Fixes the following CVEs:
- CVE-2024-41957
- CVE-2024-41965
- CVE-2024-45306
- CVE-2024-47814
- CVE-2025-1215
- CVE-2025-22134
- CVE-2025-24014
- CVE-2025-26603
- CVE-2025-29768
- CVE-2025-53905
- CVE-2025-53906
README.txt got updated three times since the last bump:
- [0] updated some wording regarding who the developers are.
- [1] updated the link to the release archives
- [2] updated the goals of the project
netrw (the builtin file explorer of vim) changed maintainer and was
subsequently restructured [3]. Therefore we need to run installpack,
otherwise we run into this on startup (reported by Julien, thanks!):
Error detected while processing
/usr/share/vim/vim91/plugin/netrwPlugin.vim:
line 7:
E919: Directory not found in 'packpath': "pack/*/opt/netrw"
Press ENTER or type command to continue
[0]: b75825f749
[1]: 4225f28855
[2]: 2bfd1ee161
[3]: 9cfdabb074
Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 089731c8ea)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since 256.12 systemd-networkd requires kernel >=5.4 due to the inclusion of
the sockios.h header, which uses the SIOCGSTAMP_OLD macro.
The same change has already been applied to master/2025.08 in
7d8d48cd2b
Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fix the following vulnerability:
- CVE-2025-46688
quickjs-ng through 0.9.0 has an incorrect size calculation in
JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow.
QuickJS before 2025-04-26 is also affected.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-46688
- 1eb05e44fa
The patch is different from upstream since the BigInt implementation has
been added post 2024-01-13 (see commit [1]). The BigInt fix has been
stripped out to only keep the buffer overflow in the string
implementation.
On master, this CVE has been addressed with commit [2].
[1] 61e8b94428
[2] c5c7c44fa5 package/quickjs: bump to version 2025-04-26
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The each_cpe() method takes care of the case where a CVE has no
"configurations", but some CVEs, such as
https://nvd.nist.gov/vuln/detail/CVE-2025-32915, apparently have a
"configurations" node but no "nodes" inside the "configurations",
causing an exception:
Traceback (most recent call last):
  File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 1382, in <module>
    __main__()
  File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 1371, in __main__
    check_package_cves(args.nvd_path, packages)
  File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 679, in check_package_cves
    check_package_cve_affects(cve, cpe_product_pkgs)
  File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 638, in check_package_cve_affects
    for product in cve.affected_products:
                   ^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 185, in affected_products
    return set(cpe_product(p['id']) for p in self.each_cpe())
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 185, in <genexpr>
    return set(cpe_product(p['id']) for p in self.each_cpe())
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 173, in each_cpe
    for node in nodes['nodes']:
                ~~~~~^^^^^^^^^
KeyError: 'nodes'
Fixes:
54f8d97c91 ("support/scripts/pkg-stats: adapt to NVD v2 json format")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Romain:
- add reference to buildroot commit introducing the issue
- a similar patch was sent by Daniel Lang (thanks!)
- needed on 2025.02.x to fix "Daily results" email]
(cherry picked from commit 67422b9d9c)
Signed-off-by: Romain Naour <romain.naour@smile.fr>
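As an added illustration of the failure mode described in the commit above (this is example code written for this page, not Buildroot's support/scripts/cve.py, whose fixed version is not shown here), the block below walks the NVD 2.0 CVE JSON tree tolerantly. It assumes the NVD 2.0 API field names (configurations -> nodes -> cpeMatch -> criteria/vulnerable); the three CVE records it runs on are constructed, not real NVD data, and naive_each_cpe() is a reconstruction of the shape implied by the traceback, not the original code.

```python
"""Tolerant iteration over NVD 2.0 CVE 'configurations'.

Added example, not Buildroot's cve.py. Assumes the NVD 2.0 API layout:
record["configurations"] is a list of {"nodes": [ {"cpeMatch": [...]} ]},
and every cpeMatch entry carries "criteria" (a CPE 2.3 name) and "vulnerable".
"""
import json


def cpe_product(cpe_id: str) -> str:
    """Return the product field of a CPE 2.3 name (cpe:2.3:part:vendor:product:...)."""
    fields = cpe_id.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {cpe_id!r}")
    return fields[4]


def naive_each_cpe(nvd_cve: dict):
    """Reconstruction of the shape seen in the traceback: only the top level is guarded.

    A record whose 'configurations' entry has no 'nodes' raises KeyError('nodes').
    """
    if "configurations" not in nvd_cve:
        return
    for nodes in nvd_cve["configurations"]:
        for node in nodes["nodes"]:
            for cpe in node["cpeMatch"]:
                if cpe["vulnerable"]:
                    yield cpe


def each_cpe(nvd_cve: dict):
    """Yield every vulnerable cpeMatch entry, tolerating a missing level anywhere.

    dict.get() with an empty-list default covers: no 'configurations' at all,
    a 'configurations' entry without 'nodes' (the CVE-2025-32915 case), and a
    node without 'cpeMatch'. Non-vulnerable entries (e.g. the OS in a
    "running on" clause) are skipped, as they are not the affected product.
    """
    for configuration in nvd_cve.get("configurations", []):
        for node in configuration.get("nodes", []):
            for cpe in node.get("cpeMatch", []):
                if not cpe.get("vulnerable", False):
                    continue
                yield cpe


def affected_products(nvd_cve: dict) -> set:
    """Set of CPE product names the record marks as vulnerable."""
    return {cpe_product(cpe["criteria"]) for cpe in each_cpe(nvd_cve)}


def naive_raises(nvd_cve: dict) -> bool:
    """True if the unguarded walk blows up on this record."""
    try:
        list(naive_each_cpe(nvd_cve))
    except KeyError:
        return True
    return False


# Constructed sample records (not real NVD data), one per tree shape.
SAMPLE_CVES = {
    "constructed-normal": {
        "id": "constructed-normal",
        "configurations": [
            {"nodes": [
                {"operator": "OR", "negate": False, "cpeMatch": [
                    {"vulnerable": True,
                     "criteria": "cpe:2.3:a:gnu:elfutils:0.192:*:*:*:*:*:*:*"},
                    {"vulnerable": False,
                     "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"},
                ]},
            ]},
        ],
    },
    # 'configurations' present, but the entry has no 'nodes' key.
    "constructed-no-nodes": {"id": "constructed-no-nodes", "configurations": [{}]},
    # No 'configurations' key at all.
    "constructed-no-configurations": {"id": "constructed-no-configurations"},
}


def run_all() -> dict:
    """Map each sample record to its sorted list of affected products."""
    return {name: sorted(affected_products(rec)) for name, rec in SAMPLE_CVES.items()}


if __name__ == "__main__":
    print(json.dumps(run_all(), indent=2))
    for name, rec in SAMPLE_CVES.items():
        print(f"{name}: naive walk raises KeyError = {naive_raises(rec)}")
```

Guarding only the top-level key, as the pre-fix code did, is the general trap with NVD feeds: any optional level in the schema can be absent for an individual record, so every level of the descent needs a default, not just the first one.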
Fixes the following vulnerability:
- CVE-2025-54874
OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG 2.5.3 and
earlier, a call to opj_jp2_read_header may lead to OOB heap memory
write when the data stream p_stream is too short and p_image is not
initialized.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-54874
- f809b80c67
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c46fb3c8b3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This patch brings the entire stack of Debian patches on grub2 titled
"cve-2025-jan" and available at:
https://salsa.debian.org/grub-team/grub/-/tree/debian/2.12-9/debian/patches/cve-2025-jan?ref_type=tags
as of this exact Debian grub2 version, 2.12-9. Some minor conflicts had
to be fixed. All patches are in upstream Grub master, but mixed with
hundreds of other changes, which is why Debian's effort to backport
them has been leveraged here.
In addition to those patches, 2 extra patches are added:
0073-net-drivers-ieee1275-ofnet-Add-missing-grub_malloc.patch
0074-Constant-time-grub_crypto_memcmp.patch
The first one fixes an issue in one of the earlier patches. The fix is
not in Debian, but is in upstream Grub.
The second one fixes another CVE, not fixed in Debian, but fixed in
OpenSUSE. This fix is not upstream as upstream has decided to move to
libgcrypt instead to avoid the problem, but that's a fairly large
change.
Overall, this patch fixes all CVEs currently reported by pkg-stats
against our grub2 package, namely:
CVE-2024-45777
CVE-2024-45778
CVE-2024-45779
CVE-2024-45780
CVE-2024-45782
CVE-2024-56737
CVE-2024-56738
CVE-2025-0678
CVE-2025-0684
CVE-2025-0685
CVE-2025-0686
CVE-2025-0689
CVE-2025-1125
With the previous fixes on runtime tests added (to use glibc
toolchains to build grub2 tests), this commit successfully passes all
tests:
- The ISO9660 tests that use grub2:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1985234563
- The grub2 tests:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1985234685
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: also tested by building and booting
- qemu_aarch64_sbsa_defconfig
- qemu_arm_ebbr_defconfig
- qemu_loongarch64_virt_efi_defconfig
- qemu_riscv64_virt_efi_defconfig
- pc_x86_64_bios_defconfig
- pc_x86_64_efi_defconfig
]
Tested-by: Julien Olivain <ju.o@free.fr>
[Julien:
- fix patch #72 upstream link to point to the initial patch
submission rather than a reply
- merge two _IGNORE_CVES blocks for patch #50 into a single one
- order _IGNORE_CVES blocks by numerical patch order
- order numerically the CVE list in commit log
- add a "Fixes:" tag in patch #74 since its commit log does not
mention the CVE.
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ded3e0045a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Suniel's e-mail address at Amarula Solutions is bouncing, so let's
drop this stale entry:
<sunil@amarulasolutions.com>: host aspmx.l.google.com[142.250.27.26] said:
550-5.1.1 The email account that you tried to reach does not exist. Please
try 550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. For more information, go to 550 5.1.1
https://support.google.com/mail/?p=NoSuchUser
a640c23a62f3a-afcdce6d5e1si493680166b.9 - gsmtp (in reply to RCPT TO
command)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3c93cf106c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The original commit (aaa2b660a9 ("setserial: convert to autotargets
and fix manpages install")) wasn't entirely clear about why we went for
a removal of a patch from the tarball we get from Debian.
It is assumed the original patch mainly wanted to remove the strip and
make sure the directories are created before files are installed in
there. But doing only that made my build fail because the linker doesn't
find @CXXFLAGS@. After undoing the addition of this variable (and its
use) from 01_makefile.patch it now compiles just fine.
Therefore, instead of removing the patch from the tarball we get from
Debian, simply update the patch we carry in the tree to remove what's
necessary and simplify the patching logic.
This could also help identify notable differences between the
01_makefile.patch from two different versions whenever we upgrade.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c688a1a8a8)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Debian has a newer setserial which compiles on newer toolchains, so
let's update to it.
Noteworthy is the change from a big diff to a tarball containing the
whole debian directory. The series file which contains all patches to
apply is named properly so no need to rename 00list anymore. The patches
file extension is now .patch instead of .dpatch.
This fixes the build with BR2_TOOLCHAIN_EXTERNAL_ARM_AARCH64 external
toolchain (14.2.rel1).
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 871cdeab6a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Newer toolchains silently fail during the configure step. After some
investigation, it is because -Wimplicit-int is returned for one of the
simplest tests from the in-package configure file and thus fails the
configure step early, when checking if the compiler can produce an
executable.
Let's fix this by simply regenerating the configure file, similarly to
what Debian is doing, c.f. debian/rules.
Fixes:
https://autobuild.buildroot.net/results/ff7a9c3c42f11a2ab71fb04ff0f6d593ac9ee327/
(but there are more build failures later, fixed in a follow-up commit)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 26077c2d41)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since 64ac719952 ("apply-patches.sh: add recursivity when scanning
patchdir"), patches with the .dpatch file extension are simply ignored.
Unfortunately, the setserial package stopped applying the patches after
that commit.
Sadly, 0002-tiocghayesesp-build-fix.patch is breaking the patch context
for patch 18 in the debian diff because we are currently applying
patches from within Buildroot tree before applying the ones we download
from Debian. Instead of doing some hacks, let's apply Debian patches
before Buildroot's. However, this requires a few changes. First, we need
to migrate away from the SETSERIAL_PATCH mechanism because currently
_PRE_PATCH_HOOKS runs before this is applied and _POST_PATCH_HOOKS runs
after the Buildroot patches are applied.
Instead, let's use an _EXTRA_DOWNLOADS we manually extract à-la
package/android-tools/android-tools.mk. Then in the _PRE_PATCH_HOOKS, we
apply the big diff the _EXTRA_DOWNLOADS contains so that the patches
from within can be applied afterwards.
Because the big diff still contains only patches with the *.dpatch
extensions that are not supported anymore, we need to either rename all
patches or use the 00list file that lists all patches in the order they
need to be applied. Fortunately, Buildroot already supports applying
patches with `patch` regardless of their extension if they are within
such a file. Unfortunately, it needs to be called "series", hence the
renaming.
Because patch 18 from the big diff is now applied before
0002-tiocghayesesp-build-fix.patch from Buildroot tree, the latter will
fail if left unmodified, so this commit also rebases it.
Finally, we keep the removal of 01_makefile.dpatch for now even though
it only exists because it generates a conflict with
0001-build-system-fix.patch from Buildroot tree. It'll be rebased in a
later commit though.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 534147af94)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building prboom with gcc-14 the following error appeared on the
autobuilder:
```
i_main.c: In function 'main':
i_main.c:359:10: error: assignment to 'const char * const*' from incompatible pointer type 'char **' [-Wincompatible-pointer-types]
359 | myargv = argv;
| ^
```
Since this package has not received any update for a while on the
sourceforge mirror, I backported the fix from a fork. For more
information see [1].
[1] 92d44b6383
Fixes: https://autobuild.buildroot.org/results/888/88846e3cb267b04da58bc17d92fd5dd385b65b5d
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c0bf3da45b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When using gcc-14 the compilation fails with the following error
message:
```
close.c: In function 'EIBClose':
close.c:38:3: error: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-declaration]
38 | close (con->fd);
| ^~~~~
| pclose
openlocal.c: In function 'EIBSocketLocal':
openlocal.c:57:7: error: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-declaration]
57 | close (con->fd);
| ^~~~~
| pclose
make[6]: *** [Makefile:611: close.lo] Error 1
```
This patch includes <unistd.h> to include the declaration of close.
Fixes: https://autobuild.buildroot.org/results/483/483fc4584815507c3798eb972e22e51f70f52c23/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 14955941e2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Unlike glibc and uClibc, musl doesn't play tricks with transparent
unions for the second argument to bind() to accept the various sockaddr
variants, but rather just defines it as "struct sockaddr*". As GCC 14 no
longer allows arbitrary implicit pointer casts, this results in a build
error. Import the upstream patch that adds the cast.
Fixes: https://autobuild.buildroot.org/results/00b/00b42a35a80c2deb61f2cd40aedd231597bbb290
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 562eb870fe)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_dmidecode fails when building its Kernel 6.6.39
with gcc 15.1.0.
This commit fixes the issue by updating the test Kernel to the
latest 6.6.y version (6.6.102 at the time of this commit) which
includes the fix for gcc-15.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686001
[1] 947dbc92a2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 93e37c58b0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_msr_tools fails when building its Kernel 5.15.55
with gcc 15.1.0.
This commit fixes the issue by updating the test Kernel to the latest
LTS version (6.12.42 at the time of this commit) which includes the
fix for gcc-15. Note: the 5.15.y series does not include this fix for
the x86_64 architecture, which is why this commit switches to 6.12.y.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686294
[1] 947dbc92a2
Cc: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 37bc7f99fd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_dpdk fails to build its Kernel 6.6.58 with
gcc 15.1.0.
This commit fixes the issue by updating the test Kernel version to
the latest 6.6.y version (6.6.102 at the time of this commit) which
includes the fix for gcc-15.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686010
[1] 947dbc92a2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 848ffba573)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_numactl fails to build its Kernel 6.1.75 with
gcc 15.1.0.
This commit fixes the issue by updating the test Kernel version to
the latest 6.1.y version (6.1.148 at the time of this commit) which
includes the fix for gcc-15.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686336
[1] 947dbc92a2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cc0812b6eb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_wine fails to build its Kernel 6.6.27 with
gcc 15.1.0.
This commit fixes the issue by updating the test Kernel version to
the latest 6.6.y version (6.6.102 at the time of this commit) which
includes the fix for gcc-15.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686766
[1] 947dbc92a2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 20100403d3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For more details on the version bump, see:
- https://sourceware.org/git/?p=elfutils.git;a=blob;f=NEWS;h=47bf2c6a3b1f49c7adc1d0389de375290461a44c
Fixes the following security issues:
- CVE-2025-1352
A vulnerability has been found in GNU elfutils 0.192 and classified as
critical. This vulnerability affects the function __libdw_thread_tail
in the library libdw_alloc.c of the component eu-readelf. The
manipulation of the argument w leads to memory corruption. The attack
can be initiated remotely. The complexity of an attack is rather high.
The exploitation appears to be difficult. The exploit has been
disclosed to the public and may be used. The name of the patch is
2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1352
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=2636426a091bd6c6f7f02e49ab20d4cdc6bfc753
- CVE-2025-1365
A vulnerability, which was classified as critical, was found in GNU
elfutils 0.192. This affects the function process_symtab of the file
readelf.c of the component eu-readelf. The manipulation of the
argument D/a leads to buffer overflow. Local access is required to
approach this attack. The exploit has been disclosed to the public and
may be used. The identifier of the patch is
5e5c0394d82c53e97750fe7b18023e6f84157b81. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1365
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=5e5c0394d82c53e97750fe7b18023e6f84157b81
- CVE-2025-1371
A vulnerability has been found in GNU elfutils 0.192 and classified as
problematic. This vulnerability affects the function
handle_dynamic_symtab of the file readelf.c of the component eu-read.
The manipulation leads to null pointer dereference. Attacking locally
is a requirement. The exploit has been disclosed to the public and may
be used. The patch is identified as
b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1371
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=b38e562a4c907e08171c76b8b2def8464d5a104a
- CVE-2025-1372
A vulnerability was found in GNU elfutils 0.192. It has been declared
as critical. Affected by this vulnerability is the function
dump_data_section/print_string_section of the file readelf.c of the
component eu-readelf. The manipulation of the argument z/x leads to
buffer overflow. An attack has to be approached locally. The exploit
has been disclosed to the public and may be used. The identifier of
the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is
recommended to apply a patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1372
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db
- CVE-2025-1376
A vulnerability classified as problematic was found in GNU elfutils
0.192. This vulnerability affects the function elf_strptr in the
library /libelf/elf_strptr.c of the component eu-strip. The
manipulation leads to denial of service. It is possible to launch the
attack on the local host. The complexity of an attack is rather high.
The exploitation appears to be difficult. The exploit has been
disclosed to the public and may be used. The name of the patch is
b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1376
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=b16f441cca0a4841050e3215a9f120a6d8aea918
- CVE-2025-1377
A vulnerability, which was classified as problematic, has been found
in GNU elfutils 0.192. This issue affects the function
gelf_getsymshndx of the file strip.c of the component eu-strip. The
manipulation leads to denial of service. The attack needs to be
approached locally. The exploit has been disclosed to the public and
may be used. The identifier of the patch is
fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1377
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=fbf1df9ca286de3323ae541973b08449f8d03aba
Patch 0003 is now part of this release.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c7508a2324)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit b536caaec0 ("package/python-cython: bump to version
3.1.2"), python-numpy fails to build:
Error compiling Cython file:
------------------------------------------------------------
...
np.issubdtype(cov.dtype, np.complexfloating)):
raise TypeError("mean and cov must not be complex")
if size is None:
shape = []
elif isinstance(size, (int, long, np.integer)):
^
------------------------------------------------------------
numpy/random/_generator.pyx:3760:36: undeclared name not builtin: long
Backport upstream patch to fix that build failure.
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cfabe800ad)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerabilities:
- CVE-2023-2794:
A flaw was found in ofono, an Open Source Telephony on Linux. A stack
overflow bug is triggered within the decode_deliver() function during
the SMS decoding. It is assumed that the attack scenario is accessible
from a compromised modem, a malicious base station, or just SMS. There
is a bound check for this memcpy length in decode_submit(), but it was
forgotten in decode_deliver().
https://www.cve.org/CVERecord?id=CVE-2023-2794
- CVE-2024-7537:
oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure
Vulnerability. This vulnerability allows local attackers to disclose
sensitive information on affected installations of oFono.
Authentication is not required to exploit this vulnerability. The
specific flaw exists within the processing of SMS message lists. The
issue results from the lack of proper validation of user-supplied
data, which can result in a read past the end of an allocated buffer.
An attacker can leverage this in conjunction with other
vulnerabilities to execute arbitrary code in the context of root. Was
ZDI-CAN-23157.
https://www.cve.org/CVERecord?id=CVE-2024-7537
- CVE-2024-7539:
oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability.
This vulnerability allows local attackers to execute arbitrary code on
affected installations of oFono. An attacker must first obtain the
ability to execute code on the target modem in order to exploit this
vulnerability. The specific flaw exists within the parsing of
responses from AT+CUSD commands. The issue results from the lack of
proper validation of the length of user-supplied data prior to copying
it to a stack-based buffer. An attacker can leverage this
vulnerability to execute code in the context of root. Was ZDI-
CAN-23195.
https://www.cve.org/CVERecord?id=CVE-2024-7539
- CVE-2024-7540:
oFono AT CMGL Command Uninitialized Variable Information Disclosure
Vulnerability. This vulnerability allows local attackers to disclose
sensitive information on affected installations of oFono. An attacker
must first obtain the ability to execute code on the target modem in
order to exploit this vulnerability. The specific flaw exists within
the parsing of responses from AT+CMGL commands. The issue results from
the lack of proper initialization of memory prior to accessing it. An
attacker can leverage this in conjunction with other vulnerabilities
to execute arbitrary code in the context of root. Was ZDI-CAN-23307.
https://www.cve.org/CVERecord?id=CVE-2024-7540
- CVE-2024-7541:
oFono AT CMT Command Uninitialized Variable Information Disclosure
Vulnerability. This vulnerability allows local attackers to disclose
sensitive information on affected installations of oFono. An attacker
must first obtain the ability to execute code on the target modem in
order to exploit this vulnerability. The specific flaw exists within
the parsing of responses from AT+CMT commands. The issue results from
the lack of proper initialization of memory prior to accessing it. An
attacker can leverage this in conjunction with other vulnerabilities
to execute arbitrary code in the context of root. Was ZDI-CAN-23308.
https://www.cve.org/CVERecord?id=CVE-2024-7541
- CVE-2024-7542:
oFono AT CMGR Command Uninitialized Variable Information Disclosure
Vulnerability. This vulnerability allows local attackers to disclose
sensitive information on affected installations of oFono. An attacker
must first obtain the ability to execute code on the target modem in
order to exploit this vulnerability. The specific flaw exists within
the parsing of responses from AT+CMGR commands. The issue results from
the lack of proper initialization of memory prior to accessing it. An
attacker can leverage this in conjunction with other vulnerabilities
to execute arbitrary code in the context of root. Was ZDI-CAN-23309.
https://www.cve.org/CVERecord?id=CVE-2024-7542
Also drop local patch that is no longer applicable, since upstream now
relies on HAS_BACKTRACE as well.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
[Julien: remove .checkpackageignore entry to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 611a795cfc)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Drop the timestamp from the .tar.gz to make it reproducible, similar to how
it is done in support/download/helpers.
Notice: .xz files do not contain a timestamp.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 802d093060)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>