3 files changed, 124 insertions, 0 deletions
diff --git a/meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-01.patch b/meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-01.patch
new file mode 100644
index 0000000000..0d55512497
--- /dev/null
+++ b/meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-01.patch
@@ -0,0 +1,91 @@
+From 7a8f42fb20013a1493d8cae1c43436f85e656f2d Mon Sep 17 00:00:00 2001
+From: Zephkeks <zephyrofficialdiscord@gmail.com>
+Date: Tue, 13 May 2025 11:04:17 +0200
+Subject: [PATCH] CVE-2025-46836: interface.c: Stack-based Buffer Overflow in
+ get_name()
+Coordinated as GHSA-pfwf-h6m3-63wf
+CVE: CVE-2025-46836
+Upstream-Status: Backport [https://sourceforge.net/p/net-tools/code/ci/7a8f42fb20013a1493d8cae1c43436f85e656f2d/]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/interface.c | 63 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 39 insertions(+), 24 deletions(-)
+diff --git a/lib/interface.c b/lib/interface.c
+index 71d4163..a054f12 100644
+--- a/lib/interface.c
+++ b/lib/interface.c
+@@ -211,32 +211,47 @@ out:
+ }
+ 
+ static const char *get_name(char *name, const char *p)
+/* Safe version — guarantees at most IFNAMSIZ‑1 bytes are copied
+   and the destination buffer is always NUL‑terminated.             */
+ {
+-    while (isspace(*p))
+-       p++;
+-    while (*p) {
+-       if (isspace(*p))
+-           break;
+-       if (*p == ':') {        /* could be an alias */
+-               const char *dot = p++;
+-               while (*p && isdigit(*p)) p++;
+-               if (*p == ':') {
+-                       /* Yes it is, backup and copy it. */
+-                       p = dot;
+-                       *name++ = *p++;
+-                       while (*p && isdigit(*p)) {
+-                               *name++ = *p++;
+-                       }
+-               } else {
+-                       /* No, it isn't */
+-                       p = dot;
+-           }
+-           p++;
+-           break;
+-       }
+-       *name++ = *p++;
+    char       *dst = name;                 /* current write ptr          */
+    const char *end = name + IFNAMSIZ - 1;  /* last byte we may write     */
+
+    /* Skip leading white‑space. */
+    while (isspace((unsigned char)*p))
+        ++p;
+
+    /* Copy until white‑space, end of string, or buffer full. */
+    while (*p && !isspace((unsigned char)*p) && dst < end) {
+        if (*p == ':') {                    /* possible alias veth0:123:  */
+            const char *dot = p;            /* remember the colon         */
+            ++p;
+            while (*p && isdigit((unsigned char)*p))
+                ++p;
+
+            if (*p == ':') {                /* confirmed alias            */
+                p = dot;                    /* rewind and copy it all     */
+
+                /* copy the colon */
+                if (dst < end)
+                    *dst++ = *p++;
+
+                /* copy the digits */
+                while (*p && isdigit((unsigned char)*p) && dst < end)
+                    *dst++ = *p++;
+
+                if (*p == ':')              /* consume trailing colon     */
+                    ++p;
+            } else {              /* if so treat as normal */
+                p = dot;
+            }
+            break;                          /* interface name ends here   */
+        }
+
+        *dst++ = *p++;                      /* ordinary character copy    */
+     }
+-    *name++ = '\0';
+
+    *dst = '\0';                            /* always NUL‑terminate       */
+     return p;
+ }
+ 
