summaryrefslogtreecommitdiffstats
path: root/meta-oe
diff options
context:
space:
mode:
authorHugo SIMELIERE <hsimeliere.opensource@witekio.com>2026-01-05 11:02:31 +0100
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-01-06 18:07:56 +0530
commit925318887eaa907fb144e82dfd1bd9c3729dde03 (patch)
treef6973ad3bef04b9e439ae8ea4f375df468322d18 /meta-oe
parent9570160dae8066183f51f9257ca57fd3017039eb (diff)
downloadmeta-openembedded-925318887eaa907fb144e82dfd1bd9c3729dde03.tar.gz
libwebsockets: fix CVE-2025-11678
Backport a fix from Debian: https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11678.patch Upstream commit: https://github.com/warmcat/libwebsockets/commit/2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a Signed-off-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit 5fab8bd31b32892acf3d8b56b240a7958890beac) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-oe')
-rw-r--r--meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch128
-rw-r--r--meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb1
2 files changed, 129 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch
new file mode 100644
index 0000000000..3489a7e6a1
--- /dev/null
+++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch
@@ -0,0 +1,128 @@
1From e1d4c32bf773b8cf01eb5e368a4a21679e0b670a Mon Sep 17 00:00:00 2001
2From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
3Date: Tue, 18 Nov 2025 17:03:33 +0100
4Subject: [PATCH] NN-2025-0103: ADNS crafted response overflow
5
6This document contains sensitive information collected during our
7security research activities related with the Libwebsockets library made
8by Andy Green (warmcat).
9
10+-------------------------------------------------------------------------------------------------------+
11| Report information |
12+:===================================:+:===============================================================:+
13| Vendor | warmcat |
14+-------------------------------------+-----------------------------------------------------------------+
15| Vendor URL | https://libwebsockets.org/git/libwebsockets |
16+-------------------------------------+-----------------------------------------------------------------+
17| Affected component | Ecostruxure Automation Expert |
18+-------------------------------------+-----------------------------------------------------------------+
19| Affected version | 4.4 |
20+-------------------------------------+-----------------------------------------------------------------+
21| Vulnerability | CWE-121: Stack-based Buffer Overflow |
22+-------------------------------------+-----------------------------------------------------------------+
23| Proposed CVSS v3.1 Base Score | 7.5 |
24+-------------------------------------+-----------------------------------------------------------------+
25| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
26+-------------------------------------+-----------------------------------------------------------------+
27
28+-----------------------------------------------------------------------------+
29| Security Researcher(s) |
30+:===================================:+:=====================================:+
31| Name | **Email address** |
32+-------------------------------------+---------------------------------------+
33| Raffaele Bova | labs-advisory@nozominetworks.com |
34+-------------------------------------+---------------------------------------+
35
36**\**
37
38Libwebsockes is a C library that provides client and server
39implementation for various protocols (e.g., HTTP, websockets, MQTT) and
40more.
41
42Nozomi Networks Lab discovered a "CWE-121: Stack-based Buffer Overflow"
43in the latest software version of libwebsockets, specifically in the
44async-dns component.
45
46The vulnerability allows an attacker that can inspect DNS requests made
47by the victim (e.g. being in the same wireless network) to forge a DNS
48response packet that overflows the stack and may lead to arbitrary code
49execution (depending on the platform and compiler options).
50
51The issue resides in `lws_adns_parse_label` function in
52`lib/system/async-dns/async-dns-parse.c`; this function iteratively parses
53a label however it does not correctly check the number of bytes written
54in the destination buffer.
55
56Specifically, the size of the dest output buffer is specified in the `dl`
57argument, however during the read of each substring of the label only
58the length of the current substring of the label is accounted for not
59overflowing the destination buffer, but previous reads are not accounted
60for.
61
62This means that a label of arbitrary size and content can be supplied
63and is copied onto the stack, however it must be split into substrings
64of size less than `dl`.
65
66To trigger the vulnerability an attacker must be able to sniff the DNS
67request packet to send a response with a matching identifier, otherwise
68the implantation correctly ignores the response.
69
70We have provided a harness for testing, for ease of use copy the harness
71in a subdirectory, for example in minimal-examples-lowlevel/api-tests/,
72and build it
73
74```
75cmake -B build -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SSL=0
76-DCMAKE_C_FLAGS="-fsanitize=address" . && make -C build lws-test-async-dns
77```
78
79Then it can be run `./build/bin/lws-test-async-dns < poc_stackbof`
80
81![Address sanitizer report of stack buffer overflow](./NN-2025-0103_image.png)
82
83We suggest keeping track of the number of bytes currently written on the
84dest buffer, this could be done by saving the original dest pointer,
85decrementing dl on each substring memcpy, or using an auxiliary
86variable.
87
88CVE: CVE-2025-11678
89Upstream-Status: Backport [https://github.com/warmcat/libwebsockets/commit/2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a]
90
91Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
92---
93 lib/system/async-dns/async-dns-parse.c | 5 +++--
94 1 file changed, 3 insertions(+), 2 deletions(-)
95
96diff --git a/lib/system/async-dns/async-dns-parse.c b/lib/system/async-dns/async-dns-parse.c
97index bdfe2050..81743b3f 100644
98--- a/lib/system/async-dns/async-dns-parse.c
99+++ b/lib/system/async-dns/async-dns-parse.c
100@@ -35,7 +35,7 @@ lws_adns_parse_label(const uint8_t *pkt, int len, const uint8_t *ls, int budget,
101 const uint8_t *e = pkt + len, *ols = ls;
102 char pointer = 0, first = 1;
103 uint8_t ll;
104- int n;
105+ int n, readsize = 0;
106
107 if (budget < 1)
108 return 0;
109@@ -88,7 +88,7 @@ again1:
110 return -1;
111 }
112
113- if ((unsigned int)ll + 2 > dl) {
114+ if ((unsigned int)(ll + 2 + readsize) > dl) {
115 lwsl_notice("%s: qname too large\n", __func__);
116
117 return -1;
118@@ -101,6 +101,7 @@ again1:
119 (*dest)[ll + 1] = '\0';
120 *dest += ll + 1;
121 ls += ll;
122+ readsize += ll + 1;
123
124 if (pointer) {
125 if (*ls)
126--
1272.43.0
128
diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb
index 0b74adf990..cd69281833 100644
--- a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb
+++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb
@@ -11,6 +11,7 @@ SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3
11 file://0001-sll_protocol-may-be-be16.patch \ 11 file://0001-sll_protocol-may-be-be16.patch \
12 file://0002-allow-build-with-cmake-4.patch \ 12 file://0002-allow-build-with-cmake-4.patch \
13 file://CVE-2025-11677.patch \ 13 file://CVE-2025-11677.patch \
14 file://CVE-2025-11678.patch \
14 " 15 "
15 16
16UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases" 17UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases"