mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
libwebsockets: fix CVE-2025-11677
Backport a fix from Debian: https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11677.patch Upstream commit: https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a Signed-off-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
e656a5b181
commit
da04d7003e
@@ -0,0 +1,161 @@
|
|||||||
|
From c01cb06d99c08579ab33bef066fca8a5338b7c7b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
|
||||||
|
Date: Tue, 18 Nov 2025 16:59:22 +0100
|
||||||
|
Subject: [PATCH] NN-2025-0102: UAF depending on upgrade allowed
|
||||||
|
|
||||||
|
This document contains sensitive information collected during our
|
||||||
|
security research activities related with the Libwebsockets library
|
||||||
|
maintained by Andy Green (warmcat).
|
||||||
|
|
||||||
|
+-------------------------------------------------------------------------------------------------------+
|
||||||
|
| Report information |
|
||||||
|
+:===================================:+:===============================================================:+
|
||||||
|
| Vendor | warmcat |
|
||||||
|
+-------------------------------------+-----------------------------------------------------------------+
|
||||||
|
| Vendor URL | https://libwebsockets.org/git/libwebsockets |
|
||||||
|
+-------------------------------------+-----------------------------------------------------------------+
|
||||||
|
| Affected component | libwebsockets |
|
||||||
|
+-------------------------------------+-----------------------------------------------------------------+
|
||||||
|
| Affected version | 4.4 |
|
||||||
|
+-------------------------------------+-----------------------------------------------------------------+
|
||||||
|
| Vulnerability | CWE-416: Use After Free |
|
||||||
|
+-------------------------------------+-----------------------------------------------------------------+
|
||||||
|
| Proposed CVSS v3.1 Base Score | 6.0 |
|
||||||
|
+-------------------------------------+-----------------------------------------------------------------+
|
||||||
|
| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
||||||
|
+-------------------------------------+-----------------------------------------------------------------+
|
||||||
|
|
||||||
|
+-----------------------------------------------------------------------------+
|
||||||
|
| Security Researcher(s) |
|
||||||
|
+:===================================:+:=====================================:+
|
||||||
|
| Name | **Email address** |
|
||||||
|
+-------------------------------------+---------------------------------------+
|
||||||
|
| Raffaele Bova | labs-advisory@nozominetworks.com |
|
||||||
|
+-------------------------------------+---------------------------------------+
|
||||||
|
|
||||||
|
Libwebsockes is a C library that provides client and server
|
||||||
|
implementation for various protocols (e.g., HTTP, websockets, MQTT) and
|
||||||
|
more.
|
||||||
|
|
||||||
|
Nozomi Networks Lab discovered a "CWE-416: Use After Free" in the latest
|
||||||
|
software version of libwebsockets, specifically in the WebSocket server
|
||||||
|
implementation.
|
||||||
|
|
||||||
|
Depending on the use of the API, the vulnerability may allow an attacker
|
||||||
|
to read or write data, that could cause a loss of integrity or
|
||||||
|
availability.
|
||||||
|
|
||||||
|
The issue is caused by the `lws_handshake_protocol` function, specifically
|
||||||
|
when the upgrade header is not valid, the function calls
|
||||||
|
`lws_http_transaction_completed`, which frees some of the data in the wsi
|
||||||
|
structure, then it calls `user_callback_handle_rxflow` passing the up
|
||||||
|
pointer and uses it on following strcasecmp calls.
|
||||||
|
|
||||||
|
From our understanding, for this vulnerability to have a meaningful
|
||||||
|
impact, a user that implements the Websocket server, must provide a user
|
||||||
|
callback function which is going to handle
|
||||||
|
`LWS_CALLBACK_HTTP_CONFIRM_UPGRADE`, while ignoring the length and doing
|
||||||
|
operations on the up pointer.
|
||||||
|
|
||||||
|
It is possible to compile the minimal websocket server using address
|
||||||
|
sanitizer, to quickly verify the use after free.
|
||||||
|
|
||||||
|
From our understanding of the code, if the upgrade header does not match
|
||||||
|
the intended contents, then the code after the if statement when
|
||||||
|
`lws_http_transaction_completed` is called, should not be executed, thus
|
||||||
|
simply enclosing all that code in the else branch solves the issue.
