From: Petr Vorel Date: Sun, 8 Jun 2025 21:01:52 +0000 (+0200) Subject: iputils: upgrade 20240905 -> 20250605 X-Git-Tag: uninative-4.8~170 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=846b7dcb5a41ec017581913bb438d43d1d59109f;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git iputils: upgrade 20240905 -> 20250605 Bugfix release: https://github.com/iputils/iputils/releases/tag/20250605 This also includes security release update https://github.com/iputils/iputils/releases/tag/20250602 Security release, fixes CVE-2025-47268 and CVE-2025-48964 (therefore remove backported fix CVE-2025-47268.patch Signed-off-by: Petr Vorel Signed-off-by: Richard Purdie --- diff --git a/meta/recipes-extended/iputils/iputils/CVE-2025-47268.patch b/meta/recipes-extended/iputils/iputils/CVE-2025-47268.patch deleted file mode 100644 index dd31b79031f..00000000000 --- a/meta/recipes-extended/iputils/iputils/CVE-2025-47268.patch +++ /dev/null @@ -1,143 +0,0 @@ -From 070cfacd7348386173231fb16fad4983d4e6ae40 Mon Sep 17 00:00:00 2001 -From: Petr Vorel -Date: Mon, 5 May 2025 23:55:57 +0200 -Subject: [PATCH] ping: Fix signed 64-bit integer overflow in RTT calculation - -Crafted ICMP Echo Reply packet can cause signed integer overflow in - -1) triptime calculation: -triptime = tv->tv_sec * 1000000 + tv->tv_usec; - -2) tsum2 increment which uses triptime -rts->tsum2 += (double)((long long)triptime * (long long)triptime); - -3) final tmvar: -tmvar = (rts->tsum2 / total) - (tmavg * tmavg) - - $ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer" - $ export LDFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer" - $ meson setup .. -Db_sanitize=address,undefined - $ ninja - $ ./ping/ping -c2 127.0.0.1 - - PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. - 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.061 ms - ../ping/ping_common.c:757:25: runtime error: signed integer overflow: -2513732689199106 * 1000000 cannot be represented in type 'long int' - ../ping/ping_common.c:757:12: runtime error: signed integer overflow: -4975495174606980224 + -6510615555425289427 cannot be represented in type 'long int' - ../ping/ping_common.c:769:47: runtime error: signed integer overflow: 6960633343677281965 * 6960633343677281965 cannot be represented in type 'long int' - 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated) - ./ping/ping: Warning: time of day goes back (-7256972569576721377us), taking countermeasures - ./ping/ping: Warning: time of day goes back (-7256972569576721232us), taking countermeasures - 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated) - ../ping/ping_common.c:265:16: runtime error: signed integer overflow: 6960633343677281965 * 2 cannot be represented in type 'long int' - 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.565 ms - - --- 127.0.0.1 ping statistics --- - 2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1002ms - ../ping/ping_common.c:940:42: runtime error: signed integer overflow: 1740158335919320832 * 1740158335919320832 cannot be represented in type 'long int' - rtt min/avg/max/mdev = 0.000/1740158335919320.832/6960633343677281.965/-1623514645242292.