From: Shubham Pushpkar <[email protected]> This patch applies the upstream fix as referenced in [2], using the commit shown in [1].
[1] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-2219 Signed-off-by: Shubham Pushpkar <[email protected]> Signed-off-by: Yoann Congal <[email protected]> --- .../dpkg/dpkg/CVE-2026-2219.patch | 47 +++++++++++++++++++ meta/recipes-devtools/dpkg/dpkg_1.22.0.bb | 1 + 2 files changed, 48 insertions(+) create mode 100644 meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch diff --git a/meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch b/meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch new file mode 100644 index 00000000000..779ab924de6 --- /dev/null +++ b/meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch @@ -0,0 +1,47 @@ +From 6610297a62c0780dd0e80b0e302ef64fdcc9d313 Mon Sep 17 00:00:00 2001 +From: Guillem Jover <[email protected]> +Date: Sat, 7 Feb 2026 00:57:55 +0100 +Subject: [PATCH] libdpkg: Terminate zstd decompression when we have no more + data + +We should be checking whether the input buffer is zero-sized, and then +mark the stream as finished. Otherwise the zstd implementation does not +detect that as an end of stream situation and we get stuck in an +infinite loop spinning the CPU. This means the decompression process +in dpkg-deb does not terminate, so no EPIPE gets generated and the +other processes that are part of the unpacking do not stop either. + +Reported-by: Yashashree Gund <[email protected]> +Fixes: commit 2c2f7066bd8c3209762762fa6905fa567b08ca5a +Fixes: CVE-2026-2219 +Closes: #1129722 +Stable-Candidate: 1.21.x 1.22.x + +CVE: CVE-2026-2219 +Upstream-Status: Backport [https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313] + +(cherry picked from commit 6610297a62c0780dd0e80b0e302ef64fdcc9d313) +Signed-off-by: Shubham Pushpkar <[email protected]> +--- + lib/dpkg/compress.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/dpkg/compress.c b/lib/dpkg/compress.c +index adf26ea7..bf73affe 100644 +--- a/lib/dpkg/compress.c ++++ b/lib/dpkg/compress.c +@@ -1070,6 +1070,11 @@ filter_unzstd_code(struct io_zstd *io, struct io_zstd_stream *s) + ZSTD_outBuffer buf_out = { s->next_out, s->avail_out, 0 }; + size_t ret; + ++ if (buf_in.size == 0) { ++ s->status = DPKG_STREAM_END; ++ return; ++ } ++ + ret = ZSTD_decompressStream(s->ctx.d, &buf_out, &buf_in); + if (ZSTD_isError(ret)) + filter_zstd_error(io, ret); +-- +2.35.6 + diff --git a/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb b/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb index 41f51235085..16162ca926f 100644 --- a/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb +++ b/meta/recipes-devtools/dpkg/dpkg_1.22.0.bb @@ -15,6 +15,7 @@ SRC_URI = "git://salsa.debian.org/dpkg-team/dpkg.git;protocol=https;branch=main file://pager.patch \ file://0001-Add-support-for-riscv32-CPU.patch \ file://CVE-2025-6297.patch \ + file://CVE-2026-2219.patch \ " SRC_URI:append:class-native = " file://0001-build.c-ignore-return-of-1-from-tar-cf.patch"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239379): https://lists.openembedded.org/g/openembedded-core/message/239379 Mute This Topic: https://lists.openembedded.org/mt/119940219/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
