mbedtls: fix CVE-2025-47917

CVE-2025-47917 is that the function mbedtls_x509_string_to_names() takes a head argument and performs a deep free() on it. Backport patch to fix CVE-2025-47917 and drop the modification in doc file and comment in header file which lack of context. Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Kai Kang <kai.kang@windriver.com> 2025-12-16 10:57:44 +0800
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-12-16 08:39:06 +0100
commit: b1e0fadb72fd8b5d2ce3161becbe0062057cf5f4 (patch)
tree: 1450d48ba11f32c2d596dd41a8875d3494d00b78
parent: cdd9a07823b47a12943e6db0528790fe5eca2051 (diff)
download: meta-openembedded-b1e0fadb72fd8b5d2ce3161becbe0062057cf5f4.tar.gz
2 files changed, 55 insertions, 1 deletions
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch
new file mode 100644
index 0000000000..75c4829191
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch
@@ -0,0 +1,52 @@
+From 19d2c9165a13decf754177adda2bf59fd0e32aa1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
+ <manuel.pegourie-gonnard@arm.com>
+Date: Mon, 5 May 2025 16:41:52 +0200
+Subject: [PATCH] Fix undocumented free() in x509_string_to_names()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Now programs/x509/cert_write san="DN:CN=#0000;DN:CN=#0000" is no longer
+crashing with use-after-free, instead it's now failing cleanly:
+ failed
+  !  mbedtls_x509_string_to_names returned -0x2800 - X509 - Input invalid
+That's better of course but still not great, will be fixed by future
+commits.
+Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
+CVE: CVE-2025-47917
+Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/43a1e73]
+Backport patch to fix CVE-2025-47917 and drop the modification in doc
+file and comment in header file which lack of context.
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ library/x509_create.c                          |  8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+ create mode 100644 ChangeLog.d/fix-string-to-names-memory-management.txt
+diff --git a/library/x509_create.c b/library/x509_create.c
+index 839b5df226..420e36b81b 100644
+--- a/library/x509_create.c
+++ b/library/x509_create.c
+@@ -122,8 +122,12 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
+     char data[MBEDTLS_X509_MAX_DN_NAME_SIZE];
+     char *d = data;
+ 
+-    /* Clear existing chain if present */
+-    mbedtls_asn1_free_named_data_list(head);
+    /* Ensure the output parameter is not already populated.
+     * (If it were, overwriting it would likely cause a memory leak.)
+     */
+    if (*head != NULL) {
+        return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+    }
+ 
+     while (c <= end) {
+         if (in_tag && *c == '=') {
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb
index f62e93a930..a323607367 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb
@@ -24,7 +24,9 @@ SECTION = "libs"
 S = "${WORKDIR}/git"
 SRCREV = "2fc8413bfcb51354c8e679141b17b3f1a5942561"
-SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=archive/mbedtls-2.28"
+SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=archive/mbedtls-2.28 \
+           file://CVE-2025-47917.patch \
+           "
 inherit cmake update-alternatives
author	Kai Kang <kai.kang@windriver.com>	2025-12-16 10:57:44 +0800
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-12-16 08:39:06 +0100
commit	b1e0fadb72fd8b5d2ce3161becbe0062057cf5f4 (patch)
tree	1450d48ba11f32c2d596dd41a8875d3494d00b78
parent	cdd9a07823b47a12943e6db0528790fe5eca2051 (diff)
download	meta-openembedded-b1e0fadb72fd8b5d2ce3161becbe0062057cf5f4.tar.gz

diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch new file mode 100644 index 0000000000..75c4829191 --- /dev/null +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch
@@ -0,0 +1,52 @@
		1	From 19d2c9165a13decf754177adda2bf59fd0e32aa1 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
		3	<manuel.pegourie-gonnard@arm.com>
		4	Date: Mon, 5 May 2025 16:41:52 +0200
		5	Subject: [PATCH] Fix undocumented free() in x509_string_to_names()
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	Now programs/x509/cert_write san="DN:CN=#0000;DN:CN=#0000" is no longer
		11	crashing with use-after-free, instead it's now failing cleanly:
		12
		13	failed
		14	! mbedtls_x509_string_to_names returned -0x2800 - X509 - Input invalid
		15
		16	That's better of course but still not great, will be fixed by future
		17	commits.
		18
		19	Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
		20
		21	CVE: CVE-2025-47917
		22
		23	Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/43a1e73]
		24
		25	Backport patch to fix CVE-2025-47917 and drop the modification in doc
		26	file and comment in header file which lack of context.
		27
		28	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		29	---
		30	library/x509_create.c \| 8 ++++++--
		31	1 files changed, 6 insertions(+), 2 deletions(-)
		32	create mode 100644 ChangeLog.d/fix-string-to-names-memory-management.txt
		33
		34	diff --git a/library/x509_create.c b/library/x509_create.c
		35	index 839b5df226..420e36b81b 100644
		36	--- a/library/x509_create.c
		37	+++ b/library/x509_create.c
		38	@@ -122,8 +122,12 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data *head, const char nam
		39	char data[MBEDTLS_X509_MAX_DN_NAME_SIZE];
		40	char *d = data;
		41
		42	- /* Clear existing chain if present */
		43	- mbedtls_asn1_free_named_data_list(head);
		44	+ /* Ensure the output parameter is not already populated.
		45	+ * (If it were, overwriting it would likely cause a memory leak.)
		46	+ */
		47	+ if (*head != NULL) {
		48	+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
		49	+ }
		50
		51	while (c <= end) {
		52	if (in_tag && *c == '=') {


diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb index f62e93a930..a323607367 100644 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb
@@ -24,7 +24,9 @@ SECTION = "libs"
24		24
25	S = "${WORKDIR}/git"	25	S = "${WORKDIR}/git"
26	SRCREV = "2fc8413bfcb51354c8e679141b17b3f1a5942561"	26	SRCREV = "2fc8413bfcb51354c8e679141b17b3f1a5942561"
27	SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=archive/mbedtls-2.28"	27	SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=archive/mbedtls-2.28 \
		28	file://CVE-2025-47917.patch \
		29	"
28		30
29	inherit cmake update-alternatives	31	inherit cmake update-alternatives
30		32