coreutils: fix CVE-2025-5278

Backport patch to fix CVE-2025-5278. (From OE-Core rev: 239cadfd4642e7f7ad4c76df2eb70f16021c3164) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Chen Qi <Qi.Chen@windriver.com> 2025-07-28 14:10:32 +0800
committer: Steve Sakoman <steve@sakoman.com> 2025-08-04 09:12:23 -0700
commit: 762f845d3d1423e7a865c4d2eacb67fd1dc59bf0 (patch)
tree: 47f58fe91cd4de2867e9c612bcb601e5108dc79a
parent: b9ef51c44e64c0e56d9edd258e9b8642937cf35d (diff)
download: poky-762f845d3d1423e7a865c4d2eacb67fd1dc59bf0.tar.gz
2 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
new file mode 100644
index 0000000000..41be1635b5
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
@@ -0,0 +1,112 @@
+From 8763c305c29d0abb7e2be4695212b42917d054b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
+Date: Tue, 20 May 2025 16:03:44 +0100
+Subject: [PATCH] sort: fix buffer under-read (CWE-127)
+* src/sort.c (begfield): Check pointer adjustment
+to avoid Out-of-range pointer offset (CWE-823).
+(limfield): Likewise.
+* tests/sort/sort-field-limit.sh: Add a new test,
+which triggers with ASAN or Valgrind.
+* tests/local.mk: Reference the new test.
+* NEWS: Mention bug fix introduced in v7.2 (2009).
+Fixes https://bugs.gnu.org/78507
+CVE: CVE-2025-5278
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633]
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/sort.c                     | 12 ++++++++++--
+ tests/local.mk                 |  1 +
+ tests/sort/sort-field-limit.sh | 35 ++++++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 2 deletions(-)
+ create mode 100755 tests/sort/sort-field-limit.sh
+diff --git a/src/sort.c b/src/sort.c
+index b10183b6f..7af1a2512 100644
+--- a/src/sort.c
+++ b/src/sort.c
+@@ -1644,7 +1644,11 @@ begfield (struct line const *line, struct keyfield const *key)
+       ++ptr;
+ 
+   /* Advance PTR by SCHAR (if possible), but no further than LIM.  */
+-  ptr = MIN (lim, ptr + schar);
+  size_t remaining_bytes = lim - ptr;
+  if (schar < remaining_bytes)
+    ptr += schar;
+  else
+    ptr = lim;
+ 
+   return ptr;
+ }
+@@ -1746,7 +1750,11 @@ limfield (struct line const *line, struct keyfield const *key)
+           ++ptr;
+ 
+       /* Advance PTR by ECHAR (if possible), but no further than LIM.  */
+-      ptr = MIN (lim, ptr + echar);
+      size_t remaining_bytes = lim - ptr;
+      if (echar < remaining_bytes)
+        ptr += echar;
+      else
+        ptr = lim;
+     }
+ 
+   return ptr;
+diff --git a/tests/local.mk b/tests/local.mk
+index 4da6756ac..642d225fa 100644
+--- a/tests/local.mk
+++ b/tests/local.mk
+@@ -388,6 +388,7 @@ all_tests =                                 \
+   tests/sort/sort-debug-keys.sh                        \
+   tests/sort/sort-debug-warn.sh                        \
+   tests/sort/sort-discrim.sh                   \
+  tests/sort/sort-field-limit.sh               \
+   tests/sort/sort-files0-from.pl               \
+   tests/sort/sort-float.sh                     \
+   tests/sort/sort-h-thousands-sep.sh           \
+diff --git a/tests/sort/sort-field-limit.sh b/tests/sort/sort-field-limit.sh
+new file mode 100755
+index 000000000..52d8e1d17
+--- /dev/null
+++ b/tests/sort/sort-field-limit.sh
+@@ -0,0 +1,35 @@
+#!/bin/sh
+# From 7.2-9.7, this would trigger an out of bounds mem read
