spdlog: patch CVE-2025-6140

Pick commit [1] mentioned in [2] as listed in [3]. [1] https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094 [2] https://github.com/gabime/spdlog/issues/3360 [3] https://nvd.nist.gov/vuln/detail/CVE-2025-6140 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Peter Marko <peter.marko@siemens.com> 2025-07-12 14:55:12 +0200
committer: Armin Kuster <akuster808@gmail.com> 2025-07-13 14:41:25 -0400
commit: c982a980e98fb7cfed4ded75e82be31eff0e8bd1 (patch)
tree: b9e7022a70331b1c7b4da52a7ebeb447a180ddad
parent: 2e921c24862553df742a6b5ace574fbb942776cc (diff)
download: meta-openembedded-c982a980e98fb7cfed4ded75e82be31eff0e8bd1.tar.gz
2 files changed, 38 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch b/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch
new file mode 100644
index 0000000000..01e4558ff2
--- /dev/null
+++ b/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch
@@ -0,0 +1,35 @@
+From 10320184df1eb4638e253a34b1eb44ce78954094 Mon Sep 17 00:00:00 2001
+From: Gabi Melman <gmelman1@gmail.com>
+Date: Mon, 17 Mar 2025 15:46:31 +0200
+Subject: [PATCH] Fixed issue #3360 (#3361)
+CVE: CVE-2025-6140
+Upstream-Status: Backport [https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ include/spdlog/pattern_formatter-inl.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/include/spdlog/pattern_formatter-inl.h b/include/spdlog/pattern_formatter-inl.h
+index b53d8051..fd408ed5 100644
+--- a/include/spdlog/pattern_formatter-inl.h
+++ b/include/spdlog/pattern_formatter-inl.h
+@@ -76,6 +76,9 @@ public:
+         else if (padinfo_.truncate_)
+         {
+             long new_size = static_cast<long>(dest_.size()) + remaining_pad_;
+            if (new_size < 0) {
+                new_size = 0;
+            }
+             dest_.resize(static_cast<size_t>(new_size));
+         }
+     }
+@@ -303,7 +306,7 @@ public:
+ 
+     void format(const details::log_msg &, const std::tm &tm_time, memory_buf_t &dest) override
+     {
+-        const size_t field_size = 10;
+        const size_t field_size = 8;
+         ScopedPadder p(field_size, padinfo_, dest);
+ 
+         fmt_helper::pad2(tm_time.tm_mon + 1, dest);
diff --git a/meta-oe/recipes-support/spdlog/spdlog_1.9.2.bb b/meta-oe/recipes-support/spdlog/spdlog_1.9.2.bb
index 6362fc7a4b..4110ba8a11 100644
--- a/meta-oe/recipes-support/spdlog/spdlog_1.9.2.bb
+++ b/meta-oe/recipes-support/spdlog/spdlog_1.9.2.bb
@@ -5,7 +5,9 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/MIT;md5=0835ad
 SRCREV = "eb3220622e73a4889eee355ffa37972b3cac3df5"
 SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x; \
-           file://0001-Enable-use-of-external-fmt-library.patch"
+           file://0001-Enable-use-of-external-fmt-library.patch \
+           file://CVE-2025-6140.patch \
+"
 DEPENDS += "fmt"
author	Peter Marko <peter.marko@siemens.com>	2025-07-12 14:55:12 +0200
committer	Armin Kuster <akuster808@gmail.com>	2025-07-13 14:41:25 -0400
commit	c982a980e98fb7cfed4ded75e82be31eff0e8bd1 (patch)
tree	b9e7022a70331b1c7b4da52a7ebeb447a180ddad
parent	2e921c24862553df742a6b5ace574fbb942776cc (diff)
download	meta-openembedded-c982a980e98fb7cfed4ded75e82be31eff0e8bd1.tar.gz

diff --git a/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch b/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch new file mode 100644 index 0000000000..01e4558ff2 --- /dev/null +++ b/meta-oe/recipes-support/spdlog/spdlog/CVE-2025-6140.patch
@@ -0,0 +1,35 @@
		1	From 10320184df1eb4638e253a34b1eb44ce78954094 Mon Sep 17 00:00:00 2001
		2	From: Gabi Melman <gmelman1@gmail.com>
		3	Date: Mon, 17 Mar 2025 15:46:31 +0200
		4	Subject: [PATCH] Fixed issue #3360 (#3361)
		5
		6	CVE: CVE-2025-6140
		7	Upstream-Status: Backport [https://github.com/gabime/spdlog/commit/10320184df1eb4638e253a34b1eb44ce78954094]
		8	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		9	---
		10	include/spdlog/pattern_formatter-inl.h \| 5 ++++-
		11	1 file changed, 4 insertions(+), 1 deletion(-)
		12
		13	diff --git a/include/spdlog/pattern_formatter-inl.h b/include/spdlog/pattern_formatter-inl.h
		14	index b53d8051..fd408ed5 100644
		15	--- a/include/spdlog/pattern_formatter-inl.h
		16	+++ b/include/spdlog/pattern_formatter-inl.h
		17	@@ -76,6 +76,9 @@ public:
		18	else if (padinfo_.truncate_)
		19	{
		20	long new_size = static_cast<long>(dest_.size()) + remaining_pad_;
		21	+ if (new_size < 0) {
		22	+ new_size = 0;
		23	+ }
		24	dest_.resize(static_cast<size_t>(new_size));
		25	}
		26	}
		27	@@ -303,7 +306,7 @@ public:
		28
		29	void format(const details::log_msg &, const std::tm &tm_time, memory_buf_t &dest) override
		30	{
		31	- const size_t field_size = 10;
		32	+ const size_t field_size = 8;
		33	ScopedPadder p(field_size, padinfo_, dest);
		34
		35	fmt_helper::pad2(tm_time.tm_mon + 1, dest);


diff --git a/meta-oe/recipes-support/spdlog/spdlog_1.9.2.bb b/meta-oe/recipes-support/spdlog/spdlog_1.9.2.bb index 6362fc7a4b..4110ba8a11 100644 --- a/meta-oe/recipes-support/spdlog/spdlog_1.9.2.bb +++ b/meta-oe/recipes-support/spdlog/spdlog_1.9.2.bb
@@ -5,7 +5,9 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/MIT;md5=0835ad
5		5
6	SRCREV = "eb3220622e73a4889eee355ffa37972b3cac3df5"	6	SRCREV = "eb3220622e73a4889eee355ffa37972b3cac3df5"
7	SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x; \	7	SRC_URI = "git://github.com/gabime/spdlog.git;protocol=https;branch=v1.x; \
8	file://0001-Enable-use-of-external-fmt-library.patch"	8	file://0001-Enable-use-of-external-fmt-library.patch \
		9	file://CVE-2025-6140.patch \
		10	"
9		11
10	DEPENDS += "fmt"	12	DEPENDS += "fmt"
11		13