Signed-off-by: Mathieu Dubois-Briand <[email protected]>
---
 .../mbedtls/mbedtls/CVE-2020-36477.patch      | 64 +++++++++++++++++++
 .../mbedtls/mbedtls/CVE-2022-35409.patch      | 41 ++++++++++++
 .../mbedtls/mbedtls_2.16.12.bb                |  5 +-
 3 files changed, 109 insertions(+), 1 deletion(-)
 create mode 100644 
meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2020-36477.patch
 create mode 100644 
meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2022-35409.patch

diff --git 
a/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2020-36477.patch 
b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2020-36477.patch
new file mode 100644
index 000000000000..51523bb65901
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2020-36477.patch
@@ -0,0 +1,64 @@
+From e51994dd4ecc877320546af7b1d6ac375ee6ed5f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
+ <[email protected]>
+Date: Tue, 21 Jul 2020 13:22:41 +0200
+Subject: [PATCH 1/2] Fix comparison between different name types
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
+
+Upstream-Status: Backport
+CVE: CVE-2020-36477
+Reference to upstream patch:
+https://github.com/Mbed-TLS/mbedtls/commit/f3e4bd8632b71dc491e52e6df87dc3e409d2b869
+
+Signed-off-by: Mathieu Dubois-Briand <[email protected]>
+---
+ library/x509_crt.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/library/x509_crt.c b/library/x509_crt.c
+index 14c53fcbfc78..d3e1c8b12c6a 100644
+--- a/library/x509_crt.c
++++ b/library/x509_crt.c
+@@ -2452,6 +2452,26 @@ static int x509_crt_check_cn( const mbedtls_x509_buf 
*name,
+     return( -1 );
+ }
+ 
++/*
++ * Check for SAN match, see RFC 5280 Section 4.2.1.6
++ */
++#define MBEDTLS_X509_SAN_DNS_NAME                        2
++static int x509_crt_check_san( const mbedtls_x509_buf *name,
++                               const char *cn, size_t cn_len )
++{
++    const unsigned char san_type = (unsigned char) name->tag &
++                                   MBEDTLS_ASN1_TAG_VALUE_MASK;
++
++    /* dNSName */
++    if( san_type == MBEDTLS_X509_SAN_DNS_NAME )
++        return( x509_crt_check_cn( name, cn, cn_len ) );
++
++    /* (We may handle other types here later.) */
++
++    /* Unrecognized type */
++    return( -1 );
++}
++
+ /*
+  * Verify the requested CN - only call this if cn is not NULL!
+  */
+@@ -2467,7 +2487,7 @@ static void x509_crt_verify_name( const mbedtls_x509_crt 
*crt,
+     {
+         for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
+         {
+-            if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 )
++            if( x509_crt_check_san( &cur->buf, cn, cn_len ) == 0 )
+                 break;
+         }
+ 
+-- 
+2.34.1
+
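Review bot: In x509_crt_check_san the cast in `(unsigned char) name->tag & MBEDTLS_ASN1_TAG_VALUE_MASK` applies to name->tag before the mask, so san_type ends up as the masked low byte either way, but the intent reads more plainly as `(unsigned char)( name->tag & MBEDTLS_ASN1_TAG_VALUE_MASK )`. Because this file is a backport of the referenced upstream commit, I would keep its content byte-identical and raise the wording upstream rather than diverge in the layer. The second inner hunk only swaps the SAN loop's call from x509_crt_check_cn to x509_crt_check_san; x509_crt_verify_name starts and ends outside the hunk, so the path that flags a mismatch when no SAN matched is not visible here.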
diff --git 
a/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2022-35409.patch 
b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2022-35409.patch
new file mode 100644
index 000000000000..6dbbe6c05599
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2022-35409.patch
@@ -0,0 +1,41 @@
+From 6571286ef9abd2da10d180a76cea6b6ee51a09a4 Mon Sep 17 00:00:00 2001
+From: Andrzej Kurek <[email protected]>
+Date: Mon, 6 Jun 2022 14:42:41 -0400
+Subject: [PATCH 2/2] Add missing sid_len in calculations of cookie sizes This
+ could lead to a potential buffer overread with small
+ MBEDTLS_SSL_IN_CONTENT_LEN. Change the bound calculations so that it is
+ apparent what lengths and sizes are used.
+
+Signed-off-by: Andrzej Kurek <[email protected]>
+
+Upstream-Status: Backport
+CVE: CVE-2022-35409
+Reference to upstream patch:
+https://github.com/Mbed-TLS/mbedtls/commit/e5af9fabf7d68e3807b6ea78792794b8352dbba2
+
+Signed-off-by: Mathieu Dubois-Briand <[email protected]>
+---
+ library/ssl_tls.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/library/ssl_tls.c b/library/ssl_tls.c
+index 127276486bcb..f2f421498418 100644
+--- a/library/ssl_tls.c
++++ b/library/ssl_tls.c
+@@ -4169,11 +4169,11 @@ static int ssl_check_dtls_clihlo_cookie(
+     }
+ 
+     sid_len = in[59];
+-    if( sid_len > in_len - 61 )
++    if( 59 + 1 + sid_len + 1 > in_len )
+         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ 
+     cookie_len = in[60 + sid_len];
+-    if( cookie_len > in_len - 60 )
++    if( 59 + 1 + sid_len + 1 + cookie_len > in_len )
+         return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ 
+     if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
+-- 
+2.34.1
+
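Review bot: The new bounds `59 + 1 + sid_len + 1 > in_len` and `59 + 1 + sid_len + 1 + cookie_len > in_len` are only safe because `in[59]` is read before the first of them, which relies on an in_len check earlier in ssl_check_dtls_clihlo_cookie that lies outside this hunk; it is worth confirming that check guarantees at least 60 bytes in the 2.16.12 source the patch is applied to. The offsets 59, 60 and 61 are otherwise unexplained, and a one-line comment above `sid_len = in[59];` such as `/* in[59] is the session_id length; the cookie length byte follows the session_id at in[60 + sid_len] and the cookie starts at in[61 + sid_len] */` would let a reader check the arithmetic against the f_cookie_check call that follows. Since the file is a backport of the referenced upstream commit, that comment would be a local addition to the patch rather than a change to its logic.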
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb 
b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
index adb8e4a2c994..264e8abc15fc 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
@@ -25,7 +25,10 @@ LIC_FILES_CHKSUM = " \
 
 SECTION = "libs"
 
-SRC_URI = "https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/v${PV}.tar.gz";
+SRC_URI = "https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/v${PV}.tar.gz 
\
+           file://CVE-2020-36477.patch \
+           file://CVE-2022-35409.patch \
+          "
 SRC_URI[md5sum] = "f3a7b041c43b35c883632a1773bf61a6"
 SRC_URI[sha256sum] = 
"294871ab1864a65d0b74325e9219d5bcd6e91c34a3c59270c357bb9ae4d5c393"
 
-- 
2.34.1
