mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-01-12 03:24:08 +00:00
Code Issues Projects Releases Wiki Activity

mbedtls: fix CVE-2025-47917

Browse Source 
CVE-2025-47917 is that the function mbedtls_x509_string_to_names() takes
a head argument and performs a deep free() on it.

Backport patch to fix CVE-2025-47917 and drop the modification in doc
file and comment in header file which lack of context.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Kai Kang
2025-12-15 02:04:46 +08:00
committed by Anuj Mittal
parent b4812b18ee
commit 1fea09e692
2 changed files with 53 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch Normal file
View File

@@ -0,0 +1,52 @@
From 19d2c9165a13decf754177adda2bf59fd0e32aa1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
<manuel.pegourie-gonnard@arm.com>
Date: Mon, 5 May 2025 16:41:52 +0200
Subject: [PATCH] Fix undocumented free() in x509_string_to_names()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Now programs/x509/cert_write san="DN:CN=#0000;DN:CN=#0000" is no longer
crashing with use-after-free, instead it's now failing cleanly:
failed
! mbedtls_x509_string_to_names returned -0x2800 - X509 - Input invalid
That's better of course but still not great, will be fixed by future
commits.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
CVE: CVE-2025-47917
Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/43a1e73]
Backport patch to fix CVE-2025-47917 and drop the modification in doc
file and comment in header file which lack of context.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
library/x509_create.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
create mode 100644 ChangeLog.d/fix-string-to-names-memory-management.txt
diff --git a/library/x509_create.c b/library/x509_create.c
index 839b5df226..420e36b81b 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -122,8 +122,12 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
char data[MBEDTLS_X509_MAX_DN_NAME_SIZE];
char *d = data;
- /* Clear existing chain if present */
- mbedtls_asn1_free_named_data_list(head);
+ /* Ensure the output parameter is not already populated.
+ * (If it were, overwriting it would likely cause a memory leak.)
+ */
+ if (*head != NULL) {
+ return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+ }
while (c <= end) {
if (in_tag && *c == '=') {

1
meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb
View File

@@ -26,6 +26,7 @@ S = "${WORKDIR}/git"
SRCREV = "2fc8413bfcb51354c8e679141b17b3f1a5942561"
SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=archive/mbedtls-2.28 \
file://run-ptest \
file://CVE-2025-47917.patch \
"
inherit cmake update-alternatives ptest