diff options
| author | Kai Kang <kai.kang@windriver.com> | 2025-12-15 02:04:46 +0800 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2025-12-17 11:45:16 +0530 |
| commit | 1fea09e692e92fe96ac78067c666d4e387751523 (patch) | |
| tree | 85d9644316494065835e1975f57dcf6e11a57262 /meta-networking/recipes-connectivity | |
| parent | b4812b18eec77e9f0286bd6b81a5c3032ac0d3be (diff) | |
| download | meta-openembedded-1fea09e692e92fe96ac78067c666d4e387751523.tar.gz | |
mbedtls: fix CVE-2025-47917
CVE-2025-47917 is that the function mbedtls_x509_string_to_names() takes
a head argument and performs a deep free() on it.
Backport patch to fix CVE-2025-47917 and drop the modification in doc
file and comment in header file which lack of context.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-networking/recipes-connectivity')
| -rw-r--r-- | meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch | 52 | ||||
| -rw-r--r-- | meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb | 1 |
2 files changed, 53 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch new file mode 100644 index 0000000000..75c4829191 --- /dev/null +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch | |||
| @@ -0,0 +1,52 @@ | |||
| 1 | From 19d2c9165a13decf754177adda2bf59fd0e32aa1 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= | ||
| 3 | <manuel.pegourie-gonnard@arm.com> | ||
| 4 | Date: Mon, 5 May 2025 16:41:52 +0200 | ||
| 5 | Subject: [PATCH] Fix undocumented free() in x509_string_to_names() | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | Now programs/x509/cert_write san="DN:CN=#0000;DN:CN=#0000" is no longer | ||
| 11 | crashing with use-after-free, instead it's now failing cleanly: | ||
| 12 | |||
| 13 | failed | ||
| 14 | ! mbedtls_x509_string_to_names returned -0x2800 - X509 - Input invalid | ||
| 15 | |||
| 16 | That's better of course but still not great, will be fixed by future | ||
| 17 | commits. | ||
| 18 | |||
| 19 | Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> | ||
| 20 | |||
| 21 | CVE: CVE-2025-47917 | ||
| 22 | |||
| 23 | Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/43a1e73] | ||
| 24 | |||
| 25 | Backport patch to fix CVE-2025-47917 and drop the modification in doc | ||
| 26 | file and comment in header file which lack of context. | ||
| 27 | |||
| 28 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
| 29 | --- | ||
| 30 | library/x509_create.c | 8 ++++++-- | ||
| 31 | 1 files changed, 6 insertions(+), 2 deletions(-) | ||
| 32 | create mode 100644 ChangeLog.d/fix-string-to-names-memory-management.txt | ||
| 33 | |||
| 34 | diff --git a/library/x509_create.c b/library/x509_create.c | ||
| 35 | index 839b5df226..420e36b81b 100644 | ||
| 36 | --- a/library/x509_create.c | ||
| 37 | +++ b/library/x509_create.c | ||
| 38 | @@ -122,8 +122,12 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam | ||
| 39 | char data[MBEDTLS_X509_MAX_DN_NAME_SIZE]; | ||
| 40 | char *d = data; | ||
| 41 | |||
| 42 | - /* Clear existing chain if present */ | ||
| 43 | - mbedtls_asn1_free_named_data_list(head); | ||
| 44 | + /* Ensure the output parameter is not already populated. | ||
| 45 | + * (If it were, overwriting it would likely cause a memory leak.) | ||
| 46 | + */ | ||
| 47 | + if (*head != NULL) { | ||
| 48 | + return MBEDTLS_ERR_X509_BAD_INPUT_DATA; | ||
| 49 | + } | ||
| 50 | |||
| 51 | while (c <= end) { | ||
| 52 | if (in_tag && *c == '=') { | ||
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb index 62e6c90f63..53462953ef 100644 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb | |||
| @@ -26,6 +26,7 @@ S = "${WORKDIR}/git" | |||
| 26 | SRCREV = "2fc8413bfcb51354c8e679141b17b3f1a5942561" | 26 | SRCREV = "2fc8413bfcb51354c8e679141b17b3f1a5942561" |
| 27 | SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=archive/mbedtls-2.28 \ | 27 | SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=archive/mbedtls-2.28 \ |
| 28 | file://run-ptest \ | 28 | file://run-ptest \ |
| 29 | file://CVE-2025-47917.patch \ | ||
| 29 | " | 30 | " |
| 30 | 31 | ||
| 31 | inherit cmake update-alternatives ptest | 32 | inherit cmake update-alternatives ptest |
