While testing this patch, I noticed that one ptest fails (test_wolfSSL_CTX_load_verify_locations). This is not a regression from this change: on closer inspection it fails without this patch as well. (I suspect it *may* be fixed by the patch from [1], but that one is long and seems to come with some build flag changes, so for now that test remains failing.)
[1]: https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-connectivity/wolfssl?id=5cf87bcb8704b7ed1fe4aa5953870a2e627dd50a On 12/24/25 13:53, Gyorgy Sarvari via lists.openembedded.org wrote: > Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395 > > Backport the patches from the PR[1] that is referenced by the project's > changelog[2] to fix this issue. > > [1]: https://github.com/wolfSSL/wolfssl/pull/8833 > [2]: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md > > Signed-off-by: Gyorgy Sarvari <[email protected]> > --- > .../wolfssl/files/CVE-2025-7395-1.patch | 84 +++++++++++++++++++ > .../wolfssl/files/CVE-2025-7395-2.patch | 27 ++++++ > .../wolfssl/files/CVE-2025-7395-3.patch | 25 ++++++ > .../wolfssl/wolfssl_5.7.2.bb | 10 ++- > 4 files changed, 142 insertions(+), 4 deletions(-) > create mode 100644 > meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch > create mode 100644 > meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch > create mode 100644 > meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch > > diff --git > a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch > b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch > new file mode 100644 > index 0000000000..9c661d6b57 > --- /dev/null > +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch 
> @@ -0,0 +1,84 @@ > +From e6c0d1ac7b480c0b5e36f660dd3c0f2b45e4c3ab Mon Sep 17 00:00:00 2001 > +From: Ruby Martin <[email protected]> > +Date: Mon, 2 Jun 2025 16:38:32 -0600 > +Subject: [PATCH] create policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION, > + domain name checking > + > +CVE: CVE-2025-7395 > +Upstream-Status: Backport > [https://github.com/wolfSSL/wolfssl/commit/9864959e41bd9259f258c09171ae2ec1c43fbc7f] > +Signed-off-by: Gyorgy Sarvari <[email protected]> > +--- > + src/internal.c | 25 ++++++++++++++++++++----- > + 1 file changed, 20 insertions(+), 5 deletions(-) > + > +diff --git a/src/internal.c b/src/internal.c > +index 6bbd38fa8..2b090382f 100644 > +--- a/src/internal.c > ++++ b/src/internal.c > +@@ -221,7 +221,7 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add > LARGE_STATIC_BUFFERS > + #include <Security/SecCertificate.h> > + #include <Security/SecTrust.h> > + #include <Security/SecPolicy.h> > +-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs, > ++static int DoAppleNativeCertValidation(WOLFSSL* ssl, const > WOLFSSL_BUFFER_INFO* certs, > + int totalCerts); > + #endif /* #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */ > + > +@@ -15992,7 +15992,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, > word32* inOutIdx, > + * into wolfSSL, try to validate against the system certificates > + * using Apple's native trust APIs */ > + if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) { > +- if (DoAppleNativeCertValidation(args->certs, > ++ if (DoAppleNativeCertValidation(ssl, args->certs, > + args->totalCerts)) { > + WOLFSSL_MSG("Apple native cert chain validation > SUCCESS"); > + ret = 0; > +@@ -41246,7 +41246,8 @@ cleanup: > + * wolfSSL's built-in certificate validation mechanisms anymore. 
We instead > + * must call into the Security Framework APIs to authenticate peer > certificates > + */ > +-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs, > ++static int DoAppleNativeCertValidation(WOLFSSL* ssl, > ++ const WOLFSSL_BUFFER_INFO* > certs, > + int totalCerts) > + { > + int i; > +@@ -41255,7 +41256,8 @@ static int DoAppleNativeCertValidation(const > WOLFSSL_BUFFER_INFO* certs, > + CFMutableArrayRef certArray = NULL; > + SecCertificateRef secCert = NULL; > + SecTrustRef trust = NULL; > +- SecPolicyRef policy = NULL ; > ++ SecPolicyRef policy = NULL; > ++ CFStringRef hostname = NULL; > + > + WOLFSSL_ENTER("DoAppleNativeCertValidation"); > + > +@@ -41283,7 +41285,17 @@ static int DoAppleNativeCertValidation(const > WOLFSSL_BUFFER_INFO* certs, > + } > + > + /* Create trust object for SecCertifiate Ref */ > +- policy = SecPolicyCreateSSL(true, NULL); > ++ if (ssl->buffers.domainName.buffer && > ++ ssl->buffers.domainName.length > 0) { > ++ /* Create policy with specified value to require host name match */ > ++ hostname = CFStringCreateWithCString(kCFAllocatorDefault, > ++ (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8); > ++ } > ++ if (hostname != NULL) { > ++ policy = SecPolicyCreateSSL(true, hostname); > ++ } else { > ++ policy = SecPolicyCreateSSL(true, NULL); > ++ } > + status = SecTrustCreateWithCertificates(certArray, policy, &trust); > + if (status != errSecSuccess) { > + WOLFSSL_MSG_EX("Error creating trust object, " > +@@ -41314,6 +41326,9 @@ cleanup: > + if (policy) { > + CFRelease(policy); > + } > ++ if (hostname) { > ++ CFRelease(hostname); > ++ } > + > + WOLFSSL_LEAVE("DoAppleNativeCertValidation", ret); > + > diff --git > a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch > b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch > new file mode 100644 > index 0000000000..857f6bb367 > --- /dev/null 
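Review bot: When a domain name is configured but `CFStringCreateWithCString` returns NULL (for example if the buffer is not valid UTF-8), the new code falls through to `SecPolicyCreateSSL(true, NULL)` and silently drops host-name checking, which is exactly the weakness this CVE is about. I would treat that as a hard failure instead of a downgrade: inside the `if (ssl->buffers.domainName.buffer && ...)` block add `if (hostname == NULL) { WOLFSSL_MSG("Failed to create hostname string"); goto cleanup; }` and keep the NULL-policy path only for the genuinely-no-domain-name case. The `(const char*)` cast also appears to rely on `domainName.buffer` being NUL-terminated while only `domainName.length` is checked; a comment stating that assumption (or passing a length-bounded conversion) would make it explicit. The body of `DoAppleNativeCertValidation`, including where `ret` is initialised, lies outside the hunk, so confirm that reaching `cleanup` before `ret` is set reports failure to `ProcessPeerCerts`.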
> +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch > @@ -0,0 +1,27 @@ > +From aad4e7c38f3784942923f4871d61a7e41d3de842 Mon Sep 17 00:00:00 2001 > +From: Brett <[email protected]> > +Date: Wed, 4 Jun 2025 15:48:15 -0600 > +Subject: [PATCH] prevent apple native cert validation from overriding error > + codes other than ASN_NO_SIGNER_E > + > +CVE: CVE-2025-7395 > +Upstream-Status: Backport > [https://github.com/wolfSSL/wolfssl/commit/bc8eeea703253bd65d472a9541b54fef326e8050] > +Signed-off-by: Gyorgy Sarvari <[email protected]> > +--- > + src/internal.c | 3 ++- > + 1 file changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/src/internal.c b/src/internal.c > +index 2b090382f..79f584a0a 100644 > +--- a/src/internal.c > ++++ b/src/internal.c > +@@ -15991,7 +15991,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, > word32* inOutIdx, > + /* If we can't validate the peer cert chain against the CAs > loaded > + * into wolfSSL, try to validate against the system certificates > + * using Apple's native trust APIs */ > +- if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) { > ++ if ((ret == ASN_NO_SIGNER_E) && > ++ (ssl->ctx->doAppleNativeCertValidationFlag)) { > + if (DoAppleNativeCertValidation(ssl, args->certs, > + args->totalCerts)) { > + WOLFSSL_MSG("Apple native cert chain validation > SUCCESS"); > diff --git > a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch > b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch > new file mode 100644 > index 0000000000..a7e1c336f3 > --- /dev/null > +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch 
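Review bot: The comment above the narrowed condition still says "If we can't validate the peer cert chain against the CAs loaded into wolfSSL", which no longer matches the code: only `ASN_NO_SIGNER_E` now reaches the Apple fallback, and every other verification failure is kept. I would update it to something like `/* Fall back to Apple's native trust store only when the sole problem is a missing trusted signer; any other verification error (bad signature, expiry, name mismatch, ...) must stand and is never overridden by the system-store result */` so the security intent of the CVE fix is visible at the call site. `ProcessPeerCerts` continues outside the hunk.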
> @@ -0,0 +1,25 @@ > +From f2a85e37e552d8dfafa2cbf32507b2fa545ee593 Mon Sep 17 00:00:00 2001 > +From: Brett <[email protected]> > +Date: Wed, 4 Jun 2025 16:56:16 -0600 > +Subject: [PATCH] add missing error trace macro > + > +CVE: CVE-2025-7395 > +Upstream-Status: Backport > [https://github.com/wolfSSL/wolfssl/commit/0e2a3fd0b64bc6ba633aa9227e92ecacb42b5b1b] > +Signed-off-by: Gyorgy Sarvari <[email protected]> > +--- > + src/internal.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/src/internal.c b/src/internal.c > +index 79f584a0a..5557b5698 100644 > +--- a/src/internal.c > ++++ b/src/internal.c > +@@ -15991,7 +15991,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, > word32* inOutIdx, > + /* If we can't validate the peer cert chain against the CAs > loaded > + * into wolfSSL, try to validate against the system certificates > + * using Apple's native trust APIs */ > +- if ((ret == ASN_NO_SIGNER_E) && > ++ if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) && > + (ssl->ctx->doAppleNativeCertValidationFlag)) { > + if (DoAppleNativeCertValidation(ssl, args->certs, > + args->totalCerts)) { > diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb > b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb > index 8f484d6098..5e66c8b186 100644 > --- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb > +++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb 
> @@ -12,10 +12,12 @@ LIC_FILES_CHKSUM = > "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" > PROVIDES += "cyassl" > RPROVIDES:${PN} = "cyassl" > > -SRC_URI = " \ > - git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \ > - file://run-ptest \ > -" > +SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master > \ > + file://run-ptest \ > + file://CVE-2025-7395-1.patch \ > + file://CVE-2025-7395-2.patch \ > + file://CVE-2025-7395-3.patch \ > + " > SRCREV = "00e42151ca061463ba6a95adb2290f678cbca472" > > S = "${WORKDIR}/git" > > >
