diff options
| author | Hugo SIMELIERE <hsimeliere.opensource@witekio.com> | 2026-01-05 11:02:31 +0100 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-01-06 18:07:56 +0530 |
| commit | 925318887eaa907fb144e82dfd1bd9c3729dde03 (patch) | |
| tree | f6973ad3bef04b9e439ae8ea4f375df468322d18 /meta-oe | |
| parent | 9570160dae8066183f51f9257ca57fd3017039eb (diff) | |
| download | meta-openembedded-925318887eaa907fb144e82dfd1bd9c3729dde03.tar.gz | |
libwebsockets: fix CVE-2025-11678
Backport a fix from Debian:
https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11678.patch
Upstream commit:
https://github.com/warmcat/libwebsockets/commit/2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a
Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit 5fab8bd31b32892acf3d8b56b240a7958890beac)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-oe')
| -rw-r--r-- | meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch | 128 | ||||
| -rw-r--r-- | meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb | 1 |
2 files changed, 129 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch new file mode 100644 index 0000000000..3489a7e6a1 --- /dev/null +++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch | |||
| @@ -0,0 +1,128 @@ | |||
| 1 | From e1d4c32bf773b8cf01eb5e368a4a21679e0b670a Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> | ||
| 3 | Date: Tue, 18 Nov 2025 17:03:33 +0100 | ||
| 4 | Subject: [PATCH] NN-2025-0103: ADNS crafted response overflow | ||
| 5 | |||
| 6 | This document contains sensitive information collected during our | ||
| 7 | security research activities related with the Libwebsockets library made | ||
| 8 | by Andy Green (warmcat). | ||
| 9 | |||
| 10 | +-------------------------------------------------------------------------------------------------------+ | ||
| 11 | | Report information | | ||
| 12 | +:===================================:+:===============================================================:+ | ||
| 13 | | Vendor | warmcat | | ||
| 14 | +-------------------------------------+-----------------------------------------------------------------+ | ||
| 15 | | Vendor URL | https://libwebsockets.org/git/libwebsockets | | ||
| 16 | +-------------------------------------+-----------------------------------------------------------------+ | ||
| 17 | | Affected component | Ecostruxure Automation Expert | | ||
| 18 | +-------------------------------------+-----------------------------------------------------------------+ | ||
| 19 | | Affected version | 4.4 | | ||
| 20 | +-------------------------------------+-----------------------------------------------------------------+ | ||
| 21 | | Vulnerability | CWE-121: Stack-based Buffer Overflow | | ||
| 22 | +-------------------------------------+-----------------------------------------------------------------+ | ||
| 23 | | Proposed CVSS v3.1 Base Score | 7.5 | | ||
| 24 | +-------------------------------------+-----------------------------------------------------------------+ | ||
| 25 | | Proposed CVSS v3.1 Vector | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | | ||
| 26 | +-------------------------------------+-----------------------------------------------------------------+ | ||
| 27 | |||
| 28 | +-----------------------------------------------------------------------------+ | ||
| 29 | | Security Researcher(s) | | ||
| 30 | +:===================================:+:=====================================:+ | ||
| 31 | | Name | **Email address** | | ||
| 32 | +-------------------------------------+---------------------------------------+ | ||
| 33 | | Raffaele Bova | labs-advisory@nozominetworks.com | | ||
| 34 | +-------------------------------------+---------------------------------------+ | ||
| 35 | |||
| 36 | **\** | ||
| 37 | |||
| 38 | Libwebsockes is a C library that provides client and server | ||
| 39 | implementation for various protocols (e.g., HTTP, websockets, MQTT) and | ||
| 40 | more. | ||
| 41 | |||
| 42 | Nozomi Networks Lab discovered a "CWE-121: Stack-based Buffer Overflow" | ||
| 43 | in the latest software version of libwebsockets, specifically in the | ||
| 44 | async-dns component. | ||
| 45 | |||
| 46 | The vulnerability allows an attacker that can inspect DNS requests made | ||
| 47 | by the victim (e.g. being in the same wireless network) to forge a DNS | ||
| 48 | response packet that overflows the stack and may lead to arbitrary code | ||
