icu: fix CVE-2025-5222

CVE-2025-5222: A stack buffer overflow was found in Internationl components for unicode (ICU ). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution. Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-5222 https://unicode-org.atlassian.net/browse/ICU-22957 https://github.com/unicode-org/icu/commit/2c667e31cfd0b6bb1923627a932fd3453a5bac77 (From OE-Core rev: 674a3780bb76f4c8adf92d4f91cc9146d32787aa) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Changqing Li <changqing.li@windriver.com> 2025-07-07 17:12:00 +0800
committer: Steve Sakoman <steve@sakoman.com> 2025-07-17 13:57:58 -0700
commit: 9613e1167e2d06e65f21f6e59719d4008904cb21 (patch)
tree: 66c0a18f7e83909bf0eb1bb8bb2d48cf9bd2fa14
parent: 41038342a471b4a8884548568ad147a1704253a3 (diff)
download: poky-9613e1167e2d06e65f21f6e59719d4008904cb21.tar.gz
2 files changed, 167 insertions, 0 deletions
diff --git a/meta/recipes-support/icu/icu/CVE-2025-5222.patch b/meta/recipes-support/icu/icu/CVE-2025-5222.patch
new file mode 100644
index 0000000000..276d9e4f90
--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2025-5222.patch
@@ -0,0 +1,166 @@
+From b5fd1ccf1068140ca9333878f2172a0947986ca8 Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Wed, 22 Jan 2025 11:50:59 -0800
+Subject: [PATCH] ICU-22973 Fix buffer overflow by using CharString
+CVE: CVE-2025-5222
+Upstream-Status: Backport [https://github.com/unicode-org/icu/commit/2c667e31cfd0b6bb1923627a932fd3453a5bac77]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ tools/genrb/parse.cpp | 49 +++++++++++++++++++++---------------
+ 1 file changed, 29 insertions(+), 20 deletions(-)
+diff --git a/tools/genrb/parse.cpp b/tools/genrb/parse.cpp
+index f487241..eb85d51 100644
+--- a/tools/genrb/parse.cpp
+++ b/tools/genrb/parse.cpp
+@@ -1153,7 +1153,7 @@ addCollation(ParseState* state, TableResource  *result, const char *collationTyp
+     struct UString    *tokenValue;
+     struct UString     comment;
+     enum   ETokenType  token;
+-    char               subtag[1024];
+    CharString         subtag;
+     UnicodeString      rules;
+     UBool              haveRules = false;
+     UVersionInfo       version;
+@@ -1189,15 +1189,15 @@ addCollation(ParseState* state, TableResource  *result, const char *collationTyp
+             return nullptr;
+         }
+ 
+-        u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
+-
+        subtag.clear();
+        subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
+         if (U_FAILURE(*status))
+         {
+             res_close(result);
+             return nullptr;
+         }
+ 
+-        member = parseResource(state, subtag, nullptr, status);
+        member = parseResource(state, subtag.data(), nullptr, status);
+ 
+         if (U_FAILURE(*status))
+         {
+@@ -1208,7 +1208,7 @@ addCollation(ParseState* state, TableResource  *result, const char *collationTyp
+         {
+             // Ignore the parsed resources, continue parsing.
