diff --git a/SPECS/edk2/CVE-2025-68160.patch b/SPECS/edk2/CVE-2025-68160.patch
new file mode 100644
index 00000000000..4902ca032c5
--- /dev/null
+++ b/SPECS/edk2/CVE-2025-68160.patch
@@ -0,0 +1,81 @@
+From 6f819ea3c4a9e54992e5a819f82e4cd855e56c28 Mon Sep 17 00:00:00 2001
+From: Neil Horman
+Date: Wed, 7 Jan 2026 11:52:09 -0500
+Subject: [PATCH] Fix heap buffer overflow in BIO_f_linebuffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When a FIO_f_linebuffer is part of a bio chain, and the next BIO
+preforms short writes, the remainder of the unwritten buffer is copied
+unconditionally to the internal buffer ctx->obuf, which may not be
+sufficiently sized to handle the remaining data, resulting in a buffer
+overflow.
+
+Fix it by only copying data when ctx->obuf has space, flushing to the
+next BIO to increase available storage if needed.
+
+Fixes openssl/srt#48
+
+Fixes CVE-2025-68160
+
+Reviewed-by: Nikola Pajkovsky
+Reviewed-by: Eugene Syromiatnikov
+Reviewed-by: Saša Nedvědický
+Reviewed-by: Tomas Mraz
+MergeDate: Mon Jan 26 19:41:40 2026
+(cherry picked from commit b21663c35a6f0ed4c8de06855bdc7a6a21f00c2f)
+Signed-off-by: rpm-build
+Upstream-reference: https://github.com/openssl/openssl/commit/475c466ef2fbd8fc1df6fae1c3eed9c813fc8ff6.patch
+---
+ .../OpensslLib/openssl/crypto/bio/bf_lbuf.c | 32 +++++++++++++++----
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bf_lbuf.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bf_lbuf.c
+index 73f1216..a471b28 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bf_lbuf.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/bio/bf_lbuf.c
+@@ -189,14 +189,34 @@ static int linebuffer_write(BIO *b, const char *in, int inl)
+ while (foundnl && inl > 0);
+ /*
+ * We've written as much as we can. The rest of the input buffer, if
+- * any, is text that doesn't and with a NL and therefore needs to be
+- * saved for the next trip.
++ * any, is text that doesn't end with a NL and therefore we need to try
++ * free up some space in our obuf so we can make forward progress.
+ */
+- if (inl > 0) {
+- memcpy(&(ctx->obuf[ctx->obuf_len]), in, inl);
+- ctx->obuf_len += inl;
+- num += inl;
++ while (inl > 0) {
++ size_t avail = (size_t)ctx->obuf_size - (size_t)ctx->obuf_len;
++ size_t to_copy;
++
++ if (avail == 0) {
++ /* Flush buffered data to make room */
++ i = BIO_write(b->next_bio, ctx->obuf, ctx->obuf_len);
++ if (i <= 0) {
++ BIO_copy_next_retry(b);
++ return num > 0 ? num : i;
++ }
++ if (i < ctx->obuf_len)
++ memmove(ctx->obuf, ctx->obuf + i, ctx->obuf_len - i);
++ ctx->obuf_len -= i;
++ continue;
++ }
++
++ to_copy = inl > (int)avail ? avail : (size_t)inl;
++ memcpy(&(ctx->obuf[ctx->obuf_len]), in, to_copy);
++ ctx->obuf_len += (int)to_copy;
++ in += to_copy;
++ inl -= (int)to_copy;
++ num += (int)to_copy;
+ }
++
+ return num;
+ }
+
+--
+2.45.4
+
diff --git a/SPECS/edk2/CVE-2025-69418.patch b/SPECS/edk2/CVE-2025-69418.patch
new file mode 100644
index 00000000000..77efda9fe07
--- /dev/null
+++ b/SPECS/edk2/CVE-2025-69418.patch
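Review bot: The first context line of the bf_lbuf.c hunk in this patch reads `+ while (foundnl && inl > 0);`, and a bare `while (...);` with a trailing semicolon is only meaningful as the tail of a `do { ... } while`, so the closing `}` appears to be missing; if the patch file really lacks it rather than this being a rendering artifact, the hunk will be rejected on context mismatch and the overflow fix will quietly not be compiled into the firmware. Worth confirming the patch applies cleanly against the vendored OpenSSL tree before the Release bump goes out. The new `while (inl > 0)` loop itself matches the referenced upstream commit: when `avail == 0` it flushes `obuf` through `BIO_write`, compacts any short-write remainder with `memmove`, and bounds every copy by `to_copy`, so the unbounded `memcpy` of `inl` bytes on the removed side is gone.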
@@ -0,0 +1,78 @@
+From e8ba8f895cf739e932d810632465f8c4eb61ef2c Mon Sep 17 00:00:00 2001
+From: Norbert Pocs
+Date: Thu, 8 Jan 2026 15:04:54 +0100
+Subject: [PATCH] Fix OCB AES-NI/HW stream path unauthenticated/unencrypted
+ trailing bytes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When ctx->stream (e.g., AES‑NI or ARMv8 CE) is available, the fast path
+encrypts/decrypts full blocks but does not advance in/out pointers. The
+tail-handling code then operates on the base pointers, effectively reprocessing
+the beginning of the buffer while leaving the actual trailing bytes
+unencrypted (encryption) or using the wrong plaintext (decryption). The
+authentication checksum excludes the true tail.
+
+CVE-2025-69418
+
+Fixes: https://github.com/openssl/srt/issues/58
+
+Signed-off-by: Norbert Pocs
+
+Reviewed-by: Saša Nedvědický
+Reviewed-by: Eugene Syromiatnikov
+Reviewed-by: Tomas Mraz
+MergeDate: Mon Jan 26 19:48:35 2026
+(cherry picked from commit be9375d5d45dfaf897b56ef148a0b58402491fcb)
+Signed-off-by: rpm-build
+Upstream-reference: https://github.com/openssl/openssl/commit/52d23c86a54adab5ee9f80e48b242b52c4cc2347.patch
+---
+ .../Library/OpensslLib/openssl/crypto/modes/ocb128.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/modes/ocb128.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/modes/ocb128.c
+index b5202ba..95601da 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/modes/ocb128.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/modes/ocb128.c
+@@ -342,7 +342,7 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
+
+ if (num_blocks && all_num_blocks == (size_t)all_num_blocks
+ && ctx->stream != NULL) {
+- size_t max_idx = 0, top = (size_t)all_num_blocks;
++ size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
+
+ /*
+ * See how many L_{i} entries we need to process data at hand
+@@ -356,6 +356,9 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
+ ctx->stream(in, out, num_blocks, ctx->keyenc,
+ (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
+ (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
++ processed_bytes = num_blocks * 16;
++ in += processed_bytes;
++ out += processed_bytes;
+ } else {
+ /* Loop through all full blocks to be encrypted */
+ for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {
+@@ -434,7 +437,7 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
+
+ if (num_blocks && all_num_blocks == (size_t)all_num_blocks
+ && ctx->stream != NULL) {
+- size_t max_idx = 0, top = (size_t)all_num_blocks;
++ size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
+
+ /*
+ * See how many L_{i} entries we need to process data at hand
+@@ -448,6 +451,9 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
+ ctx->stream(in, out, num_blocks, ctx->keydec,
+ (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
+ (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
++ processed_bytes = num_blocks * 16;
++ in += processed_bytes;
++ out += processed_bytes;
+ } else {
+ OCB_BLOCK tmp;
+
+--
+2.45.4
+
diff --git a/SPECS/edk2/CVE-2025-69420.patch b/SPECS/edk2/CVE-2025-69420.patch
new file mode 100644
index 00000000000..3e364f51afc
--- /dev/null
+++ b/SPECS/edk2/CVE-2025-69420.patch
@@ -0,0 +1,51 @@
+From 731b2f46561eaa5d259c686ebd5c39bded1b4b11 Mon Sep 17 00:00:00 2001
+From: Bob Beck
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Verify ASN1 object's types before attempting to access them
+ as a particular type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Issue was reported in ossl_ess_get_signing_cert but is also present in
+ossl_ess_get_signing_cert_v2.
+
+Fixes: https://github.com/openssl/srt/issues/61
+Fixes CVE-2025-69420
+
+Reviewed-by: Norbert Pocs
+Reviewed-by: Saša Nedvědický
+Reviewed-by: Tomas Mraz
+MergeDate: Mon Jan 26 19:53:36 2026
+(cherry picked from commit ea8fc4c345fbd749048809c9f7c881ea656b0b94)
+Signed-off-by: rpm-build
+Upstream-reference: https://github.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a.patch
+---
+ .../Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c
+index 792a27c..d940c49 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c
+@@ -209,7 +209,7 @@ static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
+ const unsigned char *p;
+
+ attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
+- if (attr == NULL)
++ if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+ return NULL;
+ p = attr->value.sequence->data;
+ return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
+@@ -222,7 +222,7 @@ ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si)
+ const unsigned char *p;
+
+ attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
+- if (attr == NULL)
++ if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+ return NULL;
+ p = attr->value.sequence->data;
+ return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
+--
+2.45.4
+
diff --git a/SPECS/edk2/CVE-2025-69421.patch b/SPECS/edk2/CVE-2025-69421.patch
new file mode 100644
index 00000000000..e67c734dcc9
--- /dev/null
+++ b/SPECS/edk2/CVE-2025-69421.patch
@@ -0,0 +1,41 @@
+From e6f9f89eea35858de7d67fab977cfe8204c6ae52 Mon Sep 17 00:00:00 2001
+From: Andrew Dinh
+Date: Thu, 8 Jan 2026 01:24:30 +0900
+Subject: [PATCH] PKCS12_item_decrypt_d2i_ex(): Check oct argument for NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes CVE-2025-69421
+
+Reviewed-by: Nikola Pajkovsky
+Reviewed-by: Saša Nedvědický
+Reviewed-by: Eugene Syromiatnikov
+Reviewed-by: Tomas Mraz
+MergeDate: Mon Jan 26 19:56:08 2026
+(cherry picked from commit 2c13bf15286328641a805eb3b7c97e27d42881fb)
+Signed-off-by: rpm-build
+Upstream-reference: https://github.com/openssl/openssl/commit/36ecb4960872a4ce04bf6f1e1f4e78d75ec0c0c7.patch
+---
+ .../Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c
+index a5adafa..2e14a49 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c
+@@ -137,6 +137,11 @@ void *PKCS12_item_decrypt_d2i_ex(const X509_ALGOR *algor, const ASN1_ITEM *it,
+ void *ret;
+ int outlen = 0;
+
++ if (oct == NULL) {
++ ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_NULL_PARAMETER);
++ return NULL;
++ }
++
+ if (!PKCS12_pbe_crypt_ex(algor, pass, passlen, oct->data, oct->length,
+ &out, &outlen, 0, libctx, propq))
+ return NULL;
+--
+2.45.4
+
diff --git a/SPECS/edk2/CVE-2026-22796.patch b/SPECS/edk2/CVE-2026-22796.patch
new file mode 100644
index 00000000000..7bb1d32b9a4
--- /dev/null
+++ b/SPECS/edk2/CVE-2026-22796.patch
@@ -0,0 +1,77 @@
+From 6948569218e3a4295a7a618fb39e4a39ca622cc6 Mon Sep 17 00:00:00 2001
+From: Bob Beck
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Ensure ASN1 types are checked before use.
+
+Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8
+this fix includes the other fixes in that commit, as well as fixes for others found by a scan
+for a similar unvalidated access paradigm in the tree.
+
+Reviewed-by: Kurt Roeckx
+Reviewed-by: Shane Lontis
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/29582)
+
+Signed-off-by: rpm-build
+Upstream-reference: https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49.patch
+---
+ CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c | 3 ++-
+ .../OpensslLib/openssl/crypto/pkcs12/p12_kiss.c | 10 ++++++++--
+ .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c | 2 ++
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
+index a914238..a21e0a6 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
+@@ -2650,8 +2650,9 @@ int s_client_main(int argc, char **argv)
+ goto end;
+ }
+ atyp = ASN1_generate_nconf(genstr, cnf);
+- if (atyp == NULL) {
++ if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
+ NCONF_free(cnf);
++ ASN1_TYPE_free(atyp);
+ BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
+ goto end;
+ }
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
+index 229b34c..d7e5f2c 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
+@@ -190,11 +190,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+ ASN1_BMPSTRING *fname = NULL;
+ ASN1_OCTET_STRING *lkid = NULL;
+
+- if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
++ if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
++ if (attrib->type != V_ASN1_BMPSTRING)
++ return 0;
+ fname = attrib->value.bmpstring;
++ }
+
+- if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
++ if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
++ if (attrib->type != V_ASN1_OCTET_STRING)
++ return 0;
+ lkid = attrib->value.octet_string;
++ }
+
+ switch (PKCS12_SAFEBAG_get_nid(bag)) {
+ case NID_keyBag:
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+index f52d64a..f05ed5e 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+@@ -1189,6 +1189,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+ ASN1_TYPE *astype;
+ if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
+ return NULL;
++ if (astype->type != V_ASN1_OCTET_STRING)
++ return NULL;
+ return astype->value.octet_string;
+ }
+
+--
+2.45.4
+
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec
index ad0c09a87b5..b9bb4664e7d 100644
--- a/SPECS/edk2/edk2.spec
+++ b/SPECS/edk2/edk2.spec
@@ -55,7 +55,7 @@ ExclusiveArch: x86_64
 Name: edk2
 Version: %{GITDATE}git%{GITCOMMIT}
-Release: 12%{?dist}
+Release: 13%{?dist}
 Summary: UEFI firmware for 64-bit virtual machines
 License: Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain
 URL: https://www.tianocore.org
@@ -142,6 +142,11 @@ Patch1005: CVE-2024-4603.patch
 Patch1006: CVE-2025-3770.patch
 Patch1007: CVE-2025-9230.patch
 Patch1008: CVE-2025-2295.patch
+Patch1009: CVE-2025-68160.patch
+Patch1010: CVE-2025-69418.patch
+Patch1011: CVE-2025-69420.patch
+Patch1012: CVE-2025-69421.patch
+Patch1013: CVE-2026-22796.patch
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -803,6 +808,9 @@ done
 /boot/efi/HvLoader.efi
 %changelog
+* Tue Feb 03 2026 Azure Linux Security Servicing Account - 20240524git3e722403cd16-13
+- Patch for CVE-2026-22796, CVE-2025-69421, CVE-2025-69420, CVE-2025-69418, CVE-2025-68160
+
 * Tue Jan 06 2026 Azure Linux Security Servicing Account - 20240524git3e722403cd16-12
 - Patch for CVE-2025-2295
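Review bot: The five new `Patch1009`–`Patch1013` tags in the -142 hunk only take effect if `%prep` applies them, and that section is outside this diff; confirm it uses `%autosetup`/`%autopatch` (or add matching `%patch` lines for 1009–1013), otherwise the CVE fixes are declared in the spec and changelog but never reach the vendored OpenSSL sources. The new patch files are rooted at `CryptoPkg/Library/OpensslLib/openssl/...`, so their strip level must match whatever the existing Patch1005–Patch1008 CVE patches use, which presumably is the same layout. The changelog entry in the -803 hunk lists all five CVEs and agrees with the Release bump to 13 in the earlier hunk.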