2 files changed, 162 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch
new file mode 100644
index 0000000000..bf11a893f8
--- /dev/null
+++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch
@@ -0,0 +1,161 @@
+From c01cb06d99c08579ab33bef066fca8a5338b7c7b Mon Sep 17 00:00:00 2001
+From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+Date: Tue, 18 Nov 2025 16:59:22 +0100
+Subject: [PATCH] NN-2025-0102: UAF depending on upgrade allowed
+This document contains sensitive information collected during our
+security research activities related with the Libwebsockets library
+maintained by Andy Green (warmcat).
+-------------------------------------------------------------------------------------------------------+
+| Report information                                                                                    |
+:===================================:+:===============================================================:+
+| Vendor                              | warmcat                                                         |
+-------------------------------------+-----------------------------------------------------------------+
+| Vendor URL                          | https://libwebsockets.org/git/libwebsockets                     |
+-------------------------------------+-----------------------------------------------------------------+
+| Affected component                  | libwebsockets                                                   |
+-------------------------------------+-----------------------------------------------------------------+
+| Affected version                    | 4.4                                                             |
+-------------------------------------+-----------------------------------------------------------------+
+| Vulnerability                       | CWE-416: Use After Free                                         |
+-------------------------------------+-----------------------------------------------------------------+
+| Proposed CVSS v3.1 Base Score       | 6.0                                                             |
+-------------------------------------+-----------------------------------------------------------------+
+| Proposed CVSS v3.1 Vector           | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
+-------------------------------------+-----------------------------------------------------------------+
+-----------------------------------------------------------------------------+
+| Security Researcher(s)                                                      |
+:===================================:+:=====================================:+
+| Name                                | **Email address**                     |
+-------------------------------------+---------------------------------------+
+| Raffaele Bova                       | labs-advisory@nozominetworks.com      |
+-------------------------------------+---------------------------------------+
+Libwebsockes is a C library that provides client and server
+implementation for various protocols (e.g., HTTP, websockets, MQTT) and
+more.
+Nozomi Networks Lab discovered a "CWE-416: Use After Free" in the latest
+software version of libwebsockets, specifically in the WebSocket server
+implementation.
+Depending on the use of the API, the vulnerability may allow an attacker
+to read or write data, that could cause a loss of integrity or
+availability.
+The issue is caused by the `lws_handshake_protocol` function, specifically
+when the upgrade header is not valid, the function calls
+`lws_http_transaction_completed`, which frees some of the data in the wsi
+structure, then it calls `user_callback_handle_rxflow` passing the up
+pointer and uses it on following strcasecmp calls.
+From our understanding, for this vulnerability to have a meaningful
+impact, a user that implements the Websocket server, must provide a user
+callback function which is going to handle
+`LWS_CALLBACK_HTTP_CONFIRM_UPGRADE`, while ignoring the length and doing
+operations on the up pointer.
+It is possible to compile the minimal websocket server using address
+sanitizer, to quickly verify the use after free.
+From our understanding of the code, if the upgrade header does not match
+the intended contents, then the code after the if statement when
+`lws_http_transaction_completed` is called, should not be executed, thus
+simply enclosing all that code in the else branch solves the issue.
+CVE: CVE-2025-11677
+Upstream-Status: Backport [https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a]
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+ lib/roles/http/server/server.c | 58 +++++++++++++++++-----------------
+ 1 file changed, 29 insertions(+), 29 deletions(-)
+diff --git a/lib/roles/http/server/server.c b/lib/roles/http/server/server.c
+index 6b132a42..e6d714e3 100644
+--- a/lib/roles/http/server/server.c
+++ b/lib/roles/http/server/server.c
+@@ -2375,49 +2375,49 @@ raw_transition:
+                                                HTTP_STATUS_FORBIDDEN, NULL) ||
+                                    lws_http_transaction_completed(wsi))
+                                        goto bail_nuke_ah;
+-                       }
+-
+-                       n = user_callback_handle_rxflow(wsi->a.protocol->callback,
+-                                       wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,
+-                                       wsi->user_space, (char *)up, 0);
+                       } else {
+                               n = user_callback_handle_rxflow(wsi->a.protocol->callback,
+                                               wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,
+                                               wsi->user_space, (char *)up, 0);
+ 
+-                       /* just hang up? */
+                               /* just hang up? */
+ 
+-                       if (n < 0)
+-                               goto bail_nuke_ah;
+                               if (n < 0)
+                                       goto bail_nuke_ah;
+ 
+-                       /* callback returned headers already, do t_c? */
+                               /* callback returned headers already, do t_c? */
+ 
+-                       if (n > 0) {
+-                               if (lws_http_transaction_completed(wsi))
+                               if (n > 0) {
