wxwidgets: fix CVE-2024-58249

CVE-2024-58249: In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-58249] Upstream patches: [https://github.com/wxWidgets/wxWidgets/commit/f2918a9ac823074901ce27de939baa57788beb3d] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Zhang Peng <peng.zhang1.cn@windriver.com> 2025-07-24 17:23:42 +0800
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-09-06 16:15:45 +0200
commit: d3d3df49d5f6e8747c0b04100c4f708b4cafbbd4 (patch)
tree: 057bdb5349135e6dffb00ab82f57ed452eb15146
parent: d35cbff11e73778dbd186e1a7c84b81aa9819ae4 (diff)
download: meta-openembedded-d3d3df49d5f6e8747c0b04100c4f708b4cafbbd4.tar.gz
2 files changed, 179 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch
new file mode 100644
index 0000000000..8ba9cc1b04
--- /dev/null
+++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch
@@ -0,0 +1,178 @@
+From e440b3a6097546a8aca66bd4c7a21be25e89d340 Mon Sep 17 00:00:00 2001
+From: Vadim Zeitlin <vadim@wxwidgets.org>
+Date: Sun, 27 Oct 2024 00:56:21 +0200
+Subject: [PATCH] Fix crash when connection is refused in wxWebRequestCURL
+Avoid deleting wxEventLoopSourceHandler which may be still in use, as is
+the case when we get write IO notification just before an error one: if
+we delete the handler while handling the former, we crash when getting
+the latter one.
+Use a hack to avoid deleting the handlers for which write notification
+is being processed and delete them later, when we get the error one.
+See #24885.
+(cherry picked from commit 4e0fca8ab9756989598d07b41e672af86eac7092)
+CVE: CVE-2024-58249
+Upstream-Status: Backport [https://github.com/wxWidgets/wxWidgets/commit/f2918a9ac823074901ce27de939baa57788beb3d]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/common/webrequest_curl.cpp | 80 +++++++++++++++++++++++++---------
+ 1 file changed, 60 insertions(+), 20 deletions(-)
+diff --git a/src/common/webrequest_curl.cpp b/src/common/webrequest_curl.cpp
+index f50acf4f8d..64650ab6b4 100644
+--- a/src/common/webrequest_curl.cpp
+++ b/src/common/webrequest_curl.cpp
+@@ -704,10 +704,13 @@ SocketPollerImpl* SocketPollerImpl::Create(wxEvtHandler* hndlr)
+ 
+ // SocketPollerSourceHandler - a source handler used by the SocketPoller class.
+ 
+class SourceSocketPoller;
+
+ class SocketPollerSourceHandler: public wxEventLoopSourceHandler
+ {
+ public:
+-    SocketPollerSourceHandler(curl_socket_t, wxEvtHandler*);
+    SocketPollerSourceHandler(curl_socket_t sock, SourceSocketPoller* poller)
+        : m_socket(sock), m_poller(poller) {}
+ 
+     void OnReadWaiting() wxOVERRIDE;
+     void OnWriteWaiting() wxOVERRIDE;
+@@ -716,16 +719,9 @@ public:
+ private:
+     void SendEvent(int);
+     curl_socket_t m_socket;
+-    wxEvtHandler* m_handler;
+    SourceSocketPoller* const m_poller;
+ };
+ 
+-SocketPollerSourceHandler::SocketPollerSourceHandler(curl_socket_t sock,
+-                                                     wxEvtHandler* hndlr)
+-{
+-    m_socket = sock;
+-    m_handler = hndlr;
+-}
+-
+ void SocketPollerSourceHandler::OnReadWaiting()
+ {
+     SendEvent(SocketPoller::READY_FOR_READ);
+@@ -741,14 +737,6 @@ void SocketPollerSourceHandler::OnExceptionWaiting()
+     SendEvent(SocketPoller::HAS_ERROR);
+ }
+ 
+-void SocketPollerSourceHandler::SendEvent(int result)
+-{
+-    wxThreadEvent event(wxEVT_SOCKET_POLLER_RESULT);
+-    event.SetPayload<curl_socket_t>(m_socket);
+-    event.SetInt(result);
+-    m_handler->ProcessEvent(event);
+-}
+-
+ // SourceSocketPoller - a SocketPollerImpl based on event loop sources.
