-- + glib/gspawn-win32.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/glib/gspawn-win32-helper.c b/glib/gspawn-win32-helper.c +index 72b49ba..dddd9d8 100644 +--- a/glib/gspawn-win32-helper.c ++++ b/glib/gspawn-win32-helper.c +@@ -94,8 +94,8 @@ protect_wargv (gint argc, + { + wchar_t *p = wargv[i]; + wchar_t *q; +- gint len = 0; +- gint pre_bslash = 0; ++ size_t len = 0; ++ size_t pre_bslash = 0; + gboolean need_dblquotes = FALSE; + while (*p) + { +diff --git a/glib/gspawn-win32.c b/glib/gspawn-win32.c +index 7fa5e26..e4b402f 100644 +--- a/glib/gspawn-win32.c ++++ b/glib/gspawn-win32.c +@@ -174,8 +174,8 @@ protect_argv_string (const gchar *string) + { + const gchar *p = string; + gchar *retval, *q; +- gint len = 0; +- gint pre_bslash = 0; ++ size_t len = 0; ++ size_t pre_bslash = 0; + gboolean need_dblquotes = FALSE; + while (*p) + { diff --git a/recipes-core/glib-2.0/glib-2.0_2.7%.bbappend b/recipes-core/glib-2.0/glib-2.0_2.7%.bbappend index fd2f7356..7b5f0bd6 100644 --- a/recipes-core/glib-2.0/glib-2.0_2.7%.bbappend +++ b/recipes-core/glib-2.0/glib-2.0_2.7%.bbappend @@ -10,5 +10,7 @@ RDEPENDS:${PN}-utils += "libelf" SRC_URI:append = " \ file://0001-Fix-passing-NULL-to-g_task_get_cancellable.patch \ file://0001-RDKTV-35445-Fix-localhost-DNS-resolution.patch \ + file://CVE-2024-52533_2.74_fix.patch \ + file://CVE-2025-4056_2.74_fix.patch \ " diff --git a/recipes-core/libxml2/libxml2/CVE-2025-24928_2.9.14_fix.patch b/recipes-core/libxml2/libxml2/CVE-2025-24928_2.9.14_fix.patch new file mode 100644 index 00000000..bd296369 --- /dev/null +++ b/recipes-core/libxml2/libxml2/CVE-2025-24928_2.9.14_fix.patch @@ -0,0 +1,54 @@ +From fb535342c9cd0ba411c4c65e4e8147f77dfe804c Mon Sep 17 00:00:00 2001 +From: skondu363 +Date: Thu, 5 Feb 2026 08:40:28 +0000 +Subject: [PATCH] +Upstream-Status: Backport + https://gitlab.gnome.org/GNOME/libxml2/-/commit/8c8753ad5280ee13aee5eec9b0f6eee2ed920f57.patch +CVE : CVE-2025-24928 + +Signed-off-by: skondu363 +--- + valid.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/valid.c b/valid.c +index ed3c850..c69093f 100644 +--- a/valid.c ++++ b/valid.c +@@ -5259,25 +5259,25 @@ xmlSnprintfElements(char *buf, int size, xmlNodePtr node, int glob) { + return; + } + switch (cur->type) { +- case XML_ELEMENT_NODE: ++ case XML_ELEMENT_NODE: { ++ int qnameLen = xmlStrlen(cur->name); ++ ++ if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) ++ qnameLen += xmlStrlen(cur->ns->prefix) + 1; ++ if (size - len < qnameLen + 10) { ++ if ((size - len > 4) && (buf[len - 1] != '.')) ++ strcat(buf, " ..."); ++ return; ++ } + if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) { +- if (size - len < xmlStrlen(cur->ns->prefix) + 10) { +- if ((size - len > 4) && (buf[len - 1] != '.')) +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) cur->ns->prefix); + strcat(buf, ":"); + } +- if (size - len < xmlStrlen(cur->name) + 10) { +- if ((size - len > 4) && (buf[len - 1] != '.')) +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) cur->name); + if (cur->next != NULL) + strcat(buf, " "); + break; ++ } + case XML_TEXT_NODE: + if (xmlIsBlankNode(cur)) + break; diff --git a/recipes-core/libxml2/libxml2/CVE-2025-6021_2.9.14_fix.patch b/recipes-core/libxml2/libxml2/CVE-2025-6021_2.9.14_fix.patch new file mode 100644 index 00000000..7e07d5a0 --- /dev/null +++ b/recipes-core/libxml2/libxml2/CVE-2025-6021_2.9.14_fix.patch @@ -0,0 +1,47 @@ +From a0ed04217e2dcdcd617c8f8a8be0819460f490c6 Mon Sep 17 00:00:00 2001 +From: skondu363 +Date: Thu, 5 Feb 2026 08:04:17 +0000 +Subject: [PATCH] +Upstream-Status: Backport + https://gitlab.gnome.org/GNOME/libxml2/-/commit/ad346c9a249c4b380bf73c460ad3e81135c5d781 + CVE : CVE-2025-6021 + +Signed-off-by: skondu363 +--- + tree.