+                                   if (lws_http_transaction_completed(wsi))
+                                        goto bail_nuke_ah;
+ 
+-                               /* continue on */
+                                   /* continue on */
+ 
+-                               return 0;
+-                       }
+                                   return 0;
+                               }
+ 
+-                       /* callback said 0, it was allowed */
+                               /* callback said 0, it was allowed */
+ 
+-                       if (wsi->a.vhost->options &
+-                           LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK &&
+-                           lws_confirm_host_header(wsi))
+-                               goto bail_nuke_ah;
+                               if (wsi->a.vhost->options &
+                                       LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK &&
+                                       lws_confirm_host_header(wsi))
+                                   goto bail_nuke_ah;
+ 
+-                       if (!strcasecmp(up, "websocket")) {
+                               if (!strcasecmp(up, "websocket")) {
+ #if defined(LWS_ROLE_WS)
+-                               lws_metrics_tag_wsi_add(wsi, "upg", "ws");
+-                               lwsl_info("Upgrade to ws\n");
+-                               goto upgrade_ws;
+                                       lws_metrics_tag_wsi_add(wsi, "upg", "ws");
+                                       lwsl_info("Upgrade to ws\n");
+                                       goto upgrade_ws;
+ #endif
+-                       }
+                               }
+ #if defined(LWS_WITH_HTTP2)
+-                       if (!strcasecmp(up, "h2c")) {
+-                               lws_metrics_tag_wsi_add(wsi, "upg", "h2c");
+-                               lwsl_info("Upgrade to h2c\n");
+-                               goto upgrade_h2c;
+-                       }
+                               if (!strcasecmp(up, "h2c")) {
+                                   lws_metrics_tag_wsi_add(wsi, "upg", "h2c");
+                                   lwsl_info("Upgrade to h2c\n");
+                                   goto upgrade_h2c;
+                               }
+ #endif
+                       }
+                }
+ 
+                /* no upgrade ack... he remained as HTTP */
+-- 
+2.43.0
diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb
index afe2124f65..0b74adf990 100644
--- a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb
+++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb
@@ -10,6 +10,7 @@ SRCREV = "ab9df9cfc39de7a49967f18387b6b76310947442"
 SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3-stable \
           file://0001-sll_protocol-may-be-be16.patch \
           file://0002-allow-build-with-cmake-4.patch \
+           file://CVE-2025-11677.patch \
           "
 UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases"

diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch new file mode 100644 index 0000000000..bf11a893f8 --- /dev/null +++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch
@@ -0,0 +1,161 @@
		1	From c01cb06d99c08579ab33bef066fca8a5338b7c7b Mon Sep 17 00:00:00 2001
		2	From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
		3	Date: Tue, 18 Nov 2025 16:59:22 +0100
		4	Subject: [PATCH] NN-2025-0102: UAF depending on upgrade allowed
		5
		6	This document contains sensitive information collected during our
		7	security research activities related with the Libwebsockets library
		8	maintained by Andy Green (warmcat).
		9
		10	+-------------------------------------------------------------------------------------------------------+
		11	\| Report information \|
		12	+:===================================:+:===============================================================:+
		13	\| Vendor \| warmcat \|
		14	+-------------------------------------+-----------------------------------------------------------------+
		15	\| Vendor URL \| https://libwebsockets.org/git/libwebsockets \|
		16	+-------------------------------------+-----------------------------------------------------------------+
		17	\| Affected component \| libwebsockets \|
		18	+-------------------------------------+-----------------------------------------------------------------+
		19	\| Affected version \| 4.4 \|
		20	+-------------------------------------+-----------------------------------------------------------------+
		21	\| Vulnerability \| CWE-416: Use After Free \|
		22	+-------------------------------------+-----------------------------------------------------------------+
		23	\| Proposed CVSS v3.1 Base Score \| 6.0 \|
		24	+-------------------------------------+-----------------------------------------------------------------+
		25	\| Proposed CVSS v3.1 Vector \| CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N \|
		26	+-------------------------------------+-----------------------------------------------------------------+
		27
		28	+-----------------------------------------------------------------------------+
		29	\| Security Researcher(s) \|
		30	+:===================================:+:=====================================:+
		31	\| Name \| Email address \|
		32	+-------------------------------------+---------------------------------------+
		33	\| Raffaele Bova \| labs-advisory@nozominetworks.com \|
		34	+-------------------------------------+---------------------------------------+
		35
		36	Libwebsockes is a C library that provides client and server
		37	implementation for various protocols (e.g., HTTP, websockets, MQTT) and
		38	more.
		39
		40	Nozomi Networks Lab discovered a "CWE-416: Use After Free" in the latest
		41	software version of libwebsockets, specifically in the WebSocket server
		42	implementation.
		43
		44	Depending on the use of the API, the vulnerability may allow an attacker
		45	to read or write data, that could cause a loss of integrity or
		46	availability.
		47
		48	The issue is caused by the `lws_handshake_protocol` function, specifically
		49	when the upgrade header is not valid, the function calls
		50	`lws_http_transaction_completed`, which frees some of the data in the wsi
		51	structure, then it calls `user_callback_handle_rxflow` passing the up
		52	pointer and uses it on following strcasecmp calls.