+
+# Copyright (C) 2025 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
+print_ver_ sort
+getlimits_
+
+# This issue triggers with valgrind or ASAN
+valgrind --error-exitcode=1 sort --version 2>/dev/null &&
+  VALGRIND='valgrind --error-exitcode=1'
+
+{ printf '%s\n' aa bb; } > in || framework_failure_
+
+_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1
+compare in out || fail=1
+
+_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1
+compare in out || fail=1
+
+Exit $fail
+-- 
+2.34.1
diff --git a/meta/recipes-core/coreutils/coreutils_9.6.bb b/meta/recipes-core/coreutils/coreutils_9.6.bb
index b876a8fdd0..34c6246ed3 100644
--- a/meta/recipes-core/coreutils/coreutils_9.6.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.6.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
           file://intermittent-testfailure.patch \
           file://0001-ls-fix-crash-with-context.patch \
           file://0001-cksum-port-to-32-bit-uint_fast32_t.patch \
+           file://CVE-2025-5278.patch \
           file://run-ptest \
           "
 SRC_URI[sha256sum] = "7a0124327b398fd9eb1a6abde583389821422c744ffa10734b24f557610d3283"
author	Chen Qi <Qi.Chen@windriver.com>	2025-07-28 14:10:32 +0800
committer	Steve Sakoman <steve@sakoman.com>	2025-08-04 09:12:23 -0700
commit	762f845d3d1423e7a865c4d2eacb67fd1dc59bf0 (patch)
tree	47f58fe91cd4de2867e9c612bcb601e5108dc79a
parent	b9ef51c44e64c0e56d9edd258e9b8642937cf35d (diff)
download	poky-762f845d3d1423e7a865c4d2eacb67fd1dc59bf0.tar.gz

diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch new file mode 100644 index 0000000000..41be1635b5 --- /dev/null +++ b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
@@ -0,0 +1,112 @@
		1	From 8763c305c29d0abb7e2be4695212b42917d054b2 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
		3	Date: Tue, 20 May 2025 16:03:44 +0100
		4	Subject: [PATCH] sort: fix buffer under-read (CWE-127)
		5
		6	* src/sort.c (begfield): Check pointer adjustment
		7	to avoid Out-of-range pointer offset (CWE-823).
		8	(limfield): Likewise.
		9	* tests/sort/sort-field-limit.sh: Add a new test,
		10	which triggers with ASAN or Valgrind.
		11	* tests/local.mk: Reference the new test.
		12	* NEWS: Mention bug fix introduced in v7.2 (2009).
		13	Fixes https://bugs.gnu.org/78507
		14
		15	CVE: CVE-2025-5278
		16
		17	Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633]
		18
		19	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		20	---
		21	src/sort.c \| 12 ++++++++++--
		22	tests/local.mk \| 1 +
		23	tests/sort/sort-field-limit.sh \| 35 ++++++++++++++++++++++++++++++++++
		24	3 files changed, 46 insertions(+), 2 deletions(-)
		25	create mode 100755 tests/sort/sort-field-limit.sh
		26
		27	diff --git a/src/sort.c b/src/sort.c
		28	index b10183b6f..7af1a2512 100644
		29	--- a/src/sort.c
		30	+++ b/src/sort.c
		31	@@ -1644,7 +1644,11 @@ begfield (struct line const line, struct keyfield const key)
		32	++ptr;
		33
		34	/* Advance PTR by SCHAR (if possible), but no further than LIM. */
		35	- ptr = MIN (lim, ptr + schar);
		36	+ size_t remaining_bytes = lim - ptr;
		37	+ if (schar < remaining_bytes)
		38	+ ptr += schar;
		39	+ else
		40	+ ptr = lim;
		41
		42	return ptr;
		43	}
		44	@@ -1746,7 +1750,11 @@ limfield (struct line const line, struct keyfield const key)