|
||||||
|
|
||||||
|
CVE: CVE-2025-11677
|
||||||
|
Upstream-Status: Backport [https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a]
|
||||||
|
|
||||||
|
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
|
||||||
|
---
|
||||||
|
lib/roles/http/server/server.c | 58 +++++++++++++++++-----------------
|
||||||
|
1 file changed, 29 insertions(+), 29 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/roles/http/server/server.c b/lib/roles/http/server/server.c
|
||||||
|
index 6b132a42..e6d714e3 100644
|
||||||
|
--- a/lib/roles/http/server/server.c
|
||||||
|
+++ b/lib/roles/http/server/server.c
|
||||||
|
@@ -2375,49 +2375,49 @@ raw_transition:
|
||||||
|
HTTP_STATUS_FORBIDDEN, NULL) ||
|
||||||
|
lws_http_transaction_completed(wsi))
|
||||||
|
goto bail_nuke_ah;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- n = user_callback_handle_rxflow(wsi->a.protocol->callback,
|
||||||
|
- wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,
|
||||||
|
- wsi->user_space, (char *)up, 0);
|
||||||
|
+ } else {
|
||||||
|
+ n = user_callback_handle_rxflow(wsi->a.protocol->callback,
|
||||||
|
+ wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,
|
||||||
|
+ wsi->user_space, (char *)up, 0);
|
||||||
|
|
||||||
|
- /* just hang up? */
|
||||||
|
+ /* just hang up? */
|
||||||
|
|
||||||
|
- if (n < 0)
|
||||||
|
- goto bail_nuke_ah;
|
||||||
|
+ if (n < 0)
|
||||||
|
+ goto bail_nuke_ah;
|
||||||
|
|
||||||
|
- /* callback returned headers already, do t_c? */
|
||||||
|
+ /* callback returned headers already, do t_c? */
|
||||||
|
|
||||||
|
- if (n > 0) {
|
||||||
|
- if (lws_http_transaction_completed(wsi))
|
||||||
|
+ if (n > 0) {
|
||||||
|
+ if (lws_http_transaction_completed(wsi))
|
||||||
|
goto bail_nuke_ah;
|
||||||
|
|
||||||
|
- /* continue on */
|
||||||
|
+ /* continue on */
|
||||||
|
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- /* callback said 0, it was allowed */
|
||||||
|
+ /* callback said 0, it was allowed */
|
||||||
|
|
||||||
|
- if (wsi->a.vhost->options &
|
||||||
|
- LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK &&
|
||||||
|
- lws_confirm_host_header(wsi))
|
||||||
|
- goto bail_nuke_ah;
|
||||||
|
+ if (wsi->a.vhost->options &
|
||||||
|
+ LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK &&
|
||||||
|
+ lws_confirm_host_header(wsi))
|
||||||
|
+ goto bail_nuke_ah;
|
||||||
|
|
||||||
|
- if (!strcasecmp(up, "websocket")) {
|
||||||
|
+ if (!strcasecmp(up, "websocket")) {
|
||||||
|
#if defined(LWS_ROLE_WS)
|
||||||
|
- lws_metrics_tag_wsi_add(wsi, "upg", "ws");
|
||||||
|
- lwsl_info("Upgrade to ws\n");
|
||||||
|
- goto upgrade_ws;
|
||||||
|
+ lws_metrics_tag_wsi_add(wsi, "upg", "ws");
|
||||||
|
+ lwsl_info("Upgrade to ws\n");
|
||||||
|
+ goto upgrade_ws;
|
||||||
|
#endif
|
||||||
|
- }
|
||||||
|
+ }
|
||||||
|
#if defined(LWS_WITH_HTTP2)
|
||||||
|
- if (!strcasecmp(up, "h2c")) {
|
||||||
|
- lws_metrics_tag_wsi_add(wsi, "upg", "h2c");
|
||||||
|
- lwsl_info("Upgrade to h2c\n");
|
||||||
|
- goto upgrade_h2c;
|
||||||
|
- }
|
||||||
|
+ if (!strcasecmp(up, "h2c")) {
|
||||||
|
+ lws_metrics_tag_wsi_add(wsi, "upg", "h2c");
|
||||||
|
+ lwsl_info("Upgrade to h2c\n");
|
||||||
|
+ goto upgrade_h2c;
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
/* no upgrade ack... he remained as HTTP */
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
||||||
@@ -8,7 +8,9 @@ DEPENDS:append:class-native = " libcap-native"
|
|||||||
|
|
||||||
S = "${WORKDIR}/git"
|
S = "${WORKDIR}/git"
|
||||||
SRCREV = "4415e84c095857629863804e941b9e1c2e9347ef"
|
SRCREV = "4415e84c095857629863804e941b9e1c2e9347ef"
|
||||||
SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3-stable"
|
SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3-stable \
|
||||||
|
file://CVE-2025-11677.patch \
|
||||||
|
"
|
||||||
|
|
||||||
UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases"
|
UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases"
|
||||||
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
|
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
|
||||||
|
|||||||
Reference in New Issue
Block a user