new file mode 100644
@@ -0,0 +1,88 @@
+From 947bead23940cacf081f93c3e29f540e3e867b7b Mon Sep 17 00:00:00 2001
+From: Jon Shallow <supjps-libcoap@jpshallow.com>
+Date: Thu, 4 Sep 2025 13:26:06 +0100
+Subject: [PATCH] OSCORE: Fix OSCORE configuration file parsing issue
+
+With a large boolean parameter value, (longer than "false"), memory
+would be read past the "true" or "false" string boundaries in the ".rodata"
+section when doing a memcmp(), potetially causing the application to crash
+when calling coap_new_oscore_conf() with a specially crafted configuration
+file.
+
+It also can provide a mechanism to determine the byte values following the
+"true" or "false" string boundaries which could lead to accessing sensitive
+information. The standard libcoap library does not have defined keys or
+certificates. This can only be done by a specially crafted local application.
+
+Discovered by SecMate (https://secmate.dev).
+
+Now fixed.
+
+CVE: CVE-2025-59391
+Upstream-Status: Backport [https://github.com/obgm/libcoap/commit/da534de75edd1b3628a28908d30b0efbaa01be09]
+(cherry picked from commit da534de75edd1b3628a28908d30b0efbaa01be09)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/coap_oscore.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/coap_oscore.c b/src/coap_oscore.c
+index 2d7dd6d0..723b5ef5 100644
+--- a/src/coap_oscore.c
++++ b/src/coap_oscore.c
+@@ -1675,6 +1675,7 @@ get_split_entry(const char **start,
+ const char *kend;
+ const char *split;
+ size_t i;
++ size_t len;
+
+ retry:
+ kend = end = memchr(begin, '\n', size);
+@@ -1751,9 +1752,10 @@ retry:
+ value->u.value_str.length = end - begin;
+ break;
+ case COAP_ENC_BOOL:
+- if (memcmp("true", begin, end - begin) == 0)
++ len = (size_t)(end - begin);
++ if (len == 4 && memcmp("true", begin, len) == 0)
+ value->u.value_int = 1;
+- else if (memcmp("false", begin, end - begin) == 0)
++ else if (len == 5 && memcmp("false", begin, len) == 0)
+ value->u.value_int = 0;
+ else
+ goto bad_entry;
+@@ -1768,7 +1770,7 @@ bad_entry:
+ coap_log_warn("oscore_conf: Unrecognized configuration entry '%.*s'\n",
+ (int)(end - begin),
+ begin);
+- return 0;
++ return -1;
+ }
+
+ #undef CONFIG_ENTRY
+@@ -1840,6 +1842,7 @@ coap_parse_oscore_conf_mem(coap_str_const_t conf_mem) {
+ coap_str_const_t keyword;
+ oscore_value_t value;
+ coap_oscore_conf_t *oscore_conf;
++ int split_ok = -1;
+
+ oscore_conf = coap_malloc_type(COAP_STRING, sizeof(coap_oscore_conf_t));
+ if (oscore_conf == NULL)
+@@ -1858,7 +1861,7 @@ coap_parse_oscore_conf_mem(coap_str_const_t conf_mem) {
+ oscore_conf->break_recipient_key = 0;
+
+ while (end > start &&
+- get_split_entry(&start, end - start, &keyword, &value)) {
++ (split_ok = get_split_entry(&start, end - start, &keyword, &value)) > 0) {
+ size_t i;
+ size_t j;
+
+@@ -1944,6 +1947,8 @@ coap_parse_oscore_conf_mem(coap_str_const_t conf_mem) {
+ goto error;
+ }
+ }
++ if (split_ok == -1)
++ goto error;
+ if (!oscore_conf->master_secret) {
+ coap_log_warn("oscore_conf: master_secret not defined\n");
+ goto error;
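Review bot: Initialising `split_ok` to -1 in coap_parse_oscore_conf_mem means an empty conf_mem, where `end > start` is already false before the first iteration, now reaches the new `if (split_ok == -1) goto error;` and fails without any log line, whereas it previously fell through to the `master_secret not defined` warning; if that diagnostic is still wanted, `int split_ok = 0;` as the initialiser (or a `coap_log_warn` before the new goto) preserves it, since every real entry sets the variable inside the loop condition anyway. In get_split_entry the literal lengths 4 and 5 duplicate the strings they guard; `len == sizeof("true") - 1` and `len == sizeof("false") - 1` keep the bound and the literal together, which is the invariant this CVE fix depends on. The bad_entry label now returns -1, but the other return paths of get_split_entry that signal end-of-input or success lie outside the hunk, so whether the caller's `> 0` test separates all three outcomes cannot be confirmed from here. Both get_split_entry and coap_parse_oscore_conf_mem start and end outside the hunks shown.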
@@ -11,6 +11,7 @@ SRC_URI = "git://github.com/obgm/libcoap.git;branch=main;protocol=https \
file://run-ptest \
file://CVE-2024-0962.patch \
file://CVE-2024-31031.patch \
+ file://CVE-2025-59391.patch \
"
SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615"