mirror of
https://git.yoctoproject.org/poky
synced 2026-06-29 17:13:38 +02:00
dpkg: Fix CVE-2026-2219
This patch applies the upstream fix as referenced in [2], using the commit shown in [1]. [1] https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-2219 (From OE-Core rev: 66055d7f179d0d838c2139d9d2399a968c6f6529) Signed-off-by: Shubham Pushpkar <spushpka@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Shubham Pushpkar
committed by
Paul Barker
Paul Barker
parent
b04b16e965
commit
09f201c834
47
meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch
Normal file
47
meta/recipes-devtools/dpkg/dpkg/CVE-2026-2219.patch
Normal file
@@ -0,0 +1,47 @@
|
||||
From 6610297a62c0780dd0e80b0e302ef64fdcc9d313 Mon Sep 17 00:00:00 2001
|
||||
From: Guillem Jover <guillem@debian.org>
|
||||
Date: Sat, 7 Feb 2026 00:57:55 +0100
|
||||
Subject: [PATCH] libdpkg: Terminate zstd decompression when we have no more
|
||||
data
|
||||
|
||||
We should be checking whether the input buffer is zero-sized, and then
|
||||
mark the stream as finished. Otherwise the zstd implementation does not
|
||||
detect that as an end of stream situation and we get stuck in an
|
||||
infinite loop spinning the CPU. This means the decompression process
|
||||
in dpkg-deb does not terminate, so no EPIPE gets generated and the
|
||||
other processes that are part of the unpacking do not stop either.
|
||||
|
||||
Reported-by: Yashashree Gund <yash_gund@live.com>
|
||||
Fixes: commit 2c2f7066bd8c3209762762fa6905fa567b08ca5a
|
||||
Fixes: CVE-2026-2219
|
||||
Closes: #1129722
|
||||
Stable-Candidate: 1.21.x 1.22.x
|
||||
|
||||
CVE: CVE-2026-2219
|
||||
Upstream-Status: Backport [https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313]
|
||||
|
||||
(cherry picked from commit 6610297a62c0780dd0e80b0e302ef64fdcc9d313)
|
||||
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
|
||||
---
|
||||
lib/dpkg/compress.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/lib/dpkg/compress.c b/lib/dpkg/compress.c
|
||||
index adf26ea7..bf73affe 100644
|
||||
--- a/lib/dpkg/compress.c
|
||||
+++ b/lib/dpkg/compress.c
|
||||
@@ -1070,6 +1070,11 @@ filter_unzstd_code(struct io_zstd *io, struct io_zstd_stream *s)
|
||||
ZSTD_outBuffer buf_out = { s->next_out, s->avail_out, 0 };
|
||||
size_t ret;
|
||||
|
||||
+ if (buf_in.size == 0) {
|
||||
+ s->status = DPKG_STREAM_END;
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
ret = ZSTD_decompressStream(s->ctx.d, &buf_out, &buf_in);
|
||||
if (ZSTD_isError(ret))
|
||||
filter_zstd_error(io, ret);
|
||||
--
|
||||
2.35.6
|
||||
|
||||
@@ -15,6 +15,7 @@ SRC_URI = "git://salsa.debian.org/dpkg-team/dpkg.git;protocol=https;branch=main
|
||||
file://pager.patch \
|
||||
file://0001-Add-support-for-riscv32-CPU.patch \
|
||||
file://CVE-2025-6297.patch \
|
||||
file://CVE-2026-2219.patch \
|
||||
"
|
||||
|
||||
SRC_URI:append:class-native = " file://0001-build.c-ignore-return-of-1-from-tar-cf.patch"
|
||||
|
||||
Reference in New Issue
Block a user