+         }
+-        else if (uprv_strcmp(subtag, "Version") == 0 && member->isString())
+        else if (uprv_strcmp(subtag.data(), "Version") == 0 && member->isString())
+         {
+             StringResource *sr = static_cast<StringResource *>(member);
+             char     ver[40];
+@@ -1225,11 +1225,11 @@ addCollation(ParseState* state, TableResource  *result, const char *collationTyp
+             result->add(member, line, *status);
+             member = nullptr;
+         }
+-        else if(uprv_strcmp(subtag, "%%CollationBin")==0)
+        else if(uprv_strcmp(subtag.data(), "%%CollationBin")==0)
+         {
+             /* discard duplicate %%CollationBin if any*/
+         }
+-        else if (uprv_strcmp(subtag, "Sequence") == 0 && member->isString())
+        else if (uprv_strcmp(subtag.data(), "Sequence") == 0 && member->isString())
+         {
+             StringResource *sr = static_cast<StringResource *>(member);
+             rules = sr->fString;
+@@ -1395,7 +1395,7 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
+     struct UString    *tokenValue;
+     struct UString     comment;
+     enum   ETokenType  token;
+-    char               subtag[1024], typeKeyword[1024];
+    CharString         subtag, typeKeyword;
+     uint32_t           line;
+ 
+     result = table_open(state->bundle, tag, nullptr, status);
+@@ -1437,7 +1437,8 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
+                 return nullptr;
+             }
+ 
+-            u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
+            subtag.clear();
+            subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
+ 
+             if (U_FAILURE(*status))
+             {
+@@ -1445,9 +1446,9 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
+                 return nullptr;
+             }
+ 
+-            if (uprv_strcmp(subtag, "default") == 0)
+            if (uprv_strcmp(subtag.data(), "default") == 0)
+             {
+-                member = parseResource(state, subtag, nullptr, status);
+                member = parseResource(state, subtag.data(), nullptr, status);
+ 
+                 if (U_FAILURE(*status))
+                 {
+@@ -1466,22 +1467,29 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
+                 if(token == TOK_OPEN_BRACE) {
+                     token = getToken(state, &tokenValue, &comment, &line, status);
+                     TableResource *collationRes;
+-                    if (keepCollationType(subtag)) {
+-                        collationRes = table_open(state->bundle, subtag, nullptr, status);
+                    if (keepCollationType(subtag.data())) {
+                        collationRes = table_open(state->bundle, subtag.data(), nullptr, status);
+                     } else {
+                         collationRes = nullptr;
+                     }
+                     // need to parse the collation data regardless
+-                    collationRes = addCollation(state, collationRes, subtag, startline, status);
+                    collationRes = addCollation(state, collationRes, subtag.data(), startline, status);
+                     if (collationRes != nullptr) {
+                         result->add(collationRes, startline, *status);
+                     }
+                 } else if(token == TOK_COLON) { /* right now, we'll just try to see if we have aliases */
+                     /* we could have a table too */
+                     token = peekToken(state, 1, &tokenValue, &line, &comment, status);
+-                    u_UCharsToChars(tokenValue->fChars, typeKeyword, u_strlen(tokenValue->fChars) + 1);
+-                    if(uprv_strcmp(typeKeyword, "alias") == 0) {
+-                        member = parseResource(state, subtag, nullptr, status);
+                    typeKeyword.clear();
+                    typeKeyword.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
+                    if (U_FAILURE(*status))
+                    {
+                        res_close(result);
+                        return nullptr;
+                    }
+
+                    if(uprv_strcmp(typeKeyword.data(), "alias") == 0) {
+                        member = parseResource(state, subtag.data(), nullptr, status);
+                         if (U_FAILURE(*status))
+                         {
+                             res_close(result);
+@@ -1523,7 +1531,7 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star
+     struct UString    *tokenValue=nullptr;
+     struct UString    comment;
+     enum   ETokenType token;
+-    char              subtag[1024];
