diff mbox series

[meta-oe,kirkstone,1/1] mbedtls: fix CVE-2024-28755 and CVE-2024-28836

Message ID 20250205052423.2690996-1-yogita.urade@windriver.com
State New
Headers show
Series [meta-oe,kirkstone,1/1] mbedtls: fix CVE-2024-28755 and CVE-2024-28836 | expand

Commit Message

yurade Feb. 5, 2025, 5:24 a.m. UTC 
From: Yogita Urade <yogita.urade@windriver.com>

An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When
an SSL context was reset with the mbedtls_ssl_session_reset()
API, the maximum TLS version to be negotiated was not restored
to the configured one. An attacker was able to prevent an Mbed
TLS server from establishing any TLS 1.3 connection, potentially
resulting in a Denial of Service or forced version downgrade from
TLS 1.3 to TLS 1.2.

fix indent issue in mbedtls_3.5.2.bb file.

Reference:
https://security-tracker.debian.org/tracker/CVE-2024-28755
https://security-tracker.debian.org/tracker/CVE-2024-28836

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 .../CVE-2024-28755-and-CVE-2024-28836.patch   | 67 +++++++++++++++++++
 .../mbedtls/mbedtls_3.5.2.bb                  |  6 +-
 2 files changed, 71 insertions(+), 2 deletions(-)
 create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2024-28755-and-CVE-2024-28836.patch
diff mbox series

Patch

diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2024-28755-and-CVE-2024-28836.patch b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2024-28755-and-CVE-2024-28836.patch
new file mode 100644
index 0000000000..8a2d38c23f
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/CVE-2024-28755-and-CVE-2024-28836.patch
@@ -0,0 +1,67 @@ 
+From ad736991bb59211118a29fe115367c24495300c2 Mon Sep 17 00:00:00 2001
+From: Janos Follath <janos.follath@arm.com>
+Date: Fri, 9 Feb 2024 16:04:59 +0000
+Subject: [PATCH] Merge pull request #1177 from
+ ronald-cron-arm/tls-max-version-reset
+
+Reset properly the TLS maximum negotiable version
+
+CVE: CVE-2024-28755
+CVE: CVE-2024-28836
+Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/commit/ad736991bb59211118a29fe115367c24495300c2]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ library/ssl_tls.c |  1 +
+ tests/ssl-opt.sh  | 24 ++++++++++++++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/library/ssl_tls.c b/library/ssl_tls.c
+index cfb2798182..f3c701818b 100644
+--- a/library/ssl_tls.c
++++ b/library/ssl_tls.c
+@@ -1539,6 +1539,7 @@ int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
+     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+     ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
++    ssl->tls_version = ssl->conf->max_tls_version;
+
+     mbedtls_ssl_session_reset_msg_layer(ssl, partial);
+
+diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
+index 48b3c0cb26..448bd3825f 100755
+--- a/tests/ssl-opt.sh
++++ b/tests/ssl-opt.sh
+@@ -11307,6 +11307,30 @@ run_test    "TLS 1.3: Default" \
+             -s "ECDH/FFDH group: " \
+             -s "selected signature algorithm ecdsa_secp256r1_sha256"
+
++requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
++requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
++requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
++requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
++run_test    "Establish TLS 1.2 then TLS 1.3 session" \
++            "$P_SRV" \
++            "( $P_CLI force_version=tls12; \
++               $P_CLI force_version=tls13 )" \
++            0 \
++            -s "Protocol is TLSv1.2" \
++            -s "Protocol is TLSv1.3" \
++
++requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
++requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
++requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
++requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
++run_test    "Establish TLS 1.3 then TLS 1.2 session" \
++            "$P_SRV" \
++            "( $P_CLI force_version=tls13; \
++               $P_CLI force_version=tls12 )" \
++            0 \
++            -s "Protocol is TLSv1.3" \
++            -s "Protocol is TLSv1.2" \
++
+ requires_openssl_tls1_3_with_compatible_ephemeral
+ requires_config_enabled MBEDTLS_DEBUG_C
+ requires_config_enabled MBEDTLS_SSL_CLI_C
+--
+2.40.0
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb
index 2fedac48cf..829d54307a 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.5.2.bb
@@ -25,8 +25,10 @@  SECTION = "libs"
 S = "${WORKDIR}/git"
 SRCREV = "daca7a3979c22da155ec9dce49ab1abf3b65d3a9"
 SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \
-	file://0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch \
-	file://run-ptest"
+           file://0001-AES-NI-use-target-attributes-for-x86-32-bit-intrinsi.patch \
+           file://run-ptest \
+           file://CVE-2024-28755-and-CVE-2024-28836.patch \
+          "
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
 
 inherit cmake update-alternatives ptest