diff --git a/meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-02.patch b/meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-02.patch
new file mode 100644
index 0000000000..d2c3673a24
--- /dev/null
+++ b/meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-02.patch
@@ -0,0 +1,31 @@
+From ddb0e375fb9ca95bb69335540b85bbdaa2714348 Mon Sep 17 00:00:00 2001
+From: Bernd Eckenfels <net-tools@lina.inka.de>
+Date: Sat, 17 May 2025 21:53:23 +0200
+Subject: [PATCH] Interface statistic regression after 7a8f42fb2
+CVE: CVE-2025-46836
+Upstream-Status: Backport [https://sourceforge.net/p/net-tools/code/ci/ddb0e375fb9ca95bb69335540b85bbdaa2714348/]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/interface.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+diff --git a/lib/interface.c b/lib/interface.c
+index a054f12..ca4adf1 100644
+--- a/lib/interface.c
+++ b/lib/interface.c
+@@ -239,12 +239,11 @@ static const char *get_name(char *name, const char *p)
+                 /* copy the digits */
+                 while (*p && isdigit((unsigned char)*p) && dst < end)
+                     *dst++ = *p++;
+-
+-                if (*p == ':')              /* consume trailing colon     */
+-                    ++p;
+             } else {              /* if so treat as normal */
+                 p = dot;
+             }
+            if (*p == ':')                  /* consume trailing colon */
+                ++p;
+             break;                          /* interface name ends here   */
+         }
+ 
diff --git a/meta/recipes-extended/net-tools/net-tools_2.10.bb b/meta/recipes-extended/net-tools/net-tools_2.10.bb
index 7facc0cc8d..547079f4cf 100644
--- a/meta/recipes-extended/net-tools/net-tools_2.10.bb
+++ b/meta/recipes-extended/net-tools/net-tools_2.10.bb
@@ -11,6 +11,8 @@ SRC_URI = "git://git.code.sf.net/p/net-tools/code;protocol=https;branch=master \
    file://net-tools-config.h \
    file://net-tools-config.make \
    file://Add_missing_headers.patch \
+    file://CVE-2025-46836-01.patch \
+    file://CVE-2025-46836-02.patch \
 "
 S = "${WORKDIR}/git"

diff --git a/meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-01.patch b/meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-01.patch new file mode 100644 index 0000000000..0d55512497 --- /dev/null +++ b/meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-01.patch
@@ -0,0 +1,91 @@
		1	From 7a8f42fb20013a1493d8cae1c43436f85e656f2d Mon Sep 17 00:00:00 2001
		2	From: Zephkeks <zephyrofficialdiscord@gmail.com>
		3	Date: Tue, 13 May 2025 11:04:17 +0200
		4	Subject: [PATCH] CVE-2025-46836: interface.c: Stack-based Buffer Overflow in
		5	get_name()
		6
		7	Coordinated as GHSA-pfwf-h6m3-63wf
		8
		9	CVE: CVE-2025-46836
		10	Upstream-Status: Backport [https://sourceforge.net/p/net-tools/code/ci/7a8f42fb20013a1493d8cae1c43436f85e656f2d/]
		11	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		12	---
		13	lib/interface.c \| 63 ++++++++++++++++++++++++++++++-------------------
		14	1 file changed, 39 insertions(+), 24 deletions(-)
		15
		16	diff --git a/lib/interface.c b/lib/interface.c
		17	index 71d4163..a054f12 100644
		18	--- a/lib/interface.c
		19	+++ b/lib/interface.c
		20	@@ -211,32 +211,47 @@ out:
		21	}
		22
		23	static const char get_name(char name, const char *p)
		24	+/* Safe version — guarantees at most IFNAMSIZ‑1 bytes are copied
		25	+ and the destination buffer is always NUL‑terminated. */
		26	{
		27	- while (isspace(*p))
		28	- p++;
		29	- while (*p) {
		30	- if (isspace(*p))
		31	- break;
		32	- if (p == ':') { / could be an alias */
		33	- const char *dot = p++;
