summaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-connectivity
diff options
context:
space:
mode:
authorKai Kang <kai.kang@windriver.com>2025-12-15 02:04:46 +0800
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2025-12-17 11:45:16 +0530
commit1fea09e692e92fe96ac78067c666d4e387751523 (patch)
tree85d9644316494065835e1975f57dcf6e11a57262 /meta-networking/recipes-connectivity
parentb4812b18eec77e9f0286bd6b81a5c3032ac0d3be (diff)
downloadmeta-openembedded-1fea09e692e92fe96ac78067c666d4e387751523.tar.gz
mbedtls: fix CVE-2025-47917
CVE-2025-47917 is that the function mbedtls_x509_string_to_names() takes a head argument and performs a deep free() on it. Backport patch to fix CVE-2025-47917 and drop the modification in doc file and comment in header file which lack of context. Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-networking/recipes-connectivity')
-rw-r--r--meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch52
-rw-r--r--meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb1
2 files changed, 53 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch
new file mode 100644
index 0000000000..75c4829191
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch
@@ -0,0 +1,52 @@
1From 19d2c9165a13decf754177adda2bf59fd0e32aa1 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
3 <manuel.pegourie-gonnard@arm.com>
4Date: Mon, 5 May 2025 16:41:52 +0200
5Subject: [PATCH] Fix undocumented free() in x509_string_to_names()
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Now programs/x509/cert_write san="DN:CN=#0000;DN:CN=#0000" is no longer
11crashing with use-after-free, instead it's now failing cleanly:
12
13 failed
14 ! mbedtls_x509_string_to_names returned -0x2800 - X509 - Input invalid
15
16That's better of course but still not great, will be fixed by future
17commits.
18
19Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
20
21CVE: CVE-2025-47917
22
23Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/43a1e73]
24
25Backport patch to fix CVE-2025-47917 and drop the modification in doc
26file and comment in header file which lack of context.
27
28Signed-off-by: Kai Kang <kai.kang@windriver.com>
29---
30 library/x509_create.c | 8 ++++++--
31 1 files changed, 6 insertions(+), 2 deletions(-)
32 create mode 100644 ChangeLog.d/fix-string-to-names-memory-management.txt
33
34diff --git a/library/x509_create.c b/library/x509_create.c
35index 839b5df226..420e36b81b 100644
36--- a/library/x509_create.c
37+++ b/library/x509_create.c
38@@ -122,8 +122,12 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
39 char data[MBEDTLS_X509_MAX_DN_NAME_SIZE];
40 char *d = data;
41
42- /* Clear existing chain if present */
43- mbedtls_asn1_free_named_data_list(head);
44+ /* Ensure the output parameter is not already populated.
45+ * (If it were, overwriting it would likely cause a memory leak.)
46+ */
47+ if (*head != NULL) {
48+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
49+ }
50
51 while (c <= end) {
52 if (in_tag && *c == '=') {
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb
index 62e6c90f63..53462953ef 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb
@@ -26,6 +26,7 @@ S = "${WORKDIR}/git"
26SRCREV = "2fc8413bfcb51354c8e679141b17b3f1a5942561" 26SRCREV = "2fc8413bfcb51354c8e679141b17b3f1a5942561"
27SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=archive/mbedtls-2.28 \ 27SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=archive/mbedtls-2.28 \
28 file://run-ptest \ 28 file://run-ptest \
29 file://CVE-2025-47917.patch \
29 " 30 "
30 31
31inherit cmake update-alternatives ptest 32inherit cmake update-alternatives ptest