This patch applies the upstream fix as referenced in [1], using the commit shown in [2].
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-42250 [2] https://sourceware.org/cgit/bzip2/commit/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 Signed-off-by: Jaipaul Cheernam <[email protected]> --- .../bzip2/bzip2/CVE-2026-42250.patch | 35 +++++++++++++++++++ meta/recipes-extended/bzip2/bzip2_1.0.8.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-extended/bzip2/bzip2/CVE-2026-42250.patch diff --git a/meta/recipes-extended/bzip2/bzip2/CVE-2026-42250.patch b/meta/recipes-extended/bzip2/bzip2/CVE-2026-42250.patch new file mode 100644 index 0000000000..1679e74447 --- /dev/null +++ b/meta/recipes-extended/bzip2/bzip2/CVE-2026-42250.patch @@ -0,0 +1,35 @@ +From 71bf61d2e664c754ae5b1eb04018c8eaf5f99ae3 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard <[email protected]> +Date: Thu, 28 May 2026 16:15:45 +0200 +Subject: [PATCH] bzip2recover: Make sure to not process more than + BZ_MAX_HANDLED_BLOCKS + +There is an off-by-one in the check before calling tooManyBlocks. This +causes the scanning loop to run one more time and cause a possible +read or write one past the global bStart, bEnd, rbStart and rbEnd +buffers. There are no known exploits of this issue and you will need +to compile with something like gcc -fsanitize=address (ASAN +AddressSanitizer) to observe the faulty read/write. + +This has been assigned CVE-2026-42250. + +CVE: CVE-2026-42250 +Upstream-Status: Backport [https://sourceware.org/cgit/bzip2/commit/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67] +Signed-off-by: Jaipaul Cheernam <[email protected]> +--- + bzip2recover.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bzip2recover.c b/bzip2recover.c +index a8131e0..4b1c219 100644 +--- a/bzip2recover.c ++++ b/bzip2recover.c +@@ -402,7 +402,7 @@ Int32 main ( Int32 argc, Char** argv ) + rbEnd[rbCtr] = bEnd[currBlock]; + rbCtr++; + } +- if (currBlock >= BZ_MAX_HANDLED_BLOCKS) ++ if (currBlock >= BZ_MAX_HANDLED_BLOCKS - 1) + tooManyBlocks(BZ_MAX_HANDLED_BLOCKS); + currBlock++; + diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.8.bb b/meta/recipes-extended/bzip2/bzip2_1.0.8.bb index f922490868..b661bc9546 100644 --- a/meta/recipes-extended/bzip2/bzip2_1.0.8.bb +++ b/meta/recipes-extended/bzip2/bzip2_1.0.8.bb @@ -26,6 +26,7 @@ SRC_URI = "https://sourceware.org/pub/${BPN}/${BPN}-${PV}.tar.gz \ file://configure.ac;subdir=${BP} \ file://Makefile.am;subdir=${BP} \ file://run-ptest \ + file://CVE-2026-42250.patch;subdir=${BP} \ " SRC_URI[md5sum] = "67e051268d0c475ea773822f7500d0e5" SRC_URI[sha256sum] = "ab5a03176ee106d3f0fa90e381da478ddae405918153cca248e682cd0c4a2269"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240619): https://lists.openembedded.org/g/openembedded-core/message/240619 Mute This Topic: https://lists.openembedded.org/mt/120203541/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