		34	- while (p && isdigit(p)) p++;
		35	- if (*p == ':') {
		36	- /* Yes it is, backup and copy it. */
		37	- p = dot;
		38	- name++ = p++;
		39	- while (p && isdigit(p)) {
		40	- name++ = p++;
		41	- }
		42	- } else {
		43	- /* No, it isn't */
		44	- p = dot;
		45	- }
		46	- p++;
		47	- break;
		48	- }
		49	- name++ = p++;
		50	+ char dst = name; / current write ptr */
		51	+ const char end = name + IFNAMSIZ - 1; / last byte we may write */
		52	+
		53	+ /* Skip leading white‑space. */
		54	+ while (isspace((unsigned char)*p))
		55	+ ++p;
		56	+
		57	+ /* Copy until white‑space, end of string, or buffer full. */
		58	+ while (p && !isspace((unsigned char)p) && dst < end) {
		59	+ if (p == ':') { / possible alias veth0:123: */
		60	+ const char dot = p; / remember the colon */
		61	+ ++p;
		62	+ while (p && isdigit((unsigned char)p))
		63	+ ++p;
		64	+
		65	+ if (p == ':') { / confirmed alias */
		66	+ p = dot; /* rewind and copy it all */
		67	+
		68	+ /* copy the colon */
		69	+ if (dst < end)
		70	+ dst++ = p++;
		71	+
		72	+ /* copy the digits */
		73	+ while (p && isdigit((unsigned char)p) && dst < end)
		74	+ dst++ = p++;
		75	+
		76	+ if (p == ':') / consume trailing colon */
		77	+ ++p;
		78	+ } else { /* if so treat as normal */
		79	+ p = dot;
		80	+ }
		81	+ break; /* interface name ends here */
		82	+ }
		83	+
		84	+ dst++ = p++; /* ordinary character copy */
		85	}
		86	- *name++ = '\0';
		87	+
		88	+ dst = '\0'; / always NUL‑terminate */
		89	return p;
		90	}
		91


diff --git a/meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-02.patch b/meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-02.patch new file mode 100644 index 0000000000..d2c3673a24 --- /dev/null +++ b/meta/recipes-extended/net-tools/net-tools/CVE-2025-46836-02.patch
@@ -0,0 +1,31 @@
		1	From ddb0e375fb9ca95bb69335540b85bbdaa2714348 Mon Sep 17 00:00:00 2001
		2	From: Bernd Eckenfels <net-tools@lina.inka.de>
		3	Date: Sat, 17 May 2025 21:53:23 +0200
		4	Subject: [PATCH] Interface statistic regression after 7a8f42fb2
		5
		6	CVE: CVE-2025-46836
		7	Upstream-Status: Backport [https://sourceforge.net/p/net-tools/code/ci/ddb0e375fb9ca95bb69335540b85bbdaa2714348/]
		8	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		9	---
		10	lib/interface.c \| 5 ++---
		11	1 file changed, 2 insertions(+), 3 deletions(-)
		12
		13	diff --git a/lib/interface.c b/lib/interface.c
		14	index a054f12..ca4adf1 100644
		15	--- a/lib/interface.c
		16	+++ b/lib/interface.c
		17	@@ -239,12 +239,11 @@ static const char get_name(char name, const char *p)
		18	/* copy the digits */
		19	while (p && isdigit((unsigned char)p) && dst < end)
		20	dst++ = p++;
		21	-
		22	- if (p == ':') / consume trailing colon */
		23	- ++p;
		24	} else { /* if so treat as normal */
		25	p = dot;
		26	}
		27	+ if (p == ':') / consume trailing colon */
		28	+ ++p;
		29	break; /* interface name ends here */
		30	}
		31


diff --git a/meta/recipes-extended/net-tools/net-tools_2.10.bb b/meta/recipes-extended/net-tools/net-tools_2.10.bb index 7facc0cc8d..547079f4cf 100644 --- a/meta/recipes-extended/net-tools/net-tools_2.10.bb +++ b/meta/recipes-extended/net-tools/net-tools_2.10.bb
@@ -11,6 +11,8 @@ SRC_URI = "git://git.code.sf.net/p/net-tools/code;protocol=https;branch=master \
11	file://net-tools-config.h \	11	file://net-tools-config.h \
12	file://net-tools-config.make \	12	file://net-tools-config.make \
13	file://Add_missing_headers.patch \	13	file://Add_missing_headers.patch \
		14	file://CVE-2025-46836-01.patch \
		15	file://CVE-2025-46836-02.patch \
14	"	16	"
15		17
16	S = "${WORKDIR}/git"	18	S = "${WORKDIR}/git"