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tree.c b/tree.c +index f837932..3cc026d 100644 +--- a/tree.c ++++ b/tree.c +@@ -21,6 +21,7 @@ + #include /* for memset() only ! */ + #include + #include ++#include + #ifdef HAVE_CTYPE_H + #include + #endif +@@ -222,16 +223,18 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) { + xmlChar * + xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix, + xmlChar *memory, int len) { +- int lenn, lenp; ++ size_t lenn, lenp; + xmlChar *ret; + +- if (ncname == NULL) return(NULL); ++ if ((ncname == NULL) || (len < 0)) return(NULL); + if (prefix == NULL) return((xmlChar *) ncname); + + lenn = strlen((char *) ncname); + lenp = strlen((char *) prefix); ++ if (lenn >= SIZE_MAX - lenp - 1) ++ return(NULL); + +- if ((memory == NULL) || (len < lenn + lenp + 2)) { ++ if ((memory == NULL) || ((size_t)len < lenn + lenp + 2)) { + ret = (xmlChar *) xmlMallocAtomic(lenn + lenp + 2); + if (ret == NULL) { + xmlTreeErrMemory("building QName"); diff --git a/recipes-core/libxml2/libxml2/CVE-2025-9714_2.9.14_fix.patch b/recipes-core/libxml2/libxml2/CVE-2025-9714_2.9.14_fix.patch new file mode 100644 index 00000000..2087ecc1 --- /dev/null +++ b/recipes-core/libxml2/libxml2/CVE-2025-9714_2.9.14_fix.patch @@ -0,0 +1,110 @@ +From 8b45761e6ea0bb7eeb466d8597207655310fec33 Mon Sep 17 00:00:00 2001 +From: skondu363 +Date: Wed, 4 Feb 2026 08:40:29 +0000 +Subject: [PATCH] +Upstream-Status: Backport + https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21 +CVE : CVE-2025-9714 + +Signed-off-by: skondu363 +--- + xpath.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/xpath.c b/xpath.c +index c2d8458..028471d 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -13883,12 +13883,11 @@ static int + xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) + { + xmlXPathCompExprPtr comp; ++ int oldDepth; + + if ((ctxt == NULL) || (ctxt->comp == NULL)) + return(-1); + +- ctxt->context->depth = 0; +- + if (ctxt->valueTab == NULL) { + /* Allocate the value stack */ + ctxt->valueTab = (xmlXPathObjectPtr *) +@@ -13942,11 +13941,13 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool) + "xmlXPathRunEval: last is less than zero\n"); + return(-1); + } ++ oldDepth = ctxt->context->depth; + if (toBool) + return(xmlXPathCompOpEvalToBoolean(ctxt, + &comp->steps[comp->last], 0)); + else + xmlXPathCompOpEval(ctxt, &comp->steps[comp->last]); ++ ctxt->context->depth = oldDepth; + + return(0); + } +@@ -14217,6 +14218,7 @@ xmlXPathCompExprPtr + xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { + xmlXPathParserContextPtr pctxt; + xmlXPathCompExprPtr comp; ++ int oldDepth = 0; + + #ifdef XPATH_STREAMING + comp = xmlXPathTryStreamCompile(ctxt, str); +@@ -14230,8 +14232,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { + if (pctxt == NULL) + return NULL; + if (ctxt != NULL) +- ctxt->depth = 0; ++ oldDepth = ctxt->depth; + xmlXPathCompileExpr(pctxt, 1); ++ if (ctxt != NULL) ++ ctxt->depth = oldDepth; + + if( pctxt->error != XPATH_EXPRESSION_OK ) + { +@@ -14252,8 +14256,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) { + comp = pctxt->comp; + if ((comp->nbStep > 1) && (comp->last >= 0)) { + if (ctxt != NULL) +- ctxt->depth = 0; ++ oldDepth = ctxt->depth; + xmlXPathOptimizeExpression(pctxt, &comp->steps[comp->last]); ++ if (ctxt != NULL) ++ ctxt->depth = oldDepth; + } + pctxt->comp = NULL; + } +@@ -14409,6 +14415,7 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) { + #ifdef XPATH_STREAMING + xmlXPathCompExprPtr comp; + #endif ++ int oldDepth = 0; + + if (ctxt == NULL) return; + +@@ -14422,8 +14429,10 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) { + #endif + { + if (ctxt->context != NULL) +- ctxt->context->depth = 0; ++ oldDepth = ctxt->context->depth; + xmlXPathCompileExpr(ctxt, 1); ++ if (ctxt->context != NULL) ++ ctxt->context->depth = oldDepth; + CHECK_ERROR; + + /* Check for trailing characters. */ +@@ -14432,9 +14441,11 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) { + + if ((ctxt->comp->nbStep > 1) && (ctxt->comp->last >= 0)) { + if (ctxt->context != NULL) +- ctxt->context->depth = 0; ++ oldDepth = ctxt->context->depth; + xmlXPathOptimizeExpression(ctxt, + &ctxt->comp->steps[ctxt->comp->last]); ++ if (ctxt->context != NULL) ++ ctxt->context->depth = oldDepth; + } + } + diff --git a/recipes-core/libxml2/libxml2_2.9.14.bbappend b/recipes-core/libxml2/libxml2_2.9.14.bbappend index b1728153..4c38824f 100644 --- a/recipes-core/libxml2/libxml2_2.9.14.bbappend +++ b/recipes-core/libxml2/libxml2_2.9.14.bbappend @@ -1,4 +1,7 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI:append = " file://CVE-2025-27113_2.9.14_fix.patch \ + file://CVE-2025-9714_2.9.14_fix.patch \ + file://CVE-2025-6021_2.9.14_fix.patch \ + file://CVE-2025-24928_2.9.14_fix.patch \ " diff --git a/recipes-support/cjson/cjson_1.7%.bbappend b/recipes-support/cjson/cjson_1.7%.bbappend new file mode 100644 index 00000000..2f1e4e7b --- /dev/null +++ b/recipes-support/cjson/cjson_1.7%.bbappend @@ -0,0 +1,4 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/files:" + + +SRC_URI:append = " file://CVE-2025-57052_1.7.15_fix.patch" diff --git a/recipes-support/cjson/files/CVE-2025-57052_1.7.15_fix.patch b/recipes-support/cjson/files/CVE-2025-57052_1.7.15_fix.patch new file mode 100644 index 00000000..5df108de --- /dev/null +++ b/recipes-support/cjson/files/CVE-2025-57052_1.7.15_fix.patch @@ -0,0 +1,26 @@ +From e6e611413e310bcd4fc6b99062d8dd9b7591bab4 Mon Sep 17 00:00:00 2001 +From: skondu363 +Date: Wed, 4 Feb 2026 06:52:38 +0000 +Subject: [PATCH] +Upstream-Status: Backport + https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa4139126967f6d289b675b4b36fef.patch +CVE: CVE-2025-57052 + +Signed-off-by: skondu363 +--- + cJSON_Utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cJSON_Utils.c b/cJSON_Utils.c +index c7c6439..95b4e19 100644 +--- a/cJSON_Utils.c ++++ b/cJSON_Utils.c +@@ -282,7 +282,7 @@ static cJSON_bool decode_array_index_from_pointer(const unsigned char * const po + return 0; + } + +- for (position = 