+    CharString        subtag;
+     uint32_t          line;
+     UBool             readToken = false;
+ 
+@@ -1562,7 +1570,8 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star
+         }
+ 
+         if(uprv_isInvariantUString(tokenValue->fChars, -1)) {
+-            u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
+            subtag.clear();
+            subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
+         } else {
+             *status = U_INVALID_FORMAT_ERROR;
+             error(line, "invariant characters required for table keys");
+@@ -1575,7 +1584,7 @@ realParseTable(ParseState* state, TableResource *table, char *tag, uint32_t star
+             return nullptr;
+         }
+ 
+-        member = parseResource(state, subtag, &comment, status);
+        member = parseResource(state, subtag.data(), &comment, status);
+ 
+         if (member == nullptr || U_FAILURE(*status))
+         {
+-- 
+2.34.1
diff --git a/meta/recipes-support/icu/icu_76-1.bb b/meta/recipes-support/icu/icu_76-1.bb
index f11e72d356..24470ec330 100644
--- a/meta/recipes-support/icu/icu_76-1.bb
+++ b/meta/recipes-support/icu/icu_76-1.bb
@@ -119,6 +119,7 @@ SRC_URI = "${BASE_SRC_URI};name=code \
           ${DATA_SRC_URI};name=data \
           file://filter.json \
           file://0001-icu-Added-armeb-support.patch \
+           file://CVE-2025-5222.patch \
           "
 SRC_URI:append:class-target = "\
author	Changqing Li <changqing.li@windriver.com>	2025-07-07 17:12:00 +0800
committer	Steve Sakoman <steve@sakoman.com>	2025-07-17 13:57:58 -0700
commit	9613e1167e2d06e65f21f6e59719d4008904cb21 (patch)
tree	66c0a18f7e83909bf0eb1bb8bb2d48cf9bd2fa14
parent	41038342a471b4a8884548568ad147a1704253a3 (diff)
download	poky-9613e1167e2d06e65f21f6e59719d4008904cb21.tar.gz

diff --git a/meta/recipes-support/icu/icu/CVE-2025-5222.patch b/meta/recipes-support/icu/icu/CVE-2025-5222.patch new file mode 100644 index 0000000000..276d9e4f90 --- /dev/null +++ b/meta/recipes-support/icu/icu/CVE-2025-5222.patch
@@ -0,0 +1,166 @@
		1	From b5fd1ccf1068140ca9333878f2172a0947986ca8 Mon Sep 17 00:00:00 2001
		2	From: Frank Tang <ftang@chromium.org>
		3	Date: Wed, 22 Jan 2025 11:50:59 -0800
		4	Subject: [PATCH] ICU-22973 Fix buffer overflow by using CharString
		5
		6	CVE: CVE-2025-5222
		7	Upstream-Status: Backport [https://github.com/unicode-org/icu/commit/2c667e31cfd0b6bb1923627a932fd3453a5bac77]
		8
		9	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		10	---
		11	tools/genrb/parse.cpp \| 49 +++++++++++++++++++++---------------
		12	1 file changed, 29 insertions(+), 20 deletions(-)
		13
		14	diff --git a/tools/genrb/parse.cpp b/tools/genrb/parse.cpp
		15	index f487241..eb85d51 100644
		16	--- a/tools/genrb/parse.cpp
		17	+++ b/tools/genrb/parse.cpp
		18	@@ -1153,7 +1153,7 @@ addCollation(ParseState* state, TableResource result, const char collationTyp
		19	struct UString *tokenValue;
		20	struct UString comment;
		21	enum ETokenType token;
		22	- char subtag[1024];
		23	+ CharString subtag;
		24	UnicodeString rules;
		25	UBool haveRules = false;
		26	UVersionInfo version;
		27	@@ -1189,15 +1189,15 @@ addCollation(ParseState* state, TableResource result, const char collationTyp
		28	return nullptr;
		29	}
		30
		31	- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
		32	-
		33	+ subtag.clear();
		34	+ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
		35	if (U_FAILURE(*status))
		36	{
		37	res_close(result);
		38	return nullptr;
		39	}
		40
		41	- member = parseResource(state, subtag, nullptr, status);
		42	+ member = parseResource(state, subtag.data(), nullptr, status);
		43
		44	if (U_FAILURE(*status))
		45	{
		46	@@ -1208,7 +1208,7 @@ addCollation(ParseState* state, TableResource result, const char collationTyp
		47	{
		48	// Ignore the parsed resources, continue parsing.
		49	}
		50	- else if (uprv_strcmp(subtag, "Version") == 0 && member->isString())
		51	+ else if (uprv_strcmp(subtag.data(), "Version") == 0 && member->isString())
		52	{
		53	StringResource sr = static_cast<StringResource >(member);
		54	char ver[40];
		55	@@ -1225,11 +1225,11 @@ addCollation(ParseState* state, TableResource result, const char collationTyp
		56	result->add(member, line, *status);
		57	member = nullptr;
		58	}
		59	- else if(uprv_strcmp(subtag, "%%CollationBin")==0)
		60	+ else if(uprv_strcmp(subtag.data(), "%%CollationBin")==0)
		61	{
		62	/* discard duplicate %%CollationBin if any*/
		63	}
		64	- else if (uprv_strcmp(subtag, "Sequence") == 0 && member->isString())
		65	+ else if (uprv_strcmp(subtag.data(), "Sequence") == 0 && member->isString())
		66	{