-224 ms - -To fix the overflow check allowed ranges of struct timeval members: -* tv_sec <0, LONG_MAX/1000000> -* tv_usec <0, 999999> - -Fix includes 2 new error messages (needs translation). -Also existing message "time of day goes back ..." needed to be modified -as it now prints tv->tv_sec which is a second (needs translation update). - -After fix: - - $ ./ping/ping -c2 127.0.0.1 - 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.057 ms - ./ping/ping: Warning: invalid tv_usec -6510615555424928611 us - ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures - ./ping/ping: Warning: invalid tv_usec -6510615555424928461 us - ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures - 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated) - ./ping/ping: Warning: invalid tv_usec -6510615555425884541 us - ./ping/ping: Warning: time of day goes back (-4243165695442945 s), taking countermeasures - 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated) - 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.111 ms - - --- 127.0.0.1 ping statistics --- - 2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 101ms - rtt min/avg/max/mdev = 0.000/0.042/0.111/0.046 ms - -Fixes: https://github.com/iputils/iputils/issues/584 -Fixes: CVE-2025-472 -Link: https://github.com/Zephkek/ping-rtt-overflow/ -Co-developed-by: Cyril Hrubis -Reported-by: Mohamed Maatallah -Reviewed-by: Mohamed Maatallah -Reviewed-by: Cyril Hrubis -Reviewed-by: Noah Meyerhans -Signed-off-by: Petr Vorel - -CVE: CVE-2025-47268 - -Upstream-Status: Backport -[https://github.com/iputils/iputils/commit/070cfacd7348386173231fb16fad4983d4e6ae40] - -Signed-off-by: Yi Zhao ---- - iputils_common.h | 3 +++ - ping/ping_common.c | 22 +++++++++++++++++++--- - 2 files changed, 22 insertions(+), 3 deletions(-) - -diff --git a/iputils_common.h b/iputils_common.h -index 49e790d..829a749 100644 ---- a/iputils_common.h -+++ b/iputils_common.h -@@ -10,6 +10,9 @@ - !!__builtin_types_compatible_p(__typeof__(arr), \ - __typeof__(&arr[0]))])) * 0) - -+/* 1000001 = 1000000 tv_sec + 1 tv_usec */ -+#define TV_SEC_MAX_VAL (LONG_MAX/1000001) -+ - #ifdef __GNUC__ - # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m))) - #else -diff --git a/ping/ping_common.c b/ping/ping_common.c -index dadd2a4..4e99d89 100644 ---- a/ping/ping_common.c -+++ b/ping/ping_common.c -@@ -754,16 +754,32 @@ int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen, - - restamp: - tvsub(tv, &tmp_tv); -- triptime = tv->tv_sec * 1000000 + tv->tv_usec; -- if (triptime < 0) { -- error(0, 0, _("Warning: time of day goes back (%ldus), taking countermeasures"), triptime); -+ -+ if (tv->tv_usec >= 1000000) { -+ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec); -+ tv->tv_usec = 999999; -+ } -+ -+ if (tv->tv_usec < 0) { -+ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec); -+ tv->tv_usec = 0; -+ } -+ -+ if (tv->tv_sec > TV_SEC_MAX_VAL) { -+ error(0, 0, _("Warning: invalid tv_sec %ld s"), tv->tv_sec); -+ triptime = 0; -+ } else if (tv->tv_sec < 0) { -+ error(0, 0, _("Warning: time of day goes back (%ld s), taking countermeasures"), tv->tv_sec); - triptime = 0; - if (!rts->opt_latency) { - gettimeofday(tv, NULL); - rts->opt_latency = 1; - goto restamp; - } -+ } else { -+ triptime = tv->tv_sec * 1000000 + tv->tv_usec; - } -+ - if (!csfailed) { - rts->tsum += triptime; - rts->tsum2 += (double)((long long)triptime * (long long)triptime); --- -2.34.1 - diff --git a/meta/recipes-extended/iputils/iputils_20240905.bb b/meta/recipes-extended/iputils/iputils_20250605.bb similarity index 95% rename from meta/recipes-extended/iputils/iputils_20240905.bb rename to meta/recipes-extended/iputils/iputils_20250605.bb index 64d58a91c28..a62ea65ba8a 100644 --- a/meta/recipes-extended/iputils/iputils_20240905.bb +++ b/meta/recipes-extended/iputils/iputils_20250605.bb @@ -11,9 +11,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=627cc07ec86a45951d43e30658bbd819" DEPENDS = "gnutls" SRC_URI = "git://github.com/iputils/iputils;branch=master;protocol=https \ - file://CVE-2025-47268.patch \ " -SRCREV = "10b50784aae3fb75c96cdf9b1668916b49557dd5" +SRCREV = "6e1cb146547eb6fbb127ffc8397a9241be0d33c2" S = "${WORKDIR}/git"