avahi: patch CVE-2025-68468

(From OE-Core rev: 1eebd6d5bd5d930aa8ec68f73789ff0bd742441c) Signed-off-by: Amaury Couderc <amaury.couderc@est.tech> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 9f2ed8adc37a42b561b3c4853cf8106fba39889e) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Amaury Couderc <amaury.couderc@est.tech> 2026-02-09 15:21:00 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-02-27 17:45:06 +0000
commit: 0d954471b5e161db24547eff3b503ceeebb29512 (patch)
tree: 8a1ab8e24689ab3710a9b3e6e621a13db79d74d3 /meta/recipes-connectivity
parent: a57370d30cf961c4ad0158eef0d7990111eda07e (diff)
download: poky-0d954471b5e161db24547eff3b503ceeebb29512.tar.gz
2 files changed, 33 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index bb20fd17cc..34d95f48cd 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -38,6 +38,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
           file://CVE-2024-52616.patch \
           file://CVE-2024-52615.patch \
           file://CVE-2025-68276.patch \
+           file://CVE-2025-68468.patch \
           "
 GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch b/meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch
new file mode 100644
index 0000000000..3635cc8d53
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch
@@ -0,0 +1,32 @@
+From 483f83828cfda965fac914ff1b39c63c256372b2 Mon Sep 17 00:00:00 2001
+From: Hugo Muis <198191869+friendlyhugo@users.noreply.github.com>
+Date: Sun, 2 Mar 2025 18:06:24 +0100
+Subject: [PATCH] core: fix DoS bug by removing incorrect assertion
+Closes https://github.com/avahi/avahi/issues/683
+CVE: CVE-2025-68468
+Upstream-Status: Backport
+[https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a]
+Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
+---
+ avahi-core/browse.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/avahi-core/browse.c b/avahi-core/browse.c
+index 86e4432..79595fe 100644
+--- a/avahi-core/browse.c
+++ b/avahi-core/browse.c
+@@ -295,7 +295,6 @@ static void lookup_multicast_callback(
+                 lookup_drop_cname(l, interface, protocol, 0, r);
+             else {
+                 /* It's a normal record, so let's call the user callback */
+-                assert(avahi_key_equal(b->key, l->key));
+ 
+                 b->callback(b, interface, protocol, event, r, flags, b->userdata);
+             }
+-- 
+2.43.0
author	Amaury Couderc <amaury.couderc@est.tech>	2026-02-09 15:21:00 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-02-27 17:45:06 +0000
commit	0d954471b5e161db24547eff3b503ceeebb29512 (patch)
tree	8a1ab8e24689ab3710a9b3e6e621a13db79d74d3 /meta/recipes-connectivity
parent	a57370d30cf961c4ad0158eef0d7990111eda07e (diff)
download	poky-0d954471b5e161db24547eff3b503ceeebb29512.tar.gz

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index bb20fd17cc..34d95f48cd 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -38,6 +38,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
38	file://CVE-2024-52616.patch \	38	file://CVE-2024-52616.patch \
39	file://CVE-2024-52615.patch \	39	file://CVE-2024-52615.patch \
40	file://CVE-2025-68276.patch \	40	file://CVE-2025-68276.patch \
		41	file://CVE-2025-68468.patch \
41	"	42	"
42		43
43	GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"	44	GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"


diff --git a/meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch b/meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch new file mode 100644 index 0000000000..3635cc8d53 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2025-68468.patch
@@ -0,0 +1,32 @@
		1	From 483f83828cfda965fac914ff1b39c63c256372b2 Mon Sep 17 00:00:00 2001
		2	From: Hugo Muis <198191869+friendlyhugo@users.noreply.github.com>
		3	Date: Sun, 2 Mar 2025 18:06:24 +0100
		4	Subject: [PATCH] core: fix DoS bug by removing incorrect assertion
		5
		6	Closes https://github.com/avahi/avahi/issues/683
		7
		8	CVE: CVE-2025-68468
		9
		10	Upstream-Status: Backport
		11	[https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a]
		12
		13	Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
		14	---
		15	avahi-core/browse.c \| 1 -
		16	1 file changed, 1 deletion(-)
		17
		18	diff --git a/avahi-core/browse.c b/avahi-core/browse.c
		19	index 86e4432..79595fe 100644
		20	--- a/avahi-core/browse.c
		21	+++ b/avahi-core/browse.c
		22	@@ -295,7 +295,6 @@ static void lookup_multicast_callback(
		23	lookup_drop_cname(l, interface, protocol, 0, r);
		24	else {
		25	/* It's a normal record, so let's call the user callback */
		26	- assert(avahi_key_equal(b->key, l->key));
		27
		28	b->callback(b, interface, protocol, event, r, flags, b->userdata);
		29	}
		30	--
		31	2.43.0
		32