[Buildroot] [PATCH 1/1] package/augeas: add upstream security fix

Arnout Vandecappelle arnout at rnout.be
Wed Apr 16 21:35:01 UTC 2025 

On 10/04/2025 22:18, Thomas Perale via buildroot wrote:
> Fixes the following security issue:
>
> - CVE-2025-2588: This vulnerability affects the function
>      re_case_expand of the file src/fa.c. The manipulation of the
>      argument re leads to null pointer dereference
>
> For more information, see:
>    - https://nvd.nist.gov/vuln/detail/CVE-2025-2588
>    - https://github.com/hercules-team/augeas/commit/af2aa88ab37fc48167d8c5e43b1770a4ba2ff403
>
> Signed-off-by: Thomas Perale <thomas.perale at mind.be>

  Applied to 2025.02.x, 2024.11.x and 2024.02.x, thanks. But I guess you knew 
that already since you're the one who did it :-)

  Regards,
  Arnout

> ---
>   ...rror-was-set-yet-parse_regexp-failed.patch | 77 +++++++++++++++++++
>   package/augeas/augeas.mk                      |  2 +
>   2 files changed, 79 insertions(+)
>   create mode 100644 package/augeas/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-error-was-set-yet-parse_regexp-failed.patch
>
> diff --git a/package/augeas/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-error-was-set-yet-parse_regexp-failed.patch b/package/augeas/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-error-was-set-yet-parse_regexp-failed.patch
> new file mode 100644
> index 0000000000..0716211387
> --- /dev/null
> +++ b/package/augeas/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-error-was-set-yet-parse_regexp-failed.patch
> @@ -0,0 +1,77 @@
> +From af2aa88ab37fc48167d8c5e43b1770a4ba2ff403 Mon Sep 17 00:00:00 2001
> +From: Alexander Bokovoy <abbra at users.noreply.github.com>
> +Date: Sun, 30 Mar 2025 12:27:04 +0300
> +Subject: [PATCH] CVE-2025-2588: return _REG_ENOSYS if no specific error was
> + set yet parse_regexp failed (#854)
> +
> +parse_regexp() supposed to set an error on the parser state in case of a
> +failure. If no specific error was set, return _REG_ENOSYS to indicate a
> +generic failure.
> +
> +Fixes: https://github.com/hercules-team/augeas/issues/671
> +Fixes: https://github.com/hercules-team/augeas/issues/778
> +Fixes: https://github.com/hercules-team/augeas/issues/852
> +
> +Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
> +
> +Upstream: https://github.com/hercules-team/augeas/commit/af2aa88ab37fc48167d8c5e43b1770a4ba2ff403
> +CVE: CVE-2025-2588
> +Signed-off-by: Thomas Perale <thomas.perale at mind.be>
> +
> +---
> + src/fa.c       | 2 ++
> + src/fa.h       | 3 ++-
> + tests/fatest.c | 6 ++++++
> + 3 files changed, 10 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/fa.c b/src/fa.c
> +index 66ac70784..4de5675b9 100644
> +--- a/src/fa.c
> ++++ b/src/fa.c
> +@@ -3550,6 +3550,8 @@ static struct re *parse_regexp(struct re_parse *parse) {
> +     return re;
> +
> +  error:
> ++    if (re == NULL && parse->error == REG_NOERROR)
> ++        parse->error = _REG_ENOSYS;
> +     re_unref(re);
> +     return NULL;
> + }
> +diff --git a/src/fa.h b/src/fa.h
> +index 1fd754ad0..89c9b17e9 100644
> +--- a/src/fa.h
> ++++ b/src/fa.h
> +@@ -81,7 +81,8 @@ extern int fa_minimization_algorithm;
> +  *
> +  * On success, FA points to the newly allocated automaton constructed for
> +  * RE, and the function returns REG_NOERROR. Otherwise, FA is NULL, and the
> +- * return value indicates the error.
> ++ * return value indicates the error. Special value _REG_ENOSYS indicates
> ++ * fa_compile() couldn't identify the syntax issue with regexp.
> +  *
> +  * The FA is case sensitive. Call FA_NOCASE to switch it to
> +  * case-insensitive.
> +diff --git a/tests/fatest.c b/tests/fatest.c
> +index 0c9ca7696..6717af8f4 100644
> +--- a/tests/fatest.c
> ++++ b/tests/fatest.c
> +@@ -589,6 +589,7 @@ static void testExpandNoCase(CuTest *tc) {
> +     const char *p1 = "aB";
> +     const char *p2 = "[a-cUV]";
> +     const char *p3 = "[^a-z]";
> ++    const char *wrong_regexp = "{&.{";
> +     char *s;
> +     size_t len;
> +     int r;
> +@@ -607,6 +608,11 @@ static void testExpandNoCase(CuTest *tc) {
> +     CuAssertIntEquals(tc, 0, r);
> +     CuAssertStrEquals(tc, "[^A-Za-z]", s);
> +     free(s);
> ++
> ++    /* Test that fa_expand_nocase does return _REG_ENOSYS */
> ++    r = fa_expand_nocase(wrong_regexp, strlen(wrong_regexp), &s, &len);
> ++    CuAssertIntEquals(tc, _REG_ENOSYS, r);
> ++    free(s);
> + }
> +
> + static void testNoCaseComplement(CuTest *tc) {
> diff --git a/package/augeas/augeas.mk b/package/augeas/augeas.mk
> index ac4bc7d0be..88e96a91bc 100644
> --- a/package/augeas/augeas.mk
> +++ b/package/augeas/augeas.mk
> @@ -14,6 +14,8 @@ AUGEAS_DEPENDENCIES = host-pkgconf readline libxml2
>   
>   AUGEAS_CONF_OPTS = --disable-gnulib-tests
>   
> +AUGEAS_IGNORE_CVES += CVE-2025-2588
> +
>   # Remove the test lenses which occupy about 1.4 MB on the target
>   define AUGEAS_REMOVE_TEST_LENSES
>   	rm -rf $(TARGET_DIR)/usr/share/augeas/lenses/dist/tests

More information about the buildroot mailing list