[Buildroot] [git commit branch/2024.02.x] package/augeas: add upstream security fix for CVE-2025-2588

Thomas Perale thomas.perale at mind.be
Wed Apr 16 08:52:15 UTC 2025


commit: https://git.buildroot.net/buildroot/commit/?id=9ea9fd72c28e3275e95adb1fc9da756023d7ff92
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2024.02.x

Fixes the following security issue:

- CVE-2025-2588: This vulnerability affects the function
    re_case_expand in the file src/fa.c. Manipulating the
    argument re leads to a NULL pointer dereference.

For more information, see:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-2588
  - https://github.com/hercules-team/augeas/commit/af2aa88ab37fc48167d8c5e43b1770a4ba2ff403

Signed-off-by: Thomas Perale <thomas.perale at mind.be>
[Julien: add patch name in comment near _IGNORE_CVES]
Signed-off-by: Julien Olivain <ju.o at free.fr>
(cherry picked from commit c497e5fcc7b5d6b0877ba0dc557c604dcd194260)
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
 ...fic-error-was-set-yet-parse_regexp-failed.patch | 77 ++++++++++++++++++++++
 package/augeas/augeas.mk                           |  3 +
 2 files changed, 80 insertions(+)

diff --git a/package/augeas/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-error-was-set-yet-parse_regexp-failed.patch b/package/augeas/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-error-was-set-yet-parse_regexp-failed.patch
new file mode 100644
index 0000000000..0716211387
--- /dev/null
+++ b/package/augeas/0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-error-was-set-yet-parse_regexp-failed.patch
@@ -0,0 +1,77 @@
+From af2aa88ab37fc48167d8c5e43b1770a4ba2ff403 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abbra at users.noreply.github.com>
+Date: Sun, 30 Mar 2025 12:27:04 +0300
+Subject: [PATCH] CVE-2025-2588: return _REG_ENOSYS if no specific error was
+ set yet parse_regexp failed (#854)
+
+parse_regexp() supposed to set an error on the parser state in case of a
+failure. If no specific error was set, return _REG_ENOSYS to indicate a
+generic failure.
+
+Fixes: https://github.com/hercules-team/augeas/issues/671
+Fixes: https://github.com/hercules-team/augeas/issues/778
+Fixes: https://github.com/hercules-team/augeas/issues/852
+
+Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
+
+Upstream: https://github.com/hercules-team/augeas/commit/af2aa88ab37fc48167d8c5e43b1770a4ba2ff403
+CVE: CVE-2025-2588
+Signed-off-by: Thomas Perale <thomas.perale at mind.be>
+
+---
+ src/fa.c       | 2 ++
+ src/fa.h       | 3 ++-
+ tests/fatest.c | 6 ++++++
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/fa.c b/src/fa.c
+index 66ac70784..4de5675b9 100644
+--- a/src/fa.c
++++ b/src/fa.c
+@@ -3550,6 +3550,8 @@ static struct re *parse_regexp(struct re_parse *parse) {
+     return re;
+ 
+  error:
++    if (re == NULL && parse->error == REG_NOERROR)
++        parse->error = _REG_ENOSYS;
+     re_unref(re);
+     return NULL;
+ }
+diff --git a/src/fa.h b/src/fa.h
+index 1fd754ad0..89c9b17e9 100644
+--- a/src/fa.h
++++ b/src/fa.h
+@@ -81,7 +81,8 @@ extern int fa_minimization_algorithm;
+  *
+  * On success, FA points to the newly allocated automaton constructed for
+  * RE, and the function returns REG_NOERROR. Otherwise, FA is NULL, and the
+- * return value indicates the error.
++ * return value indicates the error. Special value _REG_ENOSYS indicates
++ * fa_compile() couldn't identify the syntax issue with regexp.
+  *
+  * The FA is case sensitive. Call FA_NOCASE to switch it to
+  * case-insensitive.
+diff --git a/tests/fatest.c b/tests/fatest.c
+index 0c9ca7696..6717af8f4 100644
+--- a/tests/fatest.c
++++ b/tests/fatest.c
+@@ -589,6 +589,7 @@ static void testExpandNoCase(CuTest *tc) {
+     const char *p1 = "aB";
+     const char *p2 = "[a-cUV]";
+     const char *p3 = "[^a-z]";
++    const char *wrong_regexp = "{&.{";
+     char *s;
+     size_t len;
+     int r;
+@@ -607,6 +608,11 @@ static void testExpandNoCase(CuTest *tc) {
+     CuAssertIntEquals(tc, 0, r);
+     CuAssertStrEquals(tc, "[^A-Za-z]", s);
+     free(s);
++
++    /* Test that fa_expand_nocase does return _REG_ENOSYS */
++    r = fa_expand_nocase(wrong_regexp, strlen(wrong_regexp), &s, &len);
++    CuAssertIntEquals(tc, _REG_ENOSYS, r);
++    free(s);
+ }
+ 
+ static void testNoCaseComplement(CuTest *tc) {
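Review bot: In the nested src/fa.c hunk, the new guard at the `error:` label sets the fallback error only when `re == NULL`, so any path that reaches the label with a non-NULL `re` while `parse->error` is still `REG_NOERROR` would keep returning NULL with no error code, which is the state this fix is meant to rule out. Every path through `error:` returns NULL, so `if (parse->error == REG_NOERROR) parse->error = _REG_ENOSYS;` would cover them all. Whether such a path exists cannot be confirmed here, because the body of parse_regexp starts outside the hunk. In the tests/fatest.c hunk, the `free(s)` after the failing call is safe only if fa_expand_nocase resets `*s` to NULL on failure, since `s` was already freed a few lines earlier. Adding `s = NULL;` before the call would make the test independent of that behaviour.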
diff --git a/package/augeas/augeas.mk b/package/augeas/augeas.mk
index a0bc294565..3c6e499311 100644
--- a/package/augeas/augeas.mk
+++ b/package/augeas/augeas.mk
@@ -14,6 +14,9 @@ AUGEAS_DEPENDENCIES = host-pkgconf readline libxml2
 
 AUGEAS_CONF_OPTS = --disable-gnulib-tests
 
+# 0001-CVE-2025-2588-return-_REG_ENOSYS-if-no-specific-error-was-set-yet-parse_regexp-failed.patch
+AUGEAS_IGNORE_CVES += CVE-2025-2588
+
 # Remove the test lenses which occupy about 1.4 MB on the target
 define AUGEAS_REMOVE_TEST_LENSES
 	rm -rf $(TARGET_DIR)/usr/share/augeas/lenses/dist/tests

