From: Kai Kang <[email protected]>

CVE-2025-47917 is that the function mbedtls_x509_string_to_names() takes a head argument and performs a deep free() on it.
Backport patch to fix CVE-2025-47917 and drop the modification in doc file and comment in header file which lack context.

Signed-off-by: Kai Kang <[email protected]>
--- .../mbedtls/mbedtls/CVE-2025-47917.patch | 52 +++++++++++++++++++ .../mbedtls/mbedtls_2.28.10.bb | 4 +- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch new file mode 100644 index 0000000000..75c4829191 --- /dev/null +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2025-47917.patch 
@@ -0,0 +1,52 @@ +From 19d2c9165a13decf754177adda2bf59fd0e32aa1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= + <[email protected]> +Date: Mon, 5 May 2025 16:41:52 +0200 +Subject: [PATCH] Fix undocumented free() in x509_string_to_names() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Now programs/x509/cert_write san="DN:CN=#0000;DN:CN=#0000" is no longer +crashing with use-after-free, instead it's now failing cleanly: + + failed + ! mbedtls_x509_string_to_names returned -0x2800 - X509 - Input invalid + +That's better of course but still not great, will be fixed by future +commits. + +Signed-off-by: Manuel Pégourié-Gonnard <[email protected]> + +CVE: CVE-2025-47917 + +Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/43a1e73] + +Backport patch to fix CVE-2025-47917 and drop the modification in doc +file and comment in header file which lack of context. + +Signed-off-by: Kai Kang <[email protected]> +--- + library/x509_create.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + create mode 100644 ChangeLog.d/fix-string-to-names-memory-management.txt + +diff --git a/library/x509_create.c b/library/x509_create.c +index 839b5df226..420e36b81b 100644 +--- a/library/x509_create.c ++++ b/library/x509_create.c +@@ -122,8 +122,12 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam + char data[MBEDTLS_X509_MAX_DN_NAME_SIZE]; + char *d = data; + +- /* Clear existing chain if present */ +- mbedtls_asn1_free_named_data_list(head); ++ /* Ensure the output parameter is not already populated. ++ * (If it were, overwriting it would likely cause a memory leak.) ++ */ ++ if (*head != NULL) { ++ return MBEDTLS_ERR_X509_BAD_INPUT_DATA; ++ } + + while (c <= end) { + if (in_tag && *c == '=') { 
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb index f62e93a930..a323607367 100644 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.10.bb @@ -24,7 +24,9 @@ SECTION = "libs" S = "${WORKDIR}/git" SRCREV = "2fc8413bfcb51354c8e679141b17b3f1a5942561" -SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=archive/mbedtls-2.28" +SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=archive/mbedtls-2.28 \ + file://CVE-2025-47917.patch \ + " inherit cmake update-alternatives -- 2.34.1
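Review bot: replacing `mbedtls_asn1_free_named_data_list(head)` with `if (*head != NULL) { return MBEDTLS_ERR_X509_BAD_INPUT_DATA; }` in the x509_create.c hunk changes the function's contract, not just its memory handling: a caller that passes an already-populated list, which was previously freed and rebuilt, now gets -0x2800 back and stays the owner of that list. Because this backport deliberately drops the upstream doc and header-comment changes, nothing in the 2.28 tree tells callers that `*head` must be NULL on entry; consider keeping at least the header comment for mbedtls_x509_string_to_names() so the new precondition is visible. Two smaller points in the embedded patch header: the diffstat reports `1 files changed, 6 insertions(+), 2 deletions(-)` yet still lists `create mode 100644 ChangeLog.d/fix-string-to-names-memory-management.txt`, which is no longer part of the patch, and the `From 19d2c9165a13decf754177adda2bf59fd0e32aa1` line does not match the commit named in `Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/43a1e73]`; regenerating the header after trimming the hunks would make both consistent.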
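To make the contract change concrete for reviewers, here is an added example that is not mbedtls code and not part of this patch: a small stand-in for the named-data list that `mbedtls_x509_string_to_names()` fills through its `head` output parameter, with the pre-patch behaviour (deep-free whatever the caller passed) beside the post-patch behaviour (reject a populated `head` and leave it untouched). All names in it (`named_data`, `names_free`, `string_to_names_old`, `string_to_names_new`, the `demo_*` functions) are the example's own; only the -0x2800 error value comes from the commit message.

```c
/* Added example, not mbedtls code: minimal stand-in for the
 * mbedtls_asn1_named_data output-parameter contract this patch changes.
 * All identifiers are the example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERR_BAD_INPUT_DATA (-0x2800) /* value shown in the commit message */

typedef struct named_data {
    char *val;
    struct named_data *next;
} named_data;

static size_t g_freed_nodes; /* counts nodes released by names_free() */

/* Deep-free the list and reset the caller's pointer to NULL. */
void names_free(named_data **head)
{
    named_data *cur = *head;
    while (cur != NULL) {
        named_data *next = cur->next;
        free(cur->val);
        free(cur);
        g_freed_nodes++;
        cur = next;
    }
    *head = NULL;
}

size_t names_count(const named_data *head)
{
    size_t n = 0;
    for (; head != NULL; head = head->next) n++;
    return n;
}

/* Prepend one node holding a copy of s[0..n). */
static int names_push(named_data **head, const char *s, size_t n)
{
    named_data *node = calloc(1, sizeof *node);
    if (node == NULL) return -1;
    node->val = malloc(n + 1);
    if (node->val == NULL) { free(node); return -1; }
    memcpy(node->val, s, n);
    node->val[n] = '\0';
    node->next = *head;
    *head = node;
    return 0;
}

/* Parse a comma-separated list of "key=value" items into *head. */
static int parse_into(named_data **head, const char *name)
{
    const char *c = name;
    for (;;) {
        const char *sep = strchr(c, ',');
        size_t n = sep ? (size_t)(sep - c) : strlen(c);
        if (n == 0 || memchr(c, '=', n) == NULL) return ERR_BAD_INPUT_DATA;
        if (names_push(head, c, n) != 0) return -1;
        if (sep == NULL) return 0;
        c = sep + 1;
    }
}

/* Pre-patch contract: whatever *head points to is deep-freed first, so a
 * caller still holding pointers into that list is left dangling. */
int string_to_names_old(named_data **head, const char *name)
{
    names_free(head);
    return parse_into(head, name);
}

/* Post-patch contract: a populated output parameter is an input error and
 * the caller's list is left exactly as it was. */
int string_to_names_new(named_data **head, const char *name)
{
    if (*head != NULL) return ERR_BAD_INPUT_DATA;
    return parse_into(head, name);
}

/* Returns how many caller-owned nodes the old variant silently freed (2). */
size_t demo_old_frees_callers_list(void)
{
    named_data *list = NULL;
    size_t before, freed;
    if (string_to_names_old(&list, "CN=a,O=b") != 0) return (size_t)-1;
    before = g_freed_nodes;
    if (string_to_names_old(&list, "CN=c") != 0) return (size_t)-1;
    freed = g_freed_nodes - before;
    names_free(&list);
    return freed;
}

/* Returns 1 if the new variant rejects a populated head and leaves the
 * caller's two nodes intact and unfreed, 0 otherwise. */
int demo_new_rejects_populated(void)
{
    named_data *list = NULL;
    size_t before;
    int ok;
    if (string_to_names_new(&list, "CN=a,O=b") != 0) return 0;
    before = g_freed_nodes;
    ok = string_to_names_new(&list, "CN=c") == ERR_BAD_INPUT_DATA
         && names_count(list) == 2
         && g_freed_nodes == before
         && strcmp(list->val, "O=b") == 0; /* prepend order: last item first */
    names_free(&list);
    return ok;
}

int main(void)
{
    printf("old variant freed %zu caller-owned nodes\n",
           demo_old_frees_callers_list());
    printf("new variant rejects populated head: %s\n",
           demo_new_rejects_populated() ? "yes" : "no");
    return 0;
}
```

The point the two `demo_*` functions make is the one a 2.28 caller needs to know after this backport: the function no longer takes ownership of an existing list, so the caller must free it (or start from a NULL pointer) before calling, and a non-NULL `*head` now surfaces as the same -0x2800 that cert_write reports in the commit message.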
View/Reply Online (#122675): https://lists.openembedded.org/g/openembedded-devel/message/122675
