From patchwork Wed Nov 19 14:42:25 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hugo Simeliere X-Patchwork-Id: 74967 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9A5BBCF34BA for ; Wed, 19 Nov 2025 14:42:57 +0000 (UTC) Received: from DUZPR83CU001.outbound.protection.outlook.com (DUZPR83CU001.outbound.protection.outlook.com [52.101.66.100]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.8548.1763563373282967578 for ; Wed, 19 Nov 2025 06:42:55 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@witekio.com header.s=selector1 header.b=oFzbDnmI; spf=pass (domain: witekio.com, ip: 52.101.66.100, mailfrom: hsimeliere@witekio.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=HnohbaLPgHdFagnwnN+xqW0h/8B4JaK90puezzp6Vu9zvQ2HMWQ9JWkiF5Xdg3HPIrd7DABacNOviMPKDWZxce8CYoJbSEUCXji6Nt0I8PUJfJYM3DKpw0G5ovDU+FxRrj15y1RQz1srUXiSWISjx5QmGsI5KZzQJPx9GE3hrDs+aWzGf33ZlmzlWXoXaxMZH1UpcsOcvmeXYWYXNjZbbIgfabSAM5z4rW7DXEqXrNc4uA4ZU6XMPGZFRlat7cHB1SPu5KmPcdDQLVK5DpjJkIEwjrbwVH8XiwLYJakBjAzVFK8OTAMCZuNpYnWw1ZJxnTpreEEbexqXYIJ8YH5hrQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=01LVaLTdhq0T1K+wiT6NQkhP8OaHxhuou+F49KUKLK8=; b=fCJnc5aUxzMxhDY1s6kQLMS3gA5Fx692wwxdT4bvvRlSowQh+kbIXYgnfQgSL4DLMwbV9IoznUukw4VNvSDnNOUWlCZk2yY9noXW7CJSRfUwEz8sGBaQfJkc10rkyk8gQaO+nbhT/M/1fqHZaOKdYziQWsLVuePfLU3vmVIQHNu1Bg7+6Q74xiXNLH/Ts4GqGH/2OXa+Gg7WF5N5QsbaxrCZ38SN9DDzITp4NzvvPqaUJdAWS49YAFHxeDbw0bRzYKh5kePwMyZVcdyxvjgrGj65W+nAfUemZ8AcMPYwcPuX8wE8z1wd7Vub+nIfJ8NLjUMwhauzwUWc3mOu0+JNbA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=witekio.com; dmarc=pass action=none header.from=witekio.com; dkim=pass header.d=witekio.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=witekio.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=01LVaLTdhq0T1K+wiT6NQkhP8OaHxhuou+F49KUKLK8=; b=oFzbDnmIRh9m51xi56fmTSaAR/0t/QBP6PRqqCvs1eLWfwBznULGagWmHi6sgKx5P/hOgwneoFfPwOoXhhL0JdDrMCAWA5jRHpSJmbgvtnnjDh52+WEtOMdh8v+b/iRp0wpOCULSufpWHRW8uRK60i9heaop1bauRIGfFf7ZGjt1t1JV9WaLEj2Fx4/b4yuLf6nUS4Xach/MKceUW+4G48TyHPWlyWb82lmXgYPUjvXGWp+z1RVnFZTElJdQRN1o0B/FXK2e738y1F84VJDJFkHkxBdcEKBvYf82Q3BHm6HuTmyfLppnz8yORaRGOz0E3mNC7aYeRArkrZriMw5ydg== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=witekio.com; Received: from DB7P192MB0330.EURP192.PROD.OUTLOOK.COM (2603:10a6:5:b::27) by AS2P192MB2245.EURP192.PROD.OUTLOOK.COM (2603:10a6:20b:644::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9343.10; Wed, 19 Nov 2025 14:42:49 +0000 Received: from DB7P192MB0330.EURP192.PROD.OUTLOOK.COM ([fe80::3489:ba4d:8522:3e40]) by DB7P192MB0330.EURP192.PROD.OUTLOOK.COM ([fe80::3489:ba4d:8522:3e40%7]) with mapi id 15.20.9320.021; Wed, 19 Nov 2025 14:42:49 +0000 From: hsimeliere.opensource@witekio.com To: openembedded-devel@lists.openembedded.org CC: Hugo SIMELIERE , Bruno VERNAY Subject: [oe][meta-oe][scarthgap][PATCH 1/2] libwebsockets: fix CVE-2025-11677 Date: Wed, 19 Nov 2025 15:42:25 +0100 Message-ID: <20251119144226.2084112-1-hsimeliere.opensource@witekio.com> X-Mailer: git-send-email 2.43.0 X-ClientProxiedBy: LO4P265CA0062.