		45	++ptr;
		46
		47	/* Advance PTR by ECHAR (if possible), but no further than LIM. */
		48	- ptr = MIN (lim, ptr + echar);
		49	+ size_t remaining_bytes = lim - ptr;
		50	+ if (echar < remaining_bytes)
		51	+ ptr += echar;
		52	+ else
		53	+ ptr = lim;
		54	}
		55
		56	return ptr;
		57	diff --git a/tests/local.mk b/tests/local.mk
		58	index 4da6756ac..642d225fa 100644
		59	--- a/tests/local.mk
		60	+++ b/tests/local.mk
		61	@@ -388,6 +388,7 @@ all_tests = \
		62	tests/sort/sort-debug-keys.sh \
		63	tests/sort/sort-debug-warn.sh \
		64	tests/sort/sort-discrim.sh \
		65	+ tests/sort/sort-field-limit.sh \
		66	tests/sort/sort-files0-from.pl \
		67	tests/sort/sort-float.sh \
		68	tests/sort/sort-h-thousands-sep.sh \
		69	diff --git a/tests/sort/sort-field-limit.sh b/tests/sort/sort-field-limit.sh
		70	new file mode 100755
		71	index 000000000..52d8e1d17
		72	--- /dev/null
		73	+++ b/tests/sort/sort-field-limit.sh
		74	@@ -0,0 +1,35 @@
		75	+#!/bin/sh
		76	+# From 7.2-9.7, this would trigger an out of bounds mem read
		77	+
		78	+# Copyright (C) 2025 Free Software Foundation, Inc.
		79	+
		80	+# This program is free software: you can redistribute it and/or modify
		81	+# it under the terms of the GNU General Public License as published by
		82	+# the Free Software Foundation, either version 3 of the License, or
		83	+# (at your option) any later version.
		84	+
		85	+# This program is distributed in the hope that it will be useful,
		86	+# but WITHOUT ANY WARRANTY; without even the implied warranty of
		87	+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		88	+# GNU General Public License for more details.
		89	+
		90	+# You should have received a copy of the GNU General Public License
		91	+# along with this program. If not, see <https://www.gnu.org/licenses/>.
		92	+
		93	+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
		94	+print_ver_ sort
		95	+getlimits_
		96	+
		97	+# This issue triggers with valgrind or ASAN
		98	+valgrind --error-exitcode=1 sort --version 2>/dev/null &&
		99	+ VALGRIND='valgrind --error-exitcode=1'
		100	+
		101	+{ printf '%s\n' aa bb; } > in \|\| framework_failure_
		102	+
		103	+_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out \|\| fail=1
		104	+compare in out \|\| fail=1
		105	+
		106	+_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out \|\| fail=1
		107	+compare in out \|\| fail=1
		108	+
		109	+Exit $fail
		110	--
		111	2.34.1
		112


diff --git a/meta/recipes-core/coreutils/coreutils_9.6.bb b/meta/recipes-core/coreutils/coreutils_9.6.bb index b876a8fdd0..34c6246ed3 100644 --- a/meta/recipes-core/coreutils/coreutils_9.6.bb +++ b/meta/recipes-core/coreutils/coreutils_9.6.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
19	file://intermittent-testfailure.patch \	19	file://intermittent-testfailure.patch \
20	file://0001-ls-fix-crash-with-context.patch \	20	file://0001-ls-fix-crash-with-context.patch \
21	file://0001-cksum-port-to-32-bit-uint_fast32_t.patch \	21	file://0001-cksum-port-to-32-bit-uint_fast32_t.patch \
		22	file://CVE-2025-5278.patch \
22	file://run-ptest \	23	file://run-ptest \
23	"	24	"
24	SRC_URI[sha256sum] = "7a0124327b398fd9eb1a6abde583389821422c744ffa10734b24f557610d3283"	25	SRC_URI[sha256sum] = "7a0124327b398fd9eb1a6abde583389821422c744ffa10734b24f557610d3283"