From: Deepak Rathore <[email protected]> Analysis: - The Mbed TLS advisory states the issue occurs when LLVM select-optimize is enabled. [1] - The same advisory also states that Arm/x86 builds with MBEDTLS_HAVE_ASM enabled are not affected. The default mbedtls configuration in this branch enables MBEDTLS_HAVE_ASM. - NVD also describes the issue as occurring only with LLVM's select-optimize feature. [2] - The mbedtls recipes now evaluate the effective build flags across target, native, and nativesdk variants, handle the supported -mllvm spellings, and only mark the CVE unpatched when the vulnerable LLVM option combination is explicitly enabled and the Arm/x86 MBEDTLS_HAVE_ASM carve-out does not apply. - When those conditions are not met, the current mbedtls build configuration is not affected. - Hence ignoring/deferred the CVE for now.
Reference: [1] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-compiler-induced-constant-time-violations/ [2] https://nvd.nist.gov/vuln/detail/CVE-2025-66442 Signed-off-by: Deepak Rathore <[email protected]> --- .../mbedtls/mbedtls_3.6.6.bb | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.6.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.6.bb index 23d5c0878f..865c9c2b68 100644 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.6.bb +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.6.bb @@ -56,8 +56,25 @@ ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello" BBCLASSEXTEND = "native nativesdk" +MBEDTLS_CVE_2025_66442_FLAGS = "${CFLAGS} ${CXXFLAGS} ${CPPFLAGS} ${TOOLCHAIN_OPTIONS}" +MBEDTLS_CVE_2025_66442_FLAGS:append:class-native = " ${BUILD_CFLAGS} ${BUILD_CXXFLAGS} ${BUILD_CPPFLAGS}" +MBEDTLS_CVE_2025_66442_FLAGS:append:class-nativesdk = " ${BUILDSDK_CFLAGS} ${BUILDSDK_CXXFLAGS} ${BUILDSDK_CPPFLAGS}" +MBEDTLS_CVE_2025_66442_ARCH = "${TARGET_ARCH}" +MBEDTLS_CVE_2025_66442_ARCH:class-native = "${BUILD_ARCH}" + CVE_PRODUCT = "mbed_tls" +CVE_STATUS[CVE-2025-66442] = "${@ \ + 'unpatched' if ( \ + ((('-mllvm' in d.getVar('MBEDTLS_CVE_2025_66442_FLAGS').split() and \ + ('--disable-select-optimize=false' in d.getVar('MBEDTLS_CVE_2025_66442_FLAGS').split() or \ + '-disable-select-optimize=false' in d.getVar('MBEDTLS_CVE_2025_66442_FLAGS').split())) or \ + '-mllvm=--disable-select-optimize=false' in d.getVar('MBEDTLS_CVE_2025_66442_FLAGS').split() or \ + '-mllvm=-disable-select-optimize=false' in d.getVar('MBEDTLS_CVE_2025_66442_FLAGS').split()) and \ + d.getVar('MBEDTLS_CVE_2025_66442_ARCH') not in ('aarch64', 'aarch64_be', 'arm', 'armeb', 'i586', 'i686', 'x86_64'))) \ + else 'not-applicable-config: CVE applies only when LLVM select-optimize is enabled and the Arm/x86 MBEDTLS_HAVE_ASM carve-out does not apply; current mbedtls build configuration does not meet those conditions' \ +}" + # Strip host paths from autogenerated test files do_compile:append() { sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || : -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#128057): https://lists.openembedded.org/g/openembedded-devel/message/128057 Mute This Topic: https://lists.openembedded.org/mt/120153089/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
