
systemd: fix for CVE-2026-40225

Backport commits [0] and [1], which fix this vulnerability as referenced in the Debian report [2].

[0] https://github.com/systemd/systemd/commit/03bb697b8df0339c37f4b845025320b261aeb7cc
[1] https://github.com/systemd/systemd/commit/5887e72ff87d3a66a4c3fa91897fbec1545f4d3d
[2] https://security-tracker.debian.org/tracker/CVE-2026-40225

More details : https://nvd.nist.gov/vuln/detail/CVE-2026-40225

(From OE-Core rev: fc2d33dbb2d5180b77c10865156db342f9d582da)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Hitendra Prajapati
2026-04-28 17:55:28 +05:30
committed by Paul Barker
parent e9575f38d7
commit f036698406
3 changed files with 172 additions and 0 deletions
@@ -0,0 +1,131 @@
From 03bb697b8df0339c37f4b845025320b261aeb7cc Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Fri, 6 Mar 2026 19:32:35 +0000
Subject: [PATCH] udev: check for invalid chars in various fields received from
the kernel
(cherry picked from commit 16325b35fa6ecb25f66534a562583ce3b96d52f3)
(cherry picked from commit 3513862eabe9ec4a6a095d7266e98f998f289ed2)
(cherry picked from commit c20d21e0da293e715db468f9f4a15a5c8fbf8273)
CVE: CVE-2026-40225
Upstream-Status: Backport [https://github.com/systemd/systemd/commit/03bb697b8df0339c37f4b845025320b261aeb7cc]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/udev/dmi_memory_id/dmi_memory_id.c | 3 ++-
src/udev/scsi_id/scsi_id.c | 5 +++--
src/udev/udev-builtin-net_id.c | 9 +++++++++
src/udev/v4l_id/v4l_id.c | 5 ++++-
4 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/src/udev/dmi_memory_id/dmi_memory_id.c b/src/udev/dmi_memory_id/dmi_memory_id.c
index 52ea250af8..4f2c21b80b 100644
--- a/src/udev/dmi_memory_id/dmi_memory_id.c
+++ b/src/udev/dmi_memory_id/dmi_memory_id.c
@@ -51,6 +51,7 @@
#include "string-util.h"
#include "udev-util.h"
#include "unaligned.h"
+#include "utf8.h"
#define SUPPORTED_SMBIOS_VER 0x030300
@@ -185,7 +186,7 @@ static void dmi_memory_device_string(
str = strdupa_safe(dmi_string(h, s));
str = strstrip(str);
- if (!isempty(str))
+ if (!isempty(str) && utf8_is_valid(str) && !string_has_cc(str, /* ok= */ NULL))
printf("MEMORY_DEVICE_%u_%s=%s\n", slot_num, attr_suffix, str);
}
diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c
index 6308c52b7e..7e18bc755a 100644
--- a/src/udev/scsi_id/scsi_id.c
+++ b/src/udev/scsi_id/scsi_id.c
@@ -27,6 +27,7 @@
#include "strv.h"
#include "strxcpyx.h"
#include "udev-util.h"
+#include "utf8.h"
static const struct option options[] = {
{ "device", required_argument, NULL, 'd' },
@@ -443,8 +444,8 @@ static int scsi_id(char *maj_min_dev) {
}
if (dev_scsi.tgpt_group[0] != '\0')
printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group);
- if (dev_scsi.unit_serial_number[0] != '\0')
- printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number);
+ if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL))
+ printf("ID_SCSI_SERIAL=%s\n", serial_str);
goto out;
}
diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
index 91b40088f4..715184e282 100644
--- a/src/udev/udev-builtin-net_id.c
+++ b/src/udev/udev-builtin-net_id.c
@@ -39,6 +39,7 @@
#include "strv.h"
#include "strxcpyx.h"
#include "udev-builtin.h"
+#include "utf8.h"
#define ONBOARD_14BIT_INDEX_MAX ((1U << 14) - 1)
#define ONBOARD_16BIT_INDEX_MAX ((1U << 16) - 1)
@@ -247,6 +248,9 @@ static int get_port_specifier(sd_device *dev, bool fallback_to_dev_id, char **re
}
}
+ if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
+
/* Otherwise, use phys_port_name as is. */
buf = strjoin("n", phys_port_name);
if (!buf)
@@ -351,6 +355,9 @@ static int names_pci_onboard_label(sd_device *dev, sd_device *pci_dev, const cha
if (r < 0)
return log_device_debug_errno(pci_dev, r, "Failed to get PCI onboard label: %m");
+ if (!utf8_is_valid(label) || string_has_cc(label, /* ok= */ NULL))
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid label");
+
char str[ALTIFNAMSIZ];
if (snprintf_ok(str, sizeof str, "%s%s",
naming_scheme_has(NAMING_LABEL_NOPREFIX) ? "" : prefix,
@@ -1209,6 +1216,8 @@ static int names_netdevsim(sd_device *dev, const char *prefix, bool test) {
if (isempty(phys_port_name))
return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EOPNOTSUPP),
"The 'phys_port_name' attribute is empty.");
+ if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
char str[ALTIFNAMSIZ];
if (snprintf_ok(str, sizeof str, "%si%un%s", prefix, addr, phys_port_name))
diff --git a/src/udev/v4l_id/v4l_id.c b/src/udev/v4l_id/v4l_id.c
index 30527e9556..2ec96d8d3a 100644
--- a/src/udev/v4l_id/v4l_id.c
+++ b/src/udev/v4l_id/v4l_id.c
@@ -29,6 +29,8 @@
#include "build.h"
#include "fd-util.h"
#include "main-func.h"
+#include "string-util.h"
+#include "utf8.h"
static const char *arg_device = NULL;
@@ -82,7 +84,8 @@ static int run(int argc, char *argv[]) {
int capabilities;
printf("ID_V4L_VERSION=2\n");
- printf("ID_V4L_PRODUCT=%s\n", v2cap.card);
+ if (utf8_is_valid((char *)v2cap.card) && !string_has_cc((char *)v2cap.card, /* ok= */ NULL))
+ printf("ID_V4L_PRODUCT=%s\n", v2cap.card);
printf("ID_V4L_CAPABILITIES=:");
if (v2cap.capabilities & V4L2_CAP_DEVICE_CAPS)
--
2.50.1
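Review bot: The scsi_id hunk of this first patch validates `dev_scsi.unit_serial_number` but then prints `serial_str`, which the follow-up's own description identifies as a different pre-existing variable, so a tree with only CVE-2026-40225-01.patch applied emits that variable's contents under ID_SCSI_SERIAL rather than the value it just checked. The second patch file in this commit (`printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number);`) is what makes the backport correct, and the recipe section lists both, so the final tree is fine. Because the two files are only correct as a pair, the 01 patch header would benefit from a line beneath its Upstream-Status such as `Note: must be applied together with CVE-2026-40225-02.patch, which fixes the serial_str mixup in scsi_id.c`, so that neither is cherry-picked alone into another branch. The enclosing scsi_id() function starts and ends outside the quoted hunk.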
@@ -0,0 +1,39 @@
From 5887e72ff87d3a66a4c3fa91897fbec1545f4d3d Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Fri, 13 Mar 2026 11:10:47 +0000
Subject: [PATCH] udev: fix review mixup
The previous version in the PR changed variable and sanitized it
in place. The second version switched to skip if CCs are in the
string instead, but didn't move back to the original variable.
Because it's an existing variable, no CI caught it.
Follow-up for 16325b35fa6ecb25f66534a562583ce3b96d52f3
(cherry picked from commit 54f880b02ecf7362e630ffc885d1466df6ee6820)
(cherry picked from commit 4425d8523e79f3cc00b3b93a0b5e7c6cdc284a97)
(cherry picked from commit 75c585beae60e73208941e6b3f64cf249223f53d)
CVE: CVE-2026-40225
Upstream-Status: Backport [https://github.com/systemd/systemd/commit/5887e72ff87d3a66a4c3fa91897fbec1545f4d3d]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/udev/scsi_id/scsi_id.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c
index 7e18bc755a..b2df8d9f7f 100644
--- a/src/udev/scsi_id/scsi_id.c
+++ b/src/udev/scsi_id/scsi_id.c
@@ -445,7 +445,7 @@ static int scsi_id(char *maj_min_dev) {
if (dev_scsi.tgpt_group[0] != '\0')
printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group);
if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL))
- printf("ID_SCSI_SERIAL=%s\n", serial_str);
+ printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number);
goto out;
}
--
2.50.1
@@ -29,6 +29,8 @@ SRC_URI += " \
file://0002-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
file://0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch \
file://0008-implment-systemd-sysv-install-for-OE.patch \
file://CVE-2026-40225-01.patch \
file://CVE-2026-40225-02.patch \
"
# patches needed by musl