Wind River Support Network

Recommended Type: Patch

Wind River Hot Patch Notice: Hot fix for all Wind River Linux products

Released: Jan 17, 2025     Updated: Jan 21, 2025

Description

Hot patches to fix the following rsync CVEs:

  • CVE-2024-12084 - Vulnerability #1 - Heap Buffer Overflow in Checksum Parsing
  • CVE-2024-12085 - Vulnerability #2 - Info Leak via uninitialized Stack contents defeats ASLR
  • CVE-2024-12086 - Vulnerability #3 - Server leaks arbitrary client files
  • CVE-2024-12087 - Vulnerability #4 - Server can make client write files outside of destination directory using symbolic links
  • CVE-2024-12088 - Vulnerability #5 - --safe-links Bypass
  • CVE-2024-12747 - Vulnerability #6 - Race condition

Hot patches

  • Wind River Linux LTS24 RCPL5: 6 patches for oe-core layer
  • Wind River Linux LTS23 RCPL15: 6 patches for oe-core layer
  • Wind River Linux LTS22 RCPL20: 8 patches for the oe-core layer and 1 patch for the oe-core-dl-4.0.2 layer
  • Wind River Linux LTS21 RCPL25: 6 patches for oe-core layer
  • Wind River Linux LTS19 RCPL32: 4 patches for oe-core layer

Changelog

  • 01/17/2025: Initial


Product Version

Wind River Linux LTS 24, Wind River Linux LTS 23, Wind River Linux LTS 22, Wind River Linux LTS 21, Wind River Linux LTS 19

Downloads


Installation Notes

    • LTS24 RCPL5

    CVEs: CVE-2024-12084 CVE-2024-12085 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747
    $ cd layers/oe-core
    $ tar xzvf /path/to/oe-core-lts24-rcpl5.tar.gz
    $ git am oe-core-lts24-rcpl5/00*.patch
    $ rm -fr oe-core-lts24-rcpl5/

    • LTS23 RCPL15

    CVEs: CVE-2024-12084 CVE-2024-12085 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747
    $ cd layers/oe-core
    $ tar xzvf /path/to/oe-core-lts23-rcpl15.tar.gz
    $ git am oe-core-lts23-rcpl15/00*.patch
    $ rm -fr oe-core-lts23-rcpl15/


    • LTS22 RCPL20

    CVEs: CVE-2024-12084 CVE-2024-12085 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747
    $ cd layers/oe-core
    $ tar xzvf /path/to/oe-core-lts22-rcpl20.tar.gz
    $ git am oe-core-lts22-rcpl20/00*.patch
    $ rm -fr oe-core-lts22-rcpl20/
    $ cd ../oe-core-dl-4.0.2
    $ git am 0001-add-rsync-3.2.7.tar.gz-for-rsync-3.2.7.bb.patch
    $ rm -f 0001-add-rsync-3.2.7.tar.gz-for-rsync-3.2.7.bb.patch


    • LTS21 RCPL25

    CVEs: CVE-2024-12084 CVE-2024-12085 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747
    $ cd layers/oe-core
    $ tar xzvf /path/to/oe-core-lts21-rcpl25.tar.gz
    $ git am oe-core-lts21-rcpl25/00*.patch
    $ rm -fr oe-core-lts21-rcpl25/


    • LTS19 RCPL32

    CVEs: CVE-2024-12085 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747
    $ cd layers/oe-core
    $ tar xzvf /path/to/oe-core-lts19-rcpl32-rsync.tar.gz
    $ git am oe-core-lts19-rcpl32-rsync/00*.patch
    $ rm -fr oe-core-lts19-rcpl32-rsync/


    • Apply to a local product mirror

    Applying these patches to a local product mirror makes them take effect for all subsequent projects, so you don't have to apply them to each project individually.
    LTS24 is used as the example here; other products are similar.
    $ cd /path/to/local-mirror/WRLinux-lts-24-Core/
    $ git clone --branch WRLINUX_10_24_LTS oe-core.git oe-core-clone
    $ cd oe-core-clone
    $ tar xzvf /path/to/oe-core-lts24-rcpl5.tar.gz
    $ git am oe-core-lts24-rcpl5/00*.patch
    $ git push
    $ cd ../; rm -fr oe-core-clone oe-core-lts24-rcpl5