+ 
+ class SourceSocketPoller: public SocketPollerImpl
+@@ -760,6 +748,8 @@ public:
+     void StopPolling(curl_socket_t) wxOVERRIDE;
+     void ResumePolling(curl_socket_t) wxOVERRIDE;
+ 
+    void SendEvent(curl_socket_t sock, int result);
+
+ private:
+     WX_DECLARE_HASH_MAP(curl_socket_t, wxEventLoopSource*, wxIntegerHash,\
+                         wxIntegerEqual, SocketDataMap);
+@@ -768,11 +758,25 @@ private:
+ 
+     SocketDataMap m_socketData;
+     wxEvtHandler* m_handler;
+
+    // The socket for which we're currently processing a write IO notification.
+    curl_socket_t m_activeWriteSocket;
+
+    // The sockets that we couldn't clean up yet but should do if/when we get
+    // an error notification for them.
+    wxVector<curl_socket_t> m_socketsToCleanUp;
+ };
+ 
+// This function must be implemented after full SourceSocketPoller declaration.
+void SocketPollerSourceHandler::SendEvent(int result)
+{
+    m_poller->SendEvent(m_socket, result);
+}
+
+ SourceSocketPoller::SourceSocketPoller(wxEvtHandler* hndlr)
+ {
+     m_handler = hndlr;
+    m_activeWriteSocket = 0;
+ }
+ 
+ SourceSocketPoller::~SourceSocketPoller()
+@@ -822,9 +826,7 @@ bool SourceSocketPoller::StartPolling(curl_socket_t sock, int pollAction)
+     }
+     else
+     {
+-        // Otherwise create a new source handler.
+-        srcHandler =
+-            new SocketPollerSourceHandler(sock, m_handler);
+        srcHandler = new SocketPollerSourceHandler(sock, this);
+     }
+ 
+     // Get a new source object for these polling checks.
+@@ -858,6 +860,15 @@ bool SourceSocketPoller::StartPolling(curl_socket_t sock, int pollAction)
+ 
+ void SourceSocketPoller::StopPolling(curl_socket_t sock)
+ {
+    if ( sock == m_activeWriteSocket )
+    {
+        // We can't clean up the socket while we're inside OnWriteWaiting() for
+        // it because it could be followed by OnExceptionWaiting() and we'd
+        // crash if we deleted it already.
+        m_socketsToCleanUp.push_back(sock);
+        return;
+    }
+
+     SocketDataMap::iterator it = m_socketData.find(sock);
+ 
+     if ( it != m_socketData.end() )
+@@ -871,6 +882,35 @@ void SourceSocketPoller::ResumePolling(curl_socket_t WXUNUSED(sock))
+ {
+ }
+ 
+void SourceSocketPoller::SendEvent(curl_socket_t sock, int result)
+{
+    if ( result == SocketPoller::READY_FOR_WRITE )
+    {
+        // Prevent the handler from this socket from being deleted in case we
+        // get a HAS_ERROR event for it immediately after this one.
+        m_activeWriteSocket = sock;
+    }
+
+    wxThreadEvent event(wxEVT_SOCKET_POLLER_RESULT);
+    event.SetPayload<curl_socket_t>(sock);
+    event.SetInt(result);
+    m_handler->ProcessEvent(event);
+
+    m_activeWriteSocket = 0;
+
+    if ( result == SocketPoller::HAS_ERROR )
+    {
+        // Check if we have any sockets to clean up and do it now, it should be
+        // safe.
+        for ( size_t n = 0; n < m_socketsToCleanUp.size(); ++n )
+        {
+            StopPolling(m_socketsToCleanUp[n]);
+        }
+
+        m_socketsToCleanUp.clear();
+    }
+}
+
+ void SourceSocketPoller::CleanUpSocketSource(wxEventLoopSource* source)
+ {
+     wxEventLoopSourceHandler* srcHandler = source->GetHandler();
+-- 
+2.50.0
diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb b/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb
index 71e2a60e0c..1cf44bbfa3 100644
--- a/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb
+++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb
@@ -26,6 +26,7 @@ SRC_URI = "gitsm://github.com/wxWidgets/wxWidgets.git;branch=3.2;protocol=https
           file://0005-wx-config-fix-libdir-for-multilib.patch \
           file://0006-Fix-locale-on-musl.patch \
           file://0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch \
+           file://CVE-2024-58249.patch \
           "
 SRCREV = "5ff25322553c1870cf20a2e1ba6f20ed50d9fe9a"
 S = "${WORKDIR}/git"
author	Zhang Peng <peng.zhang1.cn@windriver.com>	2025-07-24 17:23:42 +0800
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-09-06 16:15:45 +0200
commit	d3d3df49d5f6e8747c0b04100c4f708b4cafbbd4 (patch)
tree	057bdb5349135e6dffb00ab82f57ed452eb15146
parent	d35cbff11e73778dbd186e1a7c84b81aa9819ae4 (diff)
download	meta-openembedded-d3d3df49d5f6e8747c0b04100c4f708b4cafbbd4.tar.gz

diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch new file mode 100644 index 0000000000..8ba9cc1b04 --- /dev/null +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch
@@ -0,0 +1,178 @@
		1	From e440b3a6097546a8aca66bd4c7a21be25e89d340 Mon Sep 17 00:00:00 2001
		2	From: Vadim Zeitlin <vadim@wxwidgets.org>
		3	Date: Sun, 27 Oct 2024 00:56:21 +0200
		4	Subject: [PATCH] Fix crash when connection is refused in wxWebRequestCURL
		5
		6	Avoid deleting wxEventLoopSourceHandler which may be still in use, as is
		7	the case when we get write IO notification just before an error one: if
		8	we delete the handler while handling the former, we crash when getting
		9	the latter one.
