[AutoPR- Security] Patch hvloader for CVE-2026-22795 [MEDIUM]

SPECS/frr/frr.spec

@@ -3,7 +3,7 @@
 Summary:        Routing daemon
 Name:           frr
 Version:        8.5.5
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        GPL-2.0-or-later
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -19,7 +19,9 @@ Patch4:         0004-remove-grpc-test.patch
 Patch5:         CVE-2024-44070.patch
 Patch6:         CVE-2024-55553.patch
 Patch7:         0001-Fix-frr-c90-complaint-error.patch
-
+# Following CVE fixes CVE-2025-61100, CVE-2025-61101, CVE-2025-61102, CVE-2025-61103,
+# CVE-2025-61104, CVE-2025-61105, CVE-2025-61106 and CVE-2025-61107.
+Patch8:         CVE-2025-61099.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison
@@ -201,6 +203,10 @@ rm tests/lib/*grpc*
 %{_sysusersdir}/%{name}.conf
 
 %changelog
+* Wed Jan 21 2026 Archana Shettigar <v-shettigara@microsoft.com> - 8.5.5-5
+- Patch CVE-2025-61099, CVE-2025-61100, CVE-2025-61101, CVE-2025-61102,
+  CVE-2025-61103, CVE-2025-61104, CVE-2025-61105, CVE-2025-61106 and CVE-2025-61107
+
 * Mon Dec 29 2025 Archana Shettigar <v-shettigara@microsoft.com> - 8.5.5-4
 - Rebuilt for net-snmp version up with c90 fix
 

SPECS/hvloader/CVE-2026-22795.patch

@@ -0,0 +1,77 @@
+From f6794d3f13d146454bad354b27b00ef4e8b724f7 Mon Sep 17 00:00:00 2001
+From: Bob Beck <beck@openssl.org>
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Ensure ASN1 types are checked before use.
+
+Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8
+this fix includes the other fixes in that commit, as well as fixes for others found by a scan
+for a similar unvalidated access paradigm in the tree.
+
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/29582)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49.patch
+---
+ CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c   |  3 ++-
+ .../OpensslLib/openssl/crypto/pkcs12/p12_kiss.c        | 10 ++++++++--
+ .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c |  2 ++
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
+index 00effc80..6e8cc6e9 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
+@@ -2698,8 +2698,9 @@ int s_client_main(int argc, char **argv)
+                 goto end;
+             }
+             atyp = ASN1_generate_nconf(genstr, cnf);
+-            if (atyp == NULL) {
++        if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
+                 NCONF_free(cnf);
++            ASN1_TYPE_free(atyp);
+                 BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
+                 goto end;
+             }
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
+index 7ab98385..d90404dd 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
+@@ -183,11 +183,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+     ASN1_BMPSTRING *fname = NULL;
+     ASN1_OCTET_STRING *lkid = NULL;
+
+-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
++    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
++        if (attrib->type != V_ASN1_BMPSTRING)
++            return 0;
+         fname = attrib->value.bmpstring;
++    }
+
+-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
++    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
++        if (attrib->type != V_ASN1_OCTET_STRING)
++            return 0;
+         lkid = attrib->value.octet_string;
++    }
+
+     switch (PKCS12_SAFEBAG_get_nid(bag)) {
+     case NID_keyBag:
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+index f63fbc50..4e0eb1e8 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+@@ -1092,6 +1092,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+     ASN1_TYPE *astype;
+     if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
+         return NULL;
++    if (astype->type != V_ASN1_OCTET_STRING)
++        return NULL;
+     return astype->value.octet_string;
+ }
+
+-- 
+2.45.4
+

SPECS/hvloader/hvloader.spec

@@ -4,7 +4,7 @@
 Summary:        HvLoader.efi is an EFI application for loading an external hypervisor loader.
 Name:           hvloader
 Version:        1.0.1
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -36,6 +36,7 @@ Patch18: 	CVE-2023-45236.patch
 Patch19: 	CVE-2024-38796.patch
 Patch20:  	CVE-2025-3770.patch
 Patch21:        CVE-2025-2296.patch
+Patch22:        CVE-2026-22795.patch
 
 BuildRequires:  bc
 BuildRequires:  gcc
@@ -81,6 +82,9 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{
 /boot/efi/HvLoader.efi
 
 %changelog
+* Wed Feb 04 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.0.1-16
+- Patch for CVE-2026-22795
+
 * Wed Nov 20 2025 Jyoti kanase <v-jykanase@microsoft.com> - 1.0.1-15
 - Patch for CVE-2025-2296