From: Adarsh Jagadish Kamini <[email protected]> Backport patch to fix CVE-2026-9150. https://nvd.nist.gov/vuln/detail/CVE-2026-9150
Upstream fix: https://github.com/openSUSE/libsolv/pull/616 Signed-off-by: Adarsh Jagadish Kamini <[email protected]> --- .../libsolv/libsolv/CVE-2026-9150.patch | 68 +++++++++++++++++++ .../libsolv/libsolv_0.7.28.bb | 1 + 2 files changed, 69 insertions(+) create mode 100644 meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch diff --git a/meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch b/meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch new file mode 100644 index 0000000000..4903edb599 --- /dev/null +++ b/meta/recipes-extended/libsolv/libsolv/CVE-2026-9150.patch @@ -0,0 +1,68 @@ +From bea261fd0924ecd5c7e5579f460133ec023c6def Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Wed, 22 Apr 2026 09:18:29 +0200 +Subject: [PATCH] Fix a buffer overflow when copying SHA-384/512 checksum from + a Debian repository + +When parsing Debian repository, control2solvable() copies a package +checksum string from the repository into a stack-allocated "char +checksum[32 * 2 + 1]" array. + +If the repository defined a SHA384 or SHA512 tag, a buffer overflow +occured (as can be seen when compiling libsolv with CFLAGS='-O0 -g +-fsanitize=address') because those tag values are longer: + + $ cat /tmp/Packages + Package: p + Version: 1 + Architecture: all + SHA512: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + + $ /tmp/b/tools/deb2solv -r /tmp/Packages + ================================================================= + ==3695==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7b685ecf0071 at pc 0x7f6861683722 b + p 0x7fff37e3e7a0 sp 0x7fff37e3df60 + WRITE of size 129 at 0x7b685ecf0071 thread T0 + #0 0x7f6861683721 in strcpy.part.0 (/lib64/libasan.so.8+0x83721) (BuildId: 80bfc4ae44fdec6ef5fecfb01e2b57d28660991c) + #1 0x7f6861d7f34d in control2solvable /home/test/libsolv/ext/repo_deb.c:491 + #2 0x7f6861d804ea in repo_add_debpackages /home/test/libsolv/ext/repo_deb.c:622 + #3 0x000000400fd5 in main /home/test/libsolv/tools/deb2solv.c:134 + #4 0x7f686123c680 in __libc_start_call_main (/lib64/libc.so.6+0x3680) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9) + #5 0x7f686123c797 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3797) (BuildId: c04494d63bca865bedf571a4075ef8867ccf9fa9) + #6 0x000000400694 in _start (/tmp/b/tools/deb2solv+0x400694) (BuildId: a3350337819a51edd0c75293970d3458b5033bc9) + + Address 0x7b685ecf0071 is located in stack of thread T0 at offset 113 in frame + #0 0x7f6861d7de2a in control2solvable /home/test/libsolv/ext/repo_deb.c:365 + + This frame has 1 object(s): + [48, 113) 'checksum' (line 371) <== Memory access at offset 113 overflows this variable + +This patch fixes it by enlarging the buffer to accomodate the longest +supported digest string. + +This flaw was introduced with c8164bfecf2ba8bcf4c24329534d3104f19da73c +commit ("[ABI BREAKAGE] add support for SHA224/384/512"). + +Reported by Aisle Research. + +CVE: CVE-2026-9150 +Upstream-Status: Backport [https://github.com/openSUSE/libsolv/commit/c5b5db52aebde00bdeacecf4d0569c217ab3187d] + +Signed-off-by: Adarsh Jagadish Kamini <[email protected]> +--- + ext/repo_deb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/repo_deb.c b/ext/repo_deb.c +index d400f959..25eaf8cb 100644 +--- a/ext/repo_deb.c ++++ b/ext/repo_deb.c +@@ -368,7 +368,7 @@ control2solvable(Solvable *s, Repodata *data, char *control) + char *p, *q, *end, *tag; + int x, l; + int havesource = 0; +- char checksum[32 * 2 + 1]; ++ char checksum[64 * 2 + 1]; + Id checksumtype = 0; + Id newtype; + diff --git a/meta/recipes-extended/libsolv/libsolv_0.7.28.bb b/meta/recipes-extended/libsolv/libsolv_0.7.28.bb index 201059323a..63534dce26 100644 --- a/meta/recipes-extended/libsolv/libsolv_0.7.28.bb +++ b/meta/recipes-extended/libsolv/libsolv_0.7.28.bb @@ -10,6 +10,7 @@ DEPENDS = "expat zlib zstd" SRC_URI = "git://github.com/openSUSE/libsolv.git;branch=master;protocol=https \ file://0001-utils-Conside-musl-when-wrapping-qsort_r.patch \ + file://CVE-2026-9150.patch \ " SRCREV = "c8dbb3a77c86600ce09d4f80a504cf4e78a3c359" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#238232): https://lists.openembedded.org/g/openembedded-core/message/238232 Mute This Topic: https://lists.openembedded.org/mt/119704401/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
