Projetos/rpi-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/poco: add patch for CVE-2025-6375

Browse Source 
This fixes the following vulnerability:

- CVE-2025-6375:

A vulnerability was found in poco up to 1.14.1. It has been rated as
problematic. Affected by this issue is the function MultipartInputStream
of the file Net/src/MultipartReader.cpp. The manipulation leads to null
pointer dereference. The attack needs to be approached locally. The
exploit has been disclosed to the public and may be used. Upgrading to
version 1.14.2 is able to address this issue. The patch is identified as
6f2f85913c191ab9ddfb8fae781f5d66afccf3bf. It is recommended to upgrade
the affected component.

For more information see:
  - https://nvd.nist.gov//vuln/detail/CVE-2025-6375
  - 6f2f85913c

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit is contained in:
Thomas Perale
2025-09-19 08:53:02 +02:00
committed by Julien Olivain
parent 4f0a9596e3
commit 36357247d5
2 changed files with 37 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
package/poco/0001-fix-Net-A-SEGV-at-Net-src-MultipartReader-cpp.patch Normal file
View File

@@ -0,0 +1,34 @@
From 6f2f85913c191ab9ddfb8fae781f5d66afccf3bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnter=20Obiltschnig?= <guenter.obiltschnig@appinf.com>
Date: Wed, 16 Apr 2025 09:15:33 +0200
Subject: [PATCH] fix(Net): A SEGV at Net/src/MultipartReader.cpp:164:1 #4915
(move assertion out of ctor)
Upstream: https://github.com/pocoproject/poco/commit/6f2f85913c191ab9ddfb8fae781f5d66afccf3bf
CVE: CVE-2025-6375
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
Net/src/MultipartReader.cpp | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/Net/src/MultipartReader.cpp b/Net/src/MultipartReader.cpp
index f3a2f2bba2..f4aa27dd86 100644
--- a/Net/src/MultipartReader.cpp
+++ b/Net/src/MultipartReader.cpp
@@ -36,7 +36,6 @@ MultipartStreamBuf::MultipartStreamBuf(std::istream& istr, const std::string& bo
_boundary(boundary),
_lastPart(false)
{
- poco_assert (!boundary.empty() && boundary.length() < STREAM_BUFFER_SIZE - 6);
}
@@ -47,7 +46,7 @@ MultipartStreamBuf::~MultipartStreamBuf()
int MultipartStreamBuf::readFromDevice(char* buffer, std::streamsize length)
{
- poco_assert_dbg (length >= _boundary.length() + 6);
+ poco_assert (!_boundary.empty() && _boundary.length() < length - 6);
static const int eof = std::char_traits<char>::eof();
std::streambuf& buf = *_istr.rdbuf();

3
package/poco/poco.mk
View File

@@ -11,6 +11,9 @@ POCO_LICENSE_FILES = LICENSE
POCO_CPE_ID_VENDOR = pocoproject
POCO_INSTALL_STAGING = YES
# 0001-fix-Net-A-SEGV-at-Net-src-MultipartReader-cpp.patch
POCO_IGNORE_CVES += CVE-2025-6375
POCO_DEPENDENCIES = \
pcre2 \
zlib \