		67	StringResource sr = static_cast<StringResource >(member);
		68	rules = sr->fString;
		69	@@ -1395,7 +1395,7 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
		70	struct UString *tokenValue;
		71	struct UString comment;
		72	enum ETokenType token;
		73	- char subtag[1024], typeKeyword[1024];
		74	+ CharString subtag, typeKeyword;
		75	uint32_t line;
		76
		77	result = table_open(state->bundle, tag, nullptr, status);
		78	@@ -1437,7 +1437,8 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
		79	return nullptr;
		80	}
		81
		82	- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
		83	+ subtag.clear();
		84	+ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
		85
		86	if (U_FAILURE(*status))
		87	{
		88	@@ -1445,9 +1446,9 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
		89	return nullptr;
		90	}
		91
		92	- if (uprv_strcmp(subtag, "default") == 0)
		93	+ if (uprv_strcmp(subtag.data(), "default") == 0)
		94	{
		95	- member = parseResource(state, subtag, nullptr, status);
		96	+ member = parseResource(state, subtag.data(), nullptr, status);
		97
		98	if (U_FAILURE(*status))
		99	{
		100	@@ -1466,22 +1467,29 @@ parseCollationElements(ParseState* state, char *tag, uint32_t startline, UBool n
		101	if(token == TOK_OPEN_BRACE) {
		102	token = getToken(state, &tokenValue, &comment, &line, status);
		103	TableResource *collationRes;
		104	- if (keepCollationType(subtag)) {
		105	- collationRes = table_open(state->bundle, subtag, nullptr, status);
		106	+ if (keepCollationType(subtag.data())) {
		107	+ collationRes = table_open(state->bundle, subtag.data(), nullptr, status);
		108	} else {
		109	collationRes = nullptr;
		110	}
		111	// need to parse the collation data regardless
		112	- collationRes = addCollation(state, collationRes, subtag, startline, status);
		113	+ collationRes = addCollation(state, collationRes, subtag.data(), startline, status);
		114	if (collationRes != nullptr) {
		115	result->add(collationRes, startline, *status);
		116	}
		117	} else if(token == TOK_COLON) { /* right now, we'll just try to see if we have aliases */
		118	/* we could have a table too */
		119	token = peekToken(state, 1, &tokenValue, &line, &comment, status);
		120	- u_UCharsToChars(tokenValue->fChars, typeKeyword, u_strlen(tokenValue->fChars) + 1);
		121	- if(uprv_strcmp(typeKeyword, "alias") == 0) {
		122	- member = parseResource(state, subtag, nullptr, status);
		123	+ typeKeyword.clear();
		124	+ typeKeyword.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
		125	+ if (U_FAILURE(*status))
		126	+ {
		127	+ res_close(result);
		128	+ return nullptr;
		129	+ }
		130	+
		131	+ if(uprv_strcmp(typeKeyword.data(), "alias") == 0) {
		132	+ member = parseResource(state, subtag.data(), nullptr, status);
		133	if (U_FAILURE(*status))
		134	{
		135	res_close(result);
		136	@@ -1523,7 +1531,7 @@ realParseTable(ParseState* state, TableResource table, char tag, uint32_t star
		137	struct UString *tokenValue=nullptr;
		138	struct UString comment;
		139	enum ETokenType token;
		140	- char subtag[1024];
		141	+ CharString subtag;
		142	uint32_t line;
		143	UBool readToken = false;
		144
		145	@@ -1562,7 +1570,8 @@ realParseTable(ParseState* state, TableResource table, char tag, uint32_t star
		146	}
		147
		148	if(uprv_isInvariantUString(tokenValue->fChars, -1)) {
		149	- u_UCharsToChars(tokenValue->fChars, subtag, u_strlen(tokenValue->fChars) + 1);
		150	+ subtag.clear();
		151	+ subtag.appendInvariantChars(tokenValue->fChars, u_strlen(tokenValue->fChars), *status);
		152	} else {
		153	*status = U_INVALID_FORMAT_ERROR;
		154	error(line, "invariant characters required for table keys");
		155	@@ -1575,7 +1584,7 @@ realParseTable(ParseState* state, TableResource table, char tag, uint32_t star
		156	return nullptr;
		157	}
		158
		159	- member = parseResource(state, subtag, &comment, status);
		160	+ member = parseResource(state, subtag.data(), &comment, status);
		161
		162	if (member == nullptr \|\| U_FAILURE(*status))
		163	{
		164	--
		165	2.34.1
		166


diff --git a/meta/recipes-support/icu/icu_76-1.bb b/meta/recipes-support/icu/icu_76-1.bb index f11e72d356..24470ec330 100644 --- a/meta/recipes-support/icu/icu_76-1.bb +++ b/meta/recipes-support/icu/icu_76-1.bb
@@ -119,6 +119,7 @@ SRC_URI = "${BASE_SRC_URI};name=code \
119	${DATA_SRC_URI};name=data \	119	${DATA_SRC_URI};name=data \
120	file://filter.json \	120	file://filter.json \
121	file://0001-icu-Added-armeb-support.patch \	121	file://0001-icu-Added-armeb-support.patch \
		122	file://CVE-2025-5222.patch \
122	"	123	"
123		124
124	SRC_URI:append:class-target = "\	125	SRC_URI:append:class-target = "\