0; (pointer[position] >= '0') && (pointer[0] <= '9'); position++) ++ for (position = 0; (pointer[position] >= '0') && (pointer[position] <= '9'); position++) + { + parsed_index = (10 * parsed_index) + (size_t)(pointer[position] - '0'); + diff --git a/recipes-support/curl/curl_7.82%.bbappend b/recipes-support/curl/curl_7.82%.bbappend index 810679f0..474d0b06 100644 --- a/recipes-support/curl/curl_7.82%.bbappend +++ b/recipes-support/curl/curl_7.82%.bbappend @@ -1,6 +1,8 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}_${PV}:" -SRC_URI:append = " file://ocsp_request_to_CA_Directly_curl_7.82.patch" +SRC_URI:append = " file://ocsp_request_to_CA_Directly_curl_7.82.patch \ + file://CVE-2025-0725_7.82_fix.patch \ +" CURLGNUTLS = "--without-gnutls --with-ssl" DEPENDS += " openssl" diff --git a/recipes-support/curl/curl_7.82%/CVE-2025-0725_7.82_fix.patch b/recipes-support/curl/curl_7.82%/CVE-2025-0725_7.82_fix.patch new file mode 100644 index 00000000..79fe3181 --- /dev/null +++ b/recipes-support/curl/curl_7.82%/CVE-2025-0725_7.82_fix.patch @@ -0,0 +1,347 @@ +From 8b1173d2fbe856ad7fea6027f5cd3c716a13229e Mon Sep 17 00:00:00 2001 +From: skondu363 +Date: Fri, 6 Feb 2026 05:27:33 +0000 +Subject: [PATCH] +Upstream-Status: Backport + https://github.com/curl/curl/commit/76f83f0db23846e254d940ec7 CVE : + CVE-2025-0725 + +Signed-off-by: skondu363 +--- + docs/INTERNALS.md | 2 +- + lib/content_encoding.c | 233 ++--------------------------------------- + 2 files changed, 8 insertions(+), 227 deletions(-) + +diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md +index c9fe47e..e4a7ae0 100644 +--- a/docs/INTERNALS.md ++++ b/docs/INTERNALS.md +@@ -20,7 +20,7 @@ versions of libs, tools and operating systems. + + - OpenSSL 0.9.7 + - GnuTLS 3.1.10 +- - zlib 1.1.4 ++ - zlib 1.2.0.4 + - libssh2 1.0 + - c-ares 1.16.0 + - libidn2 2.0.0 +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index 29dc660..6b5573f 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -52,31 +52,14 @@ + + #define DSIZ CURL_MAX_WRITE_SIZE /* buffer size for decompressed data */ + +- + #ifdef HAVE_LIBZ + +-/* Comment this out if zlib is always going to be at least ver. 1.2.0.4 +- (doing so will reduce code size slightly). */ +-#define OLD_ZLIB_SUPPORT 1 +- +-#define GZIP_MAGIC_0 0x1f +-#define GZIP_MAGIC_1 0x8b +- +-/* gzip flag byte */ +-#define ASCII_FLAG 0x01 /* bit 0 set: file probably ascii text */ +-#define HEAD_CRC 0x02 /* bit 1 set: header CRC present */ +-#define EXTRA_FIELD 0x04 /* bit 2 set: extra field present */ +-#define ORIG_NAME 0x08 /* bit 3 set: original file name present */ +-#define COMMENT 0x10 /* bit 4 set: file comment present */ +-#define RESERVED 0xE0 /* bits 5..7: reserved */ + + typedef enum { + ZLIB_UNINIT, /* uninitialized */ + ZLIB_INIT, /* initialized */ + ZLIB_INFLATING, /* inflating started. */ + ZLIB_EXTERNAL_TRAILER, /* reading external trailer */ +- ZLIB_GZIP_HEADER, /* reading gzip header */ +- ZLIB_GZIP_INFLATING, /* inflating gzip stream */ + ZLIB_INIT_GZIP /* initialized in transparent gzip mode */ + } zlibInitState; + +@@ -120,8 +103,6 @@ static CURLcode + exit_zlib(struct Curl_easy *data, + z_stream *z, zlibInitState *zlib_init, CURLcode result) + { +- if(*zlib_init == ZLIB_GZIP_HEADER) +- Curl_safefree(z->next_in); + + if(*zlib_init != ZLIB_UNINIT) { + if(inflateEnd(z) != Z_OK && result == CURLE_OK) +@@ -171,8 +152,7 @@ static CURLcode inflate_stream(struct Curl_easy *data, + /* Check state. */ + if(zp->zlib_init != ZLIB_INIT && + zp->zlib_init != ZLIB_INFLATING && +- zp->zlib_init != ZLIB_INIT_GZIP && +- zp->zlib_init != ZLIB_GZIP_INFLATING) ++ zp->zlib_init != ZLIB_INIT_GZIP) + return exit_zlib(data, z, &zp->zlib_init, CURLE_WRITE_ERROR); + + /* Dynamically allocate a buffer for decompression because it's uncommonly +@@ -322,6 +302,7 @@ static CURLcode gzip_init_writer(struct Curl_easy *data, + { + struct zlib_params *zp = (struct zlib_params *) &writer->params; + z_stream *z = &zp->z; /* zlib state structure */ ++ const char *v = zlibVersion(); + + if(!writer->downstream) + return CURLE_WRITE_ERROR; +@@ -330,109 +311,21 @@ static CURLcode gzip_init_writer(struct Curl_easy *data, + z->zalloc = (alloc_func) zalloc_cb; + z->zfree = (free_func) zfree_cb; + +- if(strcmp(zlibVersion(), "1.2.0.4") >= 0) { +- /* zlib ver. >= 1.2.0.4 supports transparent gzip decompressing */ ++ if(strcmp(v, "1.2.0.4") >= 0) { ++ /* zlib version >= 1.2.0.4 supports transparent gzip decompressing */ + if(inflateInit2(z, MAX_WBITS + 32) != Z_OK) { + return process_zlib_error(data, z); + } + zp->zlib_init = ZLIB_INIT_GZIP; /* Transparent gzip decompress state */ + } + else { +- /* we must parse the gzip header and trailer ourselves */ +- if(inflateInit2(z, -MAX_WBITS) != Z_OK) { +- return process_zlib_error(data, z); +- } +- zp->trailerlen = 8; /* A CRC-32 and a 32-bit input size (RFC 1952, 2.2) */ +- zp->zlib_init = ZLIB_INIT; /* Initial call state */ ++ failf(data, "too old zlib version: %s", v); ++ return CURLE_FAILED_INIT; + } + + return CURLE_OK; + } + +-#ifdef OLD_ZLIB_SUPPORT +-/* Skip over the gzip header */ +-static enum { +- GZIP_OK, +- GZIP_BAD, +- GZIP_UNDERFLOW +-} check_gzip_header(unsigned char const *data, ssize_t len, ssize_t *headerlen) +-{ +- int method, flags; +- const ssize_t totallen = len; +- +- /* The shortest header is 10 bytes */ +- if(len < 10) +- return GZIP_UNDERFLOW; +- +- if((data[0] != GZIP_MAGIC_0) || (data[1] != GZIP_MAGIC_1)) +- return GZIP_BAD; +- +- method = data[2]; +- flags = data[3]; +- +- if(method != Z_DEFLATED || (flags & RESERVED) != 0) { +- /* Can't handle this compression method or unknown flag */ +- return GZIP_BAD; +- } +- +- /* Skip over time, xflags, OS code and all previous bytes */ +- len -= 10; +- data += 10; +- +- if(flags & EXTRA_FIELD) { +- ssize_t extra_len; +- +- if(len < 2) +- return GZIP_UNDERFLOW; +- +- extra_len = (data[1] << 8) | data[0]; +- +- if(len < (extra_len + 2)) +- return GZIP_UNDERFLOW; +- +- len -= (extra_len + 2); +- data += (extra_len + 2); +- } +- +- if(flags & ORIG_NAME) { +- /* Skip over NUL-terminated file name */ +- while(len && *data) { +- --len; +- ++data; +- } +- if(!len || *data) +- return GZIP_UNDERFLOW; +- +- /* Skip over the NUL */ +- --len; +- ++data; +- } +- +- if(flags & COMMENT) { +- /* Skip over NUL-terminated comment */ +- while(len && *data) { +- --len; +- ++data; +- } +- if(!len || *data) +- return GZIP_UNDERFLOW; +- +- /* Skip over the NUL */ +- --len; +- } +- +- if(flags & HEAD_CRC) { +- if(len < 2) +- return GZIP_UNDERFLOW; +- +- len -= 