| 49 | execution (depending on the platform and compiler options). | ||
| 50 | |||
| 51 | The issue resides in `lws_adns_parse_label` function in | ||
| 52 | `lib/system/async-dns/async-dns-parse.c`; this function iteratively parses | ||
| 53 | a label however it does not correctly check the number of bytes written | ||
| 54 | in the destination buffer. | ||
| 55 | |||
| 56 | Specifically, the size of the dest output buffer is specified in the `dl` | ||
| 57 | argument, however during the read of each substring of the label only | ||
| 58 | the length of the current substring of the label is accounted for not | ||
| 59 | overflowing the destination buffer, but previous reads are not accounted | ||
| 60 | for. | ||
| 61 | |||
| 62 | This means that a label of arbitrary size and content can be supplied | ||
| 63 | and is copied onto the stack, however it must be split into substrings | ||
| 64 | of size less than `dl`. | ||
| 65 | |||
| 66 | To trigger the vulnerability an attacker must be able to sniff the DNS | ||
| 67 | request packet to send a response with a matching identifier, otherwise | ||
| 68 | the implantation correctly ignores the response. | ||
| 69 | |||
| 70 | We have provided a harness for testing, for ease of use copy the harness | ||
| 71 | in a subdirectory, for example in minimal-examples-lowlevel/api-tests/, | ||
| 72 | and build it | ||
| 73 | |||
| 74 | ``` | ||
| 75 | cmake -B build -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SSL=0 | ||
| 76 | -DCMAKE_C_FLAGS="-fsanitize=address" . && make -C build lws-test-async-dns | ||
| 77 | ``` | ||
| 78 | |||
| 79 | Then it can be run `./build/bin/lws-test-async-dns < poc_stackbof` | ||
| 80 | |||
| 81 |  | ||
| 82 | |||
| 83 | We suggest keeping track of the number of bytes currently written on the | ||
| 84 | dest buffer, this could be done by saving the original dest pointer, | ||
| 85 | decrementing dl on each substring memcpy, or using an auxiliary | ||
| 86 | variable. | ||
| 87 | |||
| 88 | CVE: CVE-2025-11678 | ||
| 89 | Upstream-Status: Backport [https://github.com/warmcat/libwebsockets/commit/2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a] | ||
| 90 | |||
| 91 | Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> | ||
| 92 | --- | ||
| 93 | lib/system/async-dns/async-dns-parse.c | 5 +++-- | ||
| 94 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
| 95 | |||
| 96 | diff --git a/lib/system/async-dns/async-dns-parse.c b/lib/system/async-dns/async-dns-parse.c | ||
| 97 | index bdfe2050..81743b3f 100644 | ||
| 98 | --- a/lib/system/async-dns/async-dns-parse.c | ||
| 99 | +++ b/lib/system/async-dns/async-dns-parse.c | ||
| 100 | @@ -35,7 +35,7 @@ lws_adns_parse_label(const uint8_t *pkt, int len, const uint8_t *ls, int budget, | ||
| 101 | const uint8_t *e = pkt + len, *ols = ls; | ||
| 102 | char pointer = 0, first = 1; | ||
| 103 | uint8_t ll; | ||
| 104 | - int n; | ||
| 105 | + int n, readsize = 0; | ||
| 106 | |||
| 107 | if (budget < 1) | ||
| 108 | return 0; | ||
| 109 | @@ -88,7 +88,7 @@ again1: | ||
| 110 | return -1; | ||
| 111 | } | ||
| 112 | |||
| 113 | - if ((unsigned int)ll + 2 > dl) { | ||
| 114 | + if ((unsigned int)(ll + 2 + readsize) > dl) { | ||
| 115 | lwsl_notice("%s: qname too large\n", __func__); | ||
| 116 | |||
| 117 | return -1; | ||
| 118 | @@ -101,6 +101,7 @@ again1: | ||
| 119 | (*dest)[ll + 1] = '\0'; | ||
| 120 | *dest += ll + 1; | ||
| 121 | ls += ll; | ||
| 122 | + readsize += ll + 1; | ||
| 123 | |||
| 124 | if (pointer) { | ||
| 125 | if (*ls) | ||
| 126 | -- | ||
| 127 | 2.43.0 | ||
| 128 | |||
diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb index 0b74adf990..cd69281833 100644 --- a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb +++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb | |||
| @@ -11,6 +11,7 @@ SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3 | |||
| 11 | file://0001-sll_protocol-may-be-be16.patch \ | 11 | file://0001-sll_protocol-may-be-be16.patch \ |
| 12 | file://0002-allow-build-with-cmake-4.patch \ | 12 | file://0002-allow-build-with-cmake-4.patch \ |
| 13 | file://CVE-2025-11677.patch \ | 13 | file://CVE-2025-11677.patch \ |
| 14 | file://CVE-2025-11678.patch \ | ||
| 14 | " | 15 | " |
| 15 | 16 | ||
| 16 | UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases" | 17 | UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases" |
