Details: https://nvd.nist.gov/vuln/detail/CVE-2021-33464
The patch was taken from Debian: https://sources.debian.org/patches/yasm/1.3.0-8/1010-nasm-pp-no-env-CVE-2021-33464.patch/ Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../yasm/yasm/CVE-2021-33464.patch | 34 +++++++++++++++++++ meta-oe/recipes-devtools/yasm/yasm_git.bb | 1 + 2 files changed, 35 insertions(+) create mode 100644 meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33464.patch diff --git a/meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33464.patch b/meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33464.patch new file mode 100644 index 0000000000..ebae250ff9 --- /dev/null +++ b/meta-oe/recipes-devtools/yasm/yasm/CVE-2021-33464.patch @@ -0,0 +1,34 @@ +From 3c3f968d48d768c1e355199d4067d99cb72abc26 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari <[email protected]> +Date: Sat, 15 Nov 2025 13:30:12 +0100 +Subject: [PATCH] Handle file descriptors with nonexisting env names better. + Avoid writing past allocated memory. + +This fixes CVE-2021-33464. +Author: Petter Reinholdtsen <[email protected]> +Bug: https://github.com/yasm/yasm/issues/164 +Bug-Debian: https://bugs.debian.org/1016353 +Forwarded: https://github.com/yasm/yasm/issues/164 +Last-Update: 2025-04-30 + +CVE: CVE-2021-33464 +Upstream-Status: Submitted [https://github.com/yasm/yasm/issues/164] + +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + modules/preprocs/nasm/nasm-pp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/preprocs/nasm/nasm-pp.c b/modules/preprocs/nasm/nasm-pp.c +index 512f02c3..f9f92dd1 100644 +--- a/modules/preprocs/nasm/nasm-pp.c ++++ b/modules/preprocs/nasm/nasm-pp.c +@@ -1815,7 +1815,7 @@ inc_fopen(char *file, char **newname) + error(ERR_WARNING, "environment variable `%s' does not exist", + p1+1); + *p2 = '%'; +- p1 = p2+1; ++ pb = p1 = p2+1; + continue; + } + /* need to expand */ diff --git a/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-oe/recipes-devtools/yasm/yasm_git.bb index 4fb1aa3552..9bd81c1dfd 100644 --- a/meta-oe/recipes-devtools/yasm/yasm_git.bb +++ b/meta-oe/recipes-devtools/yasm/yasm_git.bb @@ -15,6 +15,7 @@ SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https \ file://0002-yasm-Use-BUILD_DATE-for-reproducibility.patch \ file://0001-bitvect-fix-build-with-gcc-15.patch \ file://CVE-2023-29579.patch \ + file://CVE-2021-33464.patch \ "
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#121740): https://lists.openembedded.org/g/openembedded-devel/message/121740 Mute This Topic: https://lists.openembedded.org/mt/116311375/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