2; +- } +- +- *headerlen = totallen - len; +- return GZIP_OK; +-} +-#endif +- + static CURLcode gzip_unencode_write(struct Curl_easy *data, + struct contenc_writer *writer, + const char *buf, size_t nbytes) +@@ -448,117 +341,8 @@ static CURLcode gzip_unencode_write(struct Curl_easy *data, + return inflate_stream(data, writer, ZLIB_INIT_GZIP); + } + +-#ifndef OLD_ZLIB_SUPPORT +- /* Support for old zlib versions is compiled away and we are running with +- an old version, so return an error. */ ++ /* We are running with an old version: return error. */ + return exit_zlib(data, z, &zp->zlib_init, CURLE_WRITE_ERROR); +- +-#else +- /* This next mess is to get around the potential case where there isn't +- * enough data passed in to skip over the gzip header. If that happens, we +- * malloc a block and copy what we have then wait for the next call. If +- * there still isn't enough (this is definitely a worst-case scenario), we +- * make the block bigger, copy the next part in and keep waiting. +- * +- * This is only required with zlib versions < 1.2.0.4 as newer versions +- * can handle the gzip header themselves. +- */ +- +- switch(zp->zlib_init) { +- /* Skip over gzip header? */ +- case ZLIB_INIT: +- { +- /* Initial call state */ +- ssize_t hlen; +- +- switch(check_gzip_header((unsigned char *) buf, nbytes, &hlen)) { +- case GZIP_OK: +- z->next_in = (Bytef *) buf + hlen; +- z->avail_in = (uInt) (nbytes - hlen); +- zp->zlib_init = ZLIB_GZIP_INFLATING; /* Inflating stream state */ +- break; +- +- case GZIP_UNDERFLOW: +- /* We need more data so we can find the end of the gzip header. It's +- * possible that the memory block we malloc here will never be freed if +- * the transfer abruptly aborts after this point. Since it's unlikely +- * that circumstances will be right for this code path to be followed in +- * the first place, and it's even more unlikely for a transfer to fail +- * immediately afterwards, it should seldom be a problem. +- */ +- z->avail_in = (uInt) nbytes; +- z->next_in = malloc(z->avail_in); +- if(!z->next_in) { +- return exit_zlib(data, z, &zp->zlib_init, CURLE_OUT_OF_MEMORY); +- } +- memcpy(z->next_in, buf, z->avail_in); +- zp->zlib_init = ZLIB_GZIP_HEADER; /* Need more gzip header data state */ +- /* We don't have any data to inflate yet */ +- return CURLE_OK; +- +- case GZIP_BAD: +- default: +- return exit_zlib(data, z, &zp->zlib_init, process_zlib_error(data, z)); +- } +- +- } +- break; +- +- case ZLIB_GZIP_HEADER: +- { +- /* Need more gzip header data state */ +- ssize_t hlen; +- z->avail_in += (uInt) nbytes; +- z->next_in = Curl_saferealloc(z->next_in, z->avail_in); +- if(!z->next_in) { +- return exit_zlib(data, z, &zp->zlib_init, CURLE_OUT_OF_MEMORY); +- } +- /* Append the new block of data to the previous one */ +- memcpy(z->next_in + z->avail_in - nbytes, buf, nbytes); +- +- switch(check_gzip_header(z->next_in, z->avail_in, &hlen)) { +- case GZIP_OK: +- /* This is the zlib stream data */ +- free(z->next_in); +- /* Don't point into the malloced block since we just freed it */ +- z->next_in = (Bytef *) buf + hlen + nbytes - z->avail_in; +- z->avail_in = (uInt) (z->avail_in - hlen); +- zp->zlib_init = ZLIB_GZIP_INFLATING; /* Inflating stream state */ +- break; +- +- case GZIP_UNDERFLOW: +- /* We still don't have any data to inflate! */ +- return CURLE_OK; +- +- case GZIP_BAD: +- default: +- return exit_zlib(data, z, &zp->zlib_init, process_zlib_error(data, z)); +- } +- +- } +- break; +- +- case ZLIB_EXTERNAL_TRAILER: +- z->next_in = (Bytef *) buf; +- z->avail_in = (uInt) nbytes; +- return process_trailer(data, zp); +- +- case ZLIB_GZIP_INFLATING: +- default: +- /* Inflating stream state */ +- z->next_in = (Bytef *) buf; +- z->avail_in = (uInt) nbytes; +- break; +- } +- +- if(z->avail_in == 0) { +- /* We don't have any data to inflate; wait until next time */ +- return CURLE_OK; +- } +- +- /* We've parsed the header, now uncompress the data */ +- return inflate_stream(data, writer, ZLIB_GZIP_INFLATING); +-#endif + } + + static void gzip_close_writer(struct Curl_easy *data, +@@ -581,7 +365,6 @@ static const struct content_encoding gzip_encoding = { + + #endif /* HAVE_LIBZ */ + +- + #ifdef HAVE_BROTLI + /* Writer parameters. */ + struct brotli_params { +@@ -709,7 +492,6 @@ static const struct content_encoding brotli_encoding = { + }; + #endif + +- + #ifdef HAVE_ZSTD + /* Writer parameters. */ + struct zstd_params { +@@ -798,7 +580,6 @@ static const struct content_encoding zstd_encoding = { + }; + #endif + +- + /* Identity handler. */ + static CURLcode identity_init_writer(struct Curl_easy *data, + struct contenc_writer *writer) diff --git a/recipes-support/libarchive/libarchive/CVE-2025-5914_3.6.1_fix.patch b/recipes-support/libarchive/libarchive/CVE-2025-5914_3.6.1_fix.patch new file mode 100644 index 00000000..f809ae51 --- /dev/null +++ b/recipes-support/libarchive/libarchive/CVE-2025-5914_3.6.1_fix.patch @@ -0,0 +1,37 @@ +From 789cf87ef52160c605a4374a1e5beade4faec71e Mon Sep 17 00:00:00 2001 +From: skondu363 +Date: Wed, 4 Feb 2026 08:27:25 +0000 +Subject: [PATCH] +Upstream-Status: Backport + https://patchwork.yoctoproject.org/project/oe/patch/20251101210826.1359970-1-peter.marko@siemens.com/ +CVE: CVE-2025-5914 + +Signed-off-by: skondu363 +--- + libarchive/archive_read_support_format_rar.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c +index 97474b72..3c7f7b49 100644 +--- a/libarchive/archive_read_support_format_rar.c ++++ b/libarchive/archive_read_support_format_rar.c +@@ -335,8 +335,8 @@ struct rar + int found_first_header; + char has_endarc_header; + struct data_block_offsets *dbo; +- unsigned int cursor; +- unsigned int nodes; ++ size_t cursor; ++ size_t nodes; + char filename_must_match; + + /* LZSS members */ +@@ -1182,7 +1182,7 @@ archive_read_format_rar_seek_data(struct archive_read *a, int64_t offset, + int whence) + { + int64_t client_offset, ret; +- unsigned int i; ++ size_t i; + struct rar *rar = (struct rar *)(a->format->data); + + if (rar->compression_method == COMPRESS_METHOD_STORE) diff --git a/recipes-support/libarchive/libarchive_3.6.1.bbappend b/recipes-support/libarchive/libarchive_3.6.1.bbappend index 5d2907c6..cd85c3ff 100644 --- a/recipes-support/libarchive/libarchive_3.6.1.bbappend +++ b/recipes-support/libarchive/libarchive_3.6.1.bbappend @@ -4,4 +4,5 @@ SRC_URI:append = " file://CVE-2022-36227_fix.patch \ file://CVE-2024-48957_fix.patch \ file://CVE-2024-48958_fix.patch \ file://CVE-2024-26256_3.6.1_fix.patch \ + file://CVE-2025-5914_3.6.1_fix.patch \ "