mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
b7180060eb
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395 Backport the patches from the PR[1] that is referenced by the project's changelog[2] to fix this issue. [1]: https://github.com/wolfSSL/wolfssl/pull/8833 [2]: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
28 lines
1.3 KiB
Diff
28 lines
1.3 KiB
Diff
From aad4e7c38f3784942923f4871d61a7e41d3de842 Mon Sep 17 00:00:00 2001
|
|
From: Brett <bigbrett@users.noreply.github.com>
|
|
Date: Wed, 4 Jun 2025 15:48:15 -0600
|
|
Subject: [PATCH] prevent apple native cert validation from overriding error
|
|
codes other than ASN_NO_SIGNER_E
|
|
|
|
CVE: CVE-2025-7395
|
|
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/bc8eeea703253bd65d472a9541b54fef326e8050]
|
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
|
---
|
|
src/internal.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/internal.c b/src/internal.c
|
|
index 2b090382f..79f584a0a 100644
|
|
--- a/src/internal.c
|
|
+++ b/src/internal.c
|
|
@@ -15991,7 +15991,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|
/* If we can't validate the peer cert chain against the CAs loaded
|
|
* into wolfSSL, try to validate against the system certificates
|
|
* using Apple's native trust APIs */
|
|
- if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
|
|
+ if ((ret == ASN_NO_SIGNER_E) &&
|
|
+ (ssl->ctx->doAppleNativeCertValidationFlag)) {
|
|
if (DoAppleNativeCertValidation(ssl, args->certs,
|
|
args->totalCerts)) {
|
|
WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
|