On Fri, 2026-06-12 at 16:25 +0200, Jérémy Rosen via lists.openembedded.org wrote: > From: Sudhir Dumbhare <[email protected]>
+Cc Sudhir > > - This patch applies the upstream fix [5] as referenced in [7]. > - To successfully apply the fixed commit, apply the dependent commits [2] to > [4] > which are included in v2.8.6, as referenced in [7]. > - Additionally, include dependent commit [1] from v2.8.3, as referenced in [8] > under the [2.5.4-38.2] description, along with compilation fix commit [6] > from v2.7.1 > - Reference: > [1] > https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f2925790 > [2] > https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=7e8b36522f58 > [3] > https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=42f01e6a78fe > [4] > https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=51738ae56d92 > [5] > https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=f36bd900a899 > [6] > https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=a2c95e4f557a > [7] https://security-tracker.debian.org/tracker/CVE-2025-12801 > [8] https://linux.oracle.com/errata/ELSA-2026-3940.html > > Signed-off-by: Sudhir Dumbhare <[email protected]> > Signed-off-by: Jeremy Rosen <[email protected]> [snip] > diff --git > a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch > > b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch > new file mode 100644 > index 0000000000..223249a9d6 > --- /dev/null > +++ > b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch > @@ -0,0 +1,71 @@ > +From 647c9cb3ac3cbdf9ffd9e29f7d5dd04da84afdbc Mon Sep 17 00:00:00 2001 > +From: Christopher Bii <[email protected]> > +Date: Wed, 15 Jan 2025 12:10:48 -0500 > +Subject: [PATCH] NFS export symlink vulnerability fix > + > +Replaced dangerous use of realpath within support/nfs/export.c with > +nfsd_realpath variant that is executed within the chrooted thread > +rather than main thread. > + > +Implemented nfsd_path.h methods to work securely within chrooted > +thread using nfsd_run_task() help > + > +CVE: CVE-2025-12801 > +Upstream-Status: Backport > [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f29257904f36509ea5a04a86f42398fbe94a] > + > +Backport Changes: > +- In support/misc/nfsd_path.c file, only nfsd_run_task() and the > + struct nfsd_task_t have been included to resolve a compilation > + issue. All other non-essential changes were excluded. > +- The non-required file support/export/cache.c and support/nfs/exports.c > + has been excluded. > + > +Signed-off-by: Christopher Bii <[email protected]> > +Signed-off-by: Steve Dickson <[email protected]> > +(cherry picked from commit cd90f29257904f36509ea5a04a86f42398fbe94a) > +Signed-off-by: Sudhir Dumbhare <[email protected]> > +--- > + support/include/nfsd_path.h | 1 + > + support/misc/nfsd_path.c | 14 +++++++++++++- > + 2 files changed, 14 insertions(+), 1 deletion(-) > + > +diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h > +index aa1e1dd0..4f5fc44e 100644 > +--- a/support/include/nfsd_path.h > ++++ b/support/include/nfsd_path.h > +@@ -8,6 +8,7 @@ > + > + struct file_handle; > + struct statfs; > ++struct nfsd_task_t; > + > + void nfsd_path_init(void); > + > +diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c > +index c3dea4f0..fa908f7c 100644 > +--- a/support/misc/nfsd_path.c > ++++ b/support/misc/nfsd_path.c > +@@ -19,7 +19,19 @@ > + #include "nfsd_path.h" > + #include "workqueue.h" > + > +-static struct xthread_workqueue *nfsd_wq; > ++static struct xthread_workqueue *nfsd_wq = NULL; > ++ > ++struct nfsd_task_t { > ++ int ret; > ++ void* data; > ++}; > ++/* Function used to offload tasks that must be ran within the correct > ++ * chroot environment. > ++ */ > ++static void > ++nfsd_run_task(void (*func)(void*), void* data){ > ++ nfsd_wq ? xthread_work_run_sync(nfsd_wq, func, data) : func(data); > ++}; > + > + static int > + nfsd_path_isslash(const char *path) > +-- > +2.35.6 > + Reading the commit message, and looking at the diff in the original commit [1], I think we should apply the complete patch here. And it seems that's what RedHat have done when backporting this fix for RHEL 9 [2]. Sudhir, what's the reason for trimming the patch down? [1]: https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f29257904f36509ea5a04a86f42398fbe94a [2]: https://gitlab.com/redhat/centos-stream/rpms/nfs-utils/-/commit/6f332316f7aa605d67f6b60db0be68f63bf28f9c Best regards, -- Paul Barker
signature.asc
Description: This is a digitally signed message part
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#238821): https://lists.openembedded.org/g/openembedded-core/message/238821 Mute This Topic: https://lists.openembedded.org/mt/119774419/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