		10
		11	Use a hack to avoid deleting the handlers for which write notification
		12	is being processed and delete them later, when we get the error one.
		13
		14	See #24885.
		15
		16	(cherry picked from commit 4e0fca8ab9756989598d07b41e672af86eac7092)
		17
		18	CVE: CVE-2024-58249
		19	Upstream-Status: Backport [https://github.com/wxWidgets/wxWidgets/commit/f2918a9ac823074901ce27de939baa57788beb3d]
		20
		21	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		22	---
		23	src/common/webrequest_curl.cpp \| 80 +++++++++++++++++++++++++---------
		24	1 file changed, 60 insertions(+), 20 deletions(-)
		25
		26	diff --git a/src/common/webrequest_curl.cpp b/src/common/webrequest_curl.cpp
		27	index f50acf4f8d..64650ab6b4 100644
		28	--- a/src/common/webrequest_curl.cpp
		29	+++ b/src/common/webrequest_curl.cpp
		30	@@ -704,10 +704,13 @@ SocketPollerImpl* SocketPollerImpl::Create(wxEvtHandler* hndlr)
		31
		32	// SocketPollerSourceHandler - a source handler used by the SocketPoller class.
		33
		34	+class SourceSocketPoller;
		35	+
		36	class SocketPollerSourceHandler: public wxEventLoopSourceHandler
		37	{
		38	public:
		39	- SocketPollerSourceHandler(curl_socket_t, wxEvtHandler*);
		40	+ SocketPollerSourceHandler(curl_socket_t sock, SourceSocketPoller* poller)
		41	+ : m_socket(sock), m_poller(poller) {}
		42
		43	void OnReadWaiting() wxOVERRIDE;
		44	void OnWriteWaiting() wxOVERRIDE;
		45	@@ -716,16 +719,9 @@ public:
		46	private:
		47	void SendEvent(int);
		48	curl_socket_t m_socket;
		49	- wxEvtHandler* m_handler;
		50	+ SourceSocketPoller* const m_poller;
		51	};
		52
		53	-SocketPollerSourceHandler::SocketPollerSourceHandler(curl_socket_t sock,
		54	- wxEvtHandler* hndlr)
		55	-{
		56	- m_socket = sock;
		57	- m_handler = hndlr;
		58	-}
		59	-
		60	void SocketPollerSourceHandler::OnReadWaiting()
		61	{
		62	SendEvent(SocketPoller::READY_FOR_READ);
		63	@@ -741,14 +737,6 @@ void SocketPollerSourceHandler::OnExceptionWaiting()
		64	SendEvent(SocketPoller::HAS_ERROR);
		65	}
		66
		67	-void SocketPollerSourceHandler::SendEvent(int result)
		68	-{
		69	- wxThreadEvent event(wxEVT_SOCKET_POLLER_RESULT);
		70	- event.SetPayload<curl_socket_t>(m_socket);
		71	- event.SetInt(result);
		72	- m_handler->ProcessEvent(event);
		73	-}
		74	-
		75	// SourceSocketPoller - a SocketPollerImpl based on event loop sources.
		76
		77	class SourceSocketPoller: public SocketPollerImpl
		78	@@ -760,6 +748,8 @@ public:
		79	void StopPolling(curl_socket_t) wxOVERRIDE;
		80	void ResumePolling(curl_socket_t) wxOVERRIDE;
		81
		82	+ void SendEvent(curl_socket_t sock, int result);
		83	+
		84	private:
		85	WX_DECLARE_HASH_MAP(curl_socket_t, wxEventLoopSource*, wxIntegerHash,\
		86	wxIntegerEqual, SocketDataMap);
		87	@@ -768,11 +758,25 @@ private:
		88
		89	SocketDataMap m_socketData;
		90	wxEvtHandler* m_handler;
		91	+
		92	+ // The socket for which we're currently processing a write IO notification.