		53
		54	From our understanding, for this vulnerability to have a meaningful
		55	impact, a user that implements the Websocket server, must provide a user
		56	callback function which is going to handle
		57	`LWS_CALLBACK_HTTP_CONFIRM_UPGRADE`, while ignoring the length and doing
		58	operations on the up pointer.
		59
		60	It is possible to compile the minimal websocket server using address
		61	sanitizer, to quickly verify the use after free.
		62
		63	From our understanding of the code, if the upgrade header does not match
		64	the intended contents, then the code after the if statement when
		65	`lws_http_transaction_completed` is called, should not be executed, thus
		66	simply enclosing all that code in the else branch solves the issue.
		67
		68	CVE: CVE-2025-11677
		69	Upstream-Status: Backport [https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a]
		70
		71	Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
		72	---
		73	lib/roles/http/server/server.c \| 58 +++++++++++++++++-----------------
		74	1 file changed, 29 insertions(+), 29 deletions(-)
		75
		76	diff --git a/lib/roles/http/server/server.c b/lib/roles/http/server/server.c
		77	index 6b132a42..e6d714e3 100644
		78	--- a/lib/roles/http/server/server.c
		79	+++ b/lib/roles/http/server/server.c
		80	@@ -2375,49 +2375,49 @@ raw_transition:
		81	HTTP_STATUS_FORBIDDEN, NULL) \|\|
		82	lws_http_transaction_completed(wsi))
		83	goto bail_nuke_ah;
		84	- }
		85	-
		86	- n = user_callback_handle_rxflow(wsi->a.protocol->callback,
		87	- wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,
		88	- wsi->user_space, (char *)up, 0);
		89	+ } else {
		90	+ n = user_callback_handle_rxflow(wsi->a.protocol->callback,
		91	+ wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,
		92	+ wsi->user_space, (char *)up, 0);
		93
		94	- /* just hang up? */
		95	+ /* just hang up? */
		96
		97	- if (n < 0)
		98	- goto bail_nuke_ah;
		99	+ if (n < 0)
		100	+ goto bail_nuke_ah;
		101
		102	- /* callback returned headers already, do t_c? */
		103	+ /* callback returned headers already, do t_c? */
		104
		105	- if (n > 0) {
		106	- if (lws_http_transaction_completed(wsi))
		107	+ if (n > 0) {
		108	+ if (lws_http_transaction_completed(wsi))
		109	goto bail_nuke_ah;
		110
		111	- /* continue on */
		112	+ /* continue on */
		113
		114	- return 0;
		115	- }
		116	+ return 0;
		117	+ }
		118
		119	- /* callback said 0, it was allowed */
		120	+ /* callback said 0, it was allowed */
		121
		122	- if (wsi->a.vhost->options &
		123	- LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK &&
		124	- lws_confirm_host_header(wsi))
		125	- goto bail_nuke_ah;
		126	+ if (wsi->a.vhost->options &
		127	+ LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK &&
		128	+ lws_confirm_host_header(wsi))
		129	+ goto bail_nuke_ah;
		130
		131	- if (!strcasecmp(up, "websocket")) {
		132	+ if (!strcasecmp(up, "websocket")) {
		133	#if defined(LWS_ROLE_WS)
		134	- lws_metrics_tag_wsi_add(wsi, "upg", "ws");
		135	- lwsl_info("Upgrade to ws\n");
		136	- goto upgrade_ws;
		137	+ lws_metrics_tag_wsi_add(wsi, "upg", "ws");
		138	+ lwsl_info("Upgrade to ws\n");
		139	+ goto upgrade_ws;
		140	#endif
		141	- }
		142	+ }
		143	#if defined(LWS_WITH_HTTP2)
		144	- if (!strcasecmp(up, "h2c")) {
		145	- lws_metrics_tag_wsi_add(wsi, "upg", "h2c");
		146	- lwsl_info("Upgrade to h2c\n");
		147	- goto upgrade_h2c;
		148	- }
		149	+ if (!strcasecmp(up, "h2c")) {
		150	+ lws_metrics_tag_wsi_add(wsi, "upg", "h2c");
		151	+ lwsl_info("Upgrade to h2c\n");
		152	+ goto upgrade_h2c;
		153	+ }
		154	#endif
		155	+ }
		156	}
		157
		158	/* no upgrade ack... he remained as HTTP */
		159	--
		160	2.43.0
		161


diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb index afe2124f65..0b74adf990 100644 --- a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb +++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.5.bb
@@ -10,6 +10,7 @@ SRCREV = "ab9df9cfc39de7a49967f18387b6b76310947442"
10	SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3-stable \	10	SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3-stable \
11	file://0001-sll_protocol-may-be-be16.patch \	11	file://0001-sll_protocol-may-be-be16.patch \
12	file://0002-allow-build-with-cmake-4.patch \	12	file://0002-allow-build-with-cmake-4.patch \
		13	file://CVE-2025-11677.patch \
13	"	14	"
14		15
15	UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases"	16	UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases"