spdlog: patch CVE-2025-6140

Pick commit [1] mentioned in [2] as listed in [3]. [1] https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094 [2] https://github.com/gabime/spdlog/issues/3360 [3] https://nvd.nist.gov/vuln/detail/CVE-2025-6140 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Peter Marko <peter.marko@siemens.com> 2025-07-12 14:56:56 +0200
committer: Armin Kuster <akuster808@gmail.com> 2025-08-02 13:37:04 -0400
commit: 1fb08208681dd042d35b22c521208044b1cf3500 (patch)
tree: d3d687240fa2e7d5cf42b62d0360f90b3ae7061a
parent: ba84c52d551eaeb9a642b3360fc63719abe06983 (diff)
download: meta-openembedded-1fb08208681dd042d35b22c521208044b1cf3500.tar.gz
2 files changed, 38 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch b/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch
new file mode 100644
index 0000000000..3707d9e9c4
--- /dev/null
+++ b/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch
@@ -0,0 +1,35 @@
+From 10320184df1eb4638e253a34b1eb44ce78954094 Mon Sep 17 00:00:00 2001
+From: Gabi Melman <gmelman1@gmail.com>
+Date: Mon, 17 Mar 2025 15:46:31 +0200
+Subject: [PATCH] Fixed issue #3360 (#3361)
+CVE: CVE-2025-6140
+Upstream-Status: Backport [https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ include/spdlog/pattern_formatter-inl.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/include/spdlog/pattern_formatter-inl.h b/include/spdlog/pattern_formatter-inl.h
+index b53d8051..fd408ed5 100644
+--- a/include/spdlog/pattern_formatter-inl.h
+++ b/include/spdlog/pattern_formatter-inl.h
+@@ -65,6 +65,9 @@ public:
+             pad_it(remaining_pad_);
+         } else if (padinfo_.truncate_) {
+             long new_size = static_cast<long>(dest_.size()) + remaining_pad_;
+            if (new_size < 0) {
+                new_size = 0;
+            }
+             dest_.resize(static_cast<size_t>(new_size));
+         }
+     }
+@@ -259,7 +262,7 @@ public:
+         : flag_formatter(padinfo) {}
+ 
+     void format(const details::log_msg &, const std::tm &tm_time, memory_buf_t &dest) override {
+-        const size_t field_size = 10;
+        const size_t field_size = 8;
+         ScopedPadder p(field_size, padinfo_, dest);
+ 
+         fmt_helper::pad2(tm_time.tm_mon + 1, dest);
diff --git a/meta-oe/recipes-support/spdlog/spdlog_1.13.0.bb b/meta-oe/recipes-support/spdlog/spdlog_1.13.0.bb
index c6a0881db9..5761766ca8 100644
--- a/meta-oe/recipes-support/spdlog/spdlog_1.13.0.bb
+++ b/meta-oe/recipes-support/spdlog/spdlog_1.13.0.bb
@@ -4,7 +4,9 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=9573510928429ad0cbe5ba4de77546e9"
 SRCREV = "7c02e204c92545f869e2f04edaab1f19fe8b19fd"
-SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x"
+SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x \
+    file://CVE-2025-6140.patch \
+"
 DEPENDS = "fmt"
author	Peter Marko <peter.marko@siemens.com>	2025-07-12 14:56:56 +0200
committer	Armin Kuster <akuster808@gmail.com>	2025-08-02 13:37:04 -0400
commit	1fb08208681dd042d35b22c521208044b1cf3500 (patch)
tree	d3d687240fa2e7d5cf42b62d0360f90b3ae7061a
parent	ba84c52d551eaeb9a642b3360fc63719abe06983 (diff)
download	meta-openembedded-1fb08208681dd042d35b22c521208044b1cf3500.tar.gz

diff --git a/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch b/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch new file mode 100644 index 0000000000..3707d9e9c4 --- /dev/null +++ b/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch
@@ -0,0 +1,35 @@
		1	From 10320184df1eb4638e253a34b1eb44ce78954094 Mon Sep 17 00:00:00 2001
		2	From: Gabi Melman <gmelman1@gmail.com>
		3	Date: Mon, 17 Mar 2025 15:46:31 +0200
		4	Subject: [PATCH] Fixed issue #3360 (#3361)
		5
		6	CVE: CVE-2025-6140
		7	Upstream-Status: Backport [https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094]
		8	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		9	---
		10	include/spdlog/pattern_formatter-inl.h \| 5 ++++-
		11	1 file changed, 4 insertions(+), 1 deletion(-)
		12
		13	diff --git a/include/spdlog/pattern_formatter-inl.h b/include/spdlog/pattern_formatter-inl.h
		14	index b53d8051..fd408ed5 100644
		15	--- a/include/spdlog/pattern_formatter-inl.h
		16	+++ b/include/spdlog/pattern_formatter-inl.h
		17	@@ -65,6 +65,9 @@ public:
		18	pad_it(remaining_pad_);
		19	} else if (padinfo_.truncate_) {
		20	long new_size = static_cast<long>(dest_.size()) + remaining_pad_;
		21	+ if (new_size < 0) {
		22	+ new_size = 0;
		23	+ }
		24	dest_.resize(static_cast<size_t>(new_size));
		25	}
		26	}
		27	@@ -259,7 +262,7 @@ public:
		28	: flag_formatter(padinfo) {}
		29
		30	void format(const details::log_msg &, const std::tm &tm_time, memory_buf_t &dest) override {
		31	- const size_t field_size = 10;
		32	+ const size_t field_size = 8;
		33	ScopedPadder p(field_size, padinfo_, dest);
		34
		35	fmt_helper::pad2(tm_time.tm_mon + 1, dest);


diff --git a/meta-oe/recipes-support/spdlog/spdlog_1.13.0.bb b/meta-oe/recipes-support/spdlog/spdlog_1.13.0.bb index c6a0881db9..5761766ca8 100644 --- a/meta-oe/recipes-support/spdlog/spdlog_1.13.0.bb +++ b/meta-oe/recipes-support/spdlog/spdlog_1.13.0.bb
@@ -4,7 +4,9 @@ LICENSE = "MIT"
4	LIC_FILES_CHKSUM = "file://LICENSE;md5=9573510928429ad0cbe5ba4de77546e9"	4	LIC_FILES_CHKSUM = "file://LICENSE;md5=9573510928429ad0cbe5ba4de77546e9"
5		5
6	SRCREV = "7c02e204c92545f869e2f04edaab1f19fe8b19fd"	6	SRCREV = "7c02e204c92545f869e2f04edaab1f19fe8b19fd"
7	SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x"	7	SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x \
		8	file://CVE-2025-6140.patch \
		9	"
8		10
9	DEPENDS = "fmt"	11	DEPENDS = "fmt"
10		12