		93	+ curl_socket_t m_activeWriteSocket;
		94	+
		95	+ // The sockets that we couldn't clean up yet but should do if/when we get
		96	+ // an error notification for them.
		97	+ wxVector<curl_socket_t> m_socketsToCleanUp;
		98	};
		99
		100	+// This function must be implemented after full SourceSocketPoller declaration.
		101	+void SocketPollerSourceHandler::SendEvent(int result)
		102	+{
		103	+ m_poller->SendEvent(m_socket, result);
		104	+}
		105	+
		106	SourceSocketPoller::SourceSocketPoller(wxEvtHandler* hndlr)
		107	{
		108	m_handler = hndlr;
		109	+ m_activeWriteSocket = 0;
		110	}
		111
		112	SourceSocketPoller::~SourceSocketPoller()
		113	@@ -822,9 +826,7 @@ bool SourceSocketPoller::StartPolling(curl_socket_t sock, int pollAction)
		114	}
		115	else
		116	{
		117	- // Otherwise create a new source handler.
		118	- srcHandler =
		119	- new SocketPollerSourceHandler(sock, m_handler);
		120	+ srcHandler = new SocketPollerSourceHandler(sock, this);
		121	}
		122
		123	// Get a new source object for these polling checks.
		124	@@ -858,6 +860,15 @@ bool SourceSocketPoller::StartPolling(curl_socket_t sock, int pollAction)
		125
		126	void SourceSocketPoller::StopPolling(curl_socket_t sock)
		127	{
		128	+ if ( sock == m_activeWriteSocket )
		129	+ {
		130	+ // We can't clean up the socket while we're inside OnWriteWaiting() for
		131	+ // it because it could be followed by OnExceptionWaiting() and we'd
		132	+ // crash if we deleted it already.
		133	+ m_socketsToCleanUp.push_back(sock);
		134	+ return;
		135	+ }
		136	+
		137	SocketDataMap::iterator it = m_socketData.find(sock);
		138
		139	if ( it != m_socketData.end() )
		140	@@ -871,6 +882,35 @@ void SourceSocketPoller::ResumePolling(curl_socket_t WXUNUSED(sock))
		141	{
		142	}
		143
		144	+void SourceSocketPoller::SendEvent(curl_socket_t sock, int result)
		145	+{
		146	+ if ( result == SocketPoller::READY_FOR_WRITE )
		147	+ {
		148	+ // Prevent the handler from this socket from being deleted in case we
		149	+ // get a HAS_ERROR event for it immediately after this one.
		150	+ m_activeWriteSocket = sock;
		151	+ }
		152	+
		153	+ wxThreadEvent event(wxEVT_SOCKET_POLLER_RESULT);
		154	+ event.SetPayload<curl_socket_t>(sock);
		155	+ event.SetInt(result);
		156	+ m_handler->ProcessEvent(event);
		157	+
		158	+ m_activeWriteSocket = 0;
		159	+
		160	+ if ( result == SocketPoller::HAS_ERROR )
		161	+ {
		162	+ // Check if we have any sockets to clean up and do it now, it should be
		163	+ // safe.
		164	+ for ( size_t n = 0; n < m_socketsToCleanUp.size(); ++n )
		165	+ {
		166	+ StopPolling(m_socketsToCleanUp[n]);
		167	+ }
		168	+
		169	+ m_socketsToCleanUp.clear();
		170	+ }
		171	+}
		172	+
		173	void SourceSocketPoller::CleanUpSocketSource(wxEventLoopSource* source)
		174	{
		175	wxEventLoopSourceHandler* srcHandler = source->GetHandler();
		176	--
		177	2.50.0
		178


diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb b/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb index 71e2a60e0c..1cf44bbfa3 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb
@@ -26,6 +26,7 @@ SRC_URI = "gitsm://github.com/wxWidgets/wxWidgets.git;branch=3.2;protocol=https
26	file://0005-wx-config-fix-libdir-for-multilib.patch \	26	file://0005-wx-config-fix-libdir-for-multilib.patch \
27	file://0006-Fix-locale-on-musl.patch \	27	file://0006-Fix-locale-on-musl.patch \
28	file://0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch \	28	file://0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch \
		29	file://CVE-2024-58249.patch \
29	"	30	"
30	SRCREV = "5ff25322553c1870cf20a2e1ba6f20ed50d9fe9a"	31	SRCREV = "5ff25322553c1870cf20a2e1ba6f20ed50d9fe9a"
31	S = "${WORKDIR}/git"	32	S = "${WORKDIR}/git"