From ac184d5f50bcb213ebcd2da1cfa3a0c680066d53 Mon Sep 17 00:00:00 2001 From: Alex Kiernan Date: Sat, 14 Jun 2025 09:26:34 +0000 Subject: [PATCH] libcoap: Upgrade 4.3.4 -> 4.3.5 Drop backport of CVE-2024-0962. Change summary for version 4.3.5: * Support for wolfSSL TLS library. * Support for DTLS1.3 (using wolfSSL). * Support for Mbed TLS 3.6.0. * Support for EC-JPAKE (Mbed TLS) * TinyDTLS version update. * Support for RIOT using SOCK i/f. * Support for LwIP 2.2.0. * Support for LwIP using NO_SYS set to 0. * Support for (Posix based) Zephyr. * Support for QNX builds. * Support for ESP32 xtensa builds. * Updated Contiki-NG support. * Support for multi-thread safe libcoap usage. * Support for defining binary PSK for coap-client and coap-server. * Support for Connection-ID (CID) (Mbed TLS, wolfSSL and TinyDTLS). * Added new define types for defining PKI parameters. * Support for user definable ENGINE for OpenSSL. * Support for using noTLS and TinyDTLS with WebSockets. * Support for providing list of compilation #defines. * Support for proxy code running within lbcoap. * Cleaned up support for building .h files. * Additional scan-build and pre-commit checks in build tests. * Updated CI build tests to use latest action versions. * Fixes CVE-2023-35862. * Reported bugs fixed. * Documentation added and updated (Doxygen and man). License-Update: Updated years Signed-off-by: Alex Kiernan Signed-off-by: Khem Raj --- .../libcoap/libcoap/CVE-2024-0962.patch | 45 ------------------- .../{libcoap_4.3.4.bb => libcoap_4.3.5.bb} | 5 +-- 2 files changed, 2 insertions(+), 48 deletions(-) delete mode 100644 meta-networking/recipes-devtools/libcoap/libcoap/CVE-2024-0962.patch rename meta-networking/recipes-devtools/libcoap/{libcoap_4.3.4.bb => libcoap_4.3.5.bb} (92%) diff --git a/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2024-0962.patch b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2024-0962.patch deleted file mode 100644 index add52483b7..0000000000 --- a/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2024-0962.patch +++ /dev/null @@ -1,45 +0,0 @@ -From bf6a303883bde40cf96b960c8574cddd89e71701 Mon Sep 17 00:00:00 2001 -From: Jon Shallow -Date: Thu, 25 Jan 2024 18:03:17 +0000 -Subject: [PATCH] coap_oscore.c: Fix parsing OSCORE configuration information - -A vulnerability was found in obgm libcoap 4.3.4. It has been rated as critical. -Affected by this issue is the function get_split_entry of the file src/coap_oscore.c of the component Configuration File Handler. -The manipulation leads to stack-based buffer overflow. - -CVE: CVE-2024-0962 - -Upstream-Status: Backport [https://github.com/obgm/libcoap/pull/1311] - -Signed-off-by: alperak ---- - src/coap_oscore.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/coap_oscore.c b/src/coap_oscore.c -index 83f785c92..e0fb22947 100644 ---- a/src/coap_oscore.c -+++ b/src/coap_oscore.c -@@ -1678,11 +1678,12 @@ get_split_entry(const char **start, - oscore_value_t *value) { - const char *begin = *start; - const char *end; -+ const char *kend; - const char *split; - size_t i; - - retry: -- end = memchr(begin, '\n', size); -+ kend = end = memchr(begin, '\n', size); - if (end == NULL) - return 0; - -@@ -1693,7 +1694,7 @@ get_split_entry(const char **start, - - if (begin[0] == '#' || (end - begin) == 0) { - /* Skip comment / blank line */ -- size -= end - begin + 1; -+ size -= kend - begin + 1; - begin = *start; - goto retry; - } diff --git a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.5.bb similarity index 92% rename from meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb rename to meta-networking/recipes-devtools/libcoap/libcoap_4.3.5.bb index 604fec8072..9e88b1af46 100644 --- a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb +++ b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.5.bb @@ -5,13 +5,12 @@ RF range, memory, bandwith, or network packet sizes." HOMEPAGE = "https://libcoap.net/" LICENSE = "BSD-2-Clause & BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=1978dbc41673ab1c20e64b287c8317bc" +LIC_FILES_CHKSUM = "file://LICENSE;md5=9aa68c0f6785376aa8ec7f4f1aa6ae3c" SRC_URI = "git://github.com/obgm/libcoap.git;branch=main;protocol=https \ file://run-ptest \ - file://CVE-2024-0962.patch \ " -SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615" +SRCREV = "7cf7465b784baded4de183290c547d582becfd28" S = "${WORKDIR}/git"