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:2af::18) To DB7P192MB0330.EURP192.PROD.OUTLOOK.COM (2603:10a6:5:b::27) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DB7P192MB0330:EE_|AS2P192MB2245:EE_ X-MS-Office365-Filtering-Correlation-Id: 3aac4ab0-8068-4192-e0cc-08de2779e942 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|366016|376014|52116014|10070799003|13003099007; X-Microsoft-Antispam-Message-Info: nB8BoKKdp/qRbPvP/1WRK7NMLHfcgNlNVzd335c8BpJ5O15+KyJeo2/iSSahXBdfkuGUowhLWzlgaG46GFcoWELt+aJyhF3iHCTU0KW6iJBSbkDMSgwKGXwkXkIBxg5lUOWhvNbkFhfWu7tWaq39MPOgOXuLaQaTzE/IJCPv9gxveHuASzOBkdapcWQXJXxuXR8hNX3Ef6iUTjmECqh4x4VQMdzXDXKLKv/wsf8+kg1lTDZ0Ys2CTRahJ7qVaU2fi8k6QwRngIGdEfxU0YWoJQX0YufYvJ5dqXibGSnA9MKp9byCQVscAgUy9HsS7d13CNfu0IH6e7CpTXv5Ev7gizy+FP4KoOguTCjHeFaNFom5m3H2SA0+f3drGAIy7kEnjC7Yc/SvBTdsNPVlOfPdNr1H60Fc/e+Y0TxRTu73hcmAmqi5iEc8BtR9IWt3CHs7DdWJnOjAW0MRMu3I4+gwqZjmjODblJkfqtm1/305FPnz6BSO4sV+/iGw1o82biKE8EkrKT0LHwOJG+YTW9I7gj17c5Zcu5WJdtDcmpptcVLFHX6AJuOK1HyDoEb5Ux3sNWBNgVvcs4Uy5h7CbDPztb/J4oHMBW2RqxKiRTFeapQhHXNIX3R2QEKMq5ASSLqRq0E2wOoIN8CT2u74I+mLgoiylT9uAdU6cCN3uwZ3XRT6vgcEt2L2dCFLHY/q/pA17Is2isk7DZScH5xd7NSe68eyWFTeKdiuX4wkQMQPz+elbeg8EUu/vpXknFKluO0OG+cAnXrMalcACzCkN4b9uM2dlC4zKpM+Lm0+nF/AweLJPw59GlcQVq/Ykaveb2k1VoN5VXZR5ixp0cVgnDi206hGsBeVMti5X9oE2jaYPC8w49MFo/yfG+vCfeYooyAH2ck70ChqamC5Rxj5hjrPbz5A7/bGSeS5R74HNOOxf+51+tJcHrB+bCQu+lPGfNDZPAIUWTXUauWAF2InkNyEa6gYhH7jeuk3lwC2O+RivxAWSFAvhJ4c5XmXxyPdKQKuwQuoDn8dWTqDZNNBfO/qgY81IZ8EvNRlvNzwSVZlMoqdq+0LUUhZZQGbp7+uuI59oozODd8tL9m0TsLOzwP6u5MM0xgOY8Z9x7yJfg0Lc75bsBB3PR+eoHjaVOpM8z1JyZpjX3FSAAAVbhbRbcJP2NGT0WG36aCkGGBchGYL4SOEtMx+WkfJQsgUlVMbEXms81xy4QRs+LIsppgmgUnUL3KOwRs3xJad3l9z42wnRvSdODp/GKcXjFO06myj8V1wKFXvbRccwF3tV22yO/z/NDOdno8IJGyenldmnpd96SSCkq6EbGXq8ZTavIgsCL0f1+Y2QsBx+qi13dN3LklUOtfzAH8mJ5rRZHxlIcDjBA0BjQWQBw7pvHQpSJFzI9/ncmFXO0njW5pIyc7yGO1uXA== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DB7P192MB0330.EURP192.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(376014)(52116014)(10070799003)(13003099007);DIR:OUT;SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: HEmpS1RphFEMBfubOwuLCcyNhpWQQQk6VVD9pepZrHElBfeRHiW/xDf138cmjG/2k1aiYQ1/NO3kiZuu8yuzgeiMroYzEQldYebcc+3U5vMISKTyOJJXGvZks48ulqImN00vS6gK+GED6FB+q689pNm9Zoj0+S10aqlf0l7kcUkY1mx5Ng8L7bFQ1x1MOqv6K/ylACRoTOQSz2iFTCnOF5q0XklKInz377srtzimwvUiHcMeuDXtZg+MRXcN1WjOBBsnhgiO+YRVH63W/pYiYD2AX5gn/AcxmVx7lLloiPLwop51qJjf6NRzp3pD6xyYmNy99J6jdDd0uAvjByxCKvLifiqZKIlvw+rynmG+pDk/Bazk2v0YL9x4t04d/PTzruAp1Tl0EPZOSy4Uka3SUf/DBRD9WQH2UVPu4GH6C0BcY6J3uN+RKR2sv3J+hCBohDBESLQrPFHN6ouyimL53R8zK92oMUceZNuUvyP4DV8SiR0tJ6TvjKjZ+rDaPrZozHcD6sfrQwgxTwlX5rlTHD14fZsR6QOrFW6+go+fZm2YYZNZNtXP9bR45IMbebxfsdtHI+VydWlPqFHj7y+aGtge2lz7L1fu7l96xzQChSVyeOk3xap4WbVbf2+mQWSoPhKnn2RjqYh72otirARkS4nev5vfE4PwuIftUXgy9cs4p8SHaXT5b2xknleQh6pwU5FKcaJAHDnOUNdF5FcYTV9cpyQFPPMiW0ayd0EiJDtqkeQ3Ep2TD+Ksw55EX7G0PVkdllphDkcENtRyBtkqrdVCzU8joer0FVfptrrJbHsijgPw9XsbKxYJdrMrSB3B5lYLx/9Tug01ogLEH6E+ROg8iGmAsRKfe6gIgAhkSWF/tSCjOnUVm+yzp5aB+2zlEkQ4HdYEPGqneykjOXXBvKsWSSbsXLLhAqZLkADEvtHwTr7GU7hUrAowuZB1ae9q3lM5sfKcw+70n+Lq4WDegN0/+ItqccXWRJ7iFJNKR9V+xIQjvO5pcEtnP1uOv3wNlrgu5L4ftL22zgClRbI+aG/A1fGV7Uf8ignWniq4wAs1uVBPyZrrAb0kSKepbEDdaUfG9RGMW3yBQfTtTmHI+sBJo+BtmSeBUkJ7N5DEsXXe6HZp0rDYsyel6Mt9LAfM/BfeU3SKfNSH3FcN+yB8KrM9XkUjaEY+EuFEAPtqECY095pxRU6+ln3/Jh407dDyy/MLuxEPyl6UN+oY4BwYNCFMSDoBSBfjTK/uWC6ID79EXXR1Mes5gvQBtw3sMrEesaB8HJ6ogMHerx4oUoDyA8/sYiXQyGdhz8qbc99v6E15EYdEwlkielYmxZHWiNjM9ZSC2X/1aT6/2lo+YqzpV4oZcYdBcizdxI0FFWchYAEycLUnwKVKg+l4c9uJNo64d4j7kVeKoE19aKwCvfC9L6jca61bf9JbC+oa95zORVIwZmZTKnxxxlvuCN3yFAgUwES/HXWkq3aoMerarWDPlNn5Nlzz9kO6+s0U/61/VAe6jmfFnhTtJ3/ZrXhgTukiooLMlzzrHUHMEjUMgcFg8RnVVXBne2mQHRvMKtfZuUkM/z8vBro9K6QP8uGT6papefQwlDBpNEp0IqDLLF61la1TJOXeLsGxVQwVUG2e9y3lfgnV3KUk8YgG6mMv81fGLqRvddRMMv60SdgOSbjKFA== X-OriginatorOrg: witekio.com X-MS-Exchange-CrossTenant-Network-Message-Id: 3aac4ab0-8068-4192-e0cc-08de2779e942 X-MS-Exchange-CrossTenant-AuthSource: DB7P192MB0330.EURP192.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Nov 2025 14:42:49.2805 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 317e086a-301a-49af-9ea4-48a1c458b903 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: yuKuQnPU/LCL2HuE5fQ7oMkq+KYusKlzFuG18gdBDr3SMRQEhKFMxpGc6PIMEBpvCu/glcRK1+t2Dvjw3wiaog== X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS2P192MB2245 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Nov 2025 14:42:57 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121905 From: Hugo SIMELIERE Backport a fix from Debian: https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11677.patch Upstream commit: https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a Signed-off-by: Bruno VERNAY Signed-off-by: Hugo SIMELIERE --- .../libwebsockets/CVE-2025-11677.patch | 161 ++++++++++++++++++ .../libwebsockets/libwebsockets_4.3.3.bb | 4 +- 2 files changed, 164 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch new file mode 100644 index 0000000000..bf11a893f8 --- /dev/null +++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch @@ -0,0 +1,161 @@ +From c01cb06d99c08579ab33bef066fca8a5338b7c7b Mon Sep 17 00:00:00 2001 +From: Hugo SIMELIERE +Date: Tue, 18 Nov 2025 16:59:22 +0100 +Subject: [PATCH] NN-2025-0102: UAF depending on upgrade allowed + +This document contains sensitive information collected during our +security research activities related with the Libwebsockets library +maintained by Andy Green (warmcat). + ++-------------------------------------------------------------------------------------------------------+ +| Report information | ++:===================================:+:===============================================================:+ +| Vendor | warmcat | ++-------------------------------------+-----------------------------------------------------------------+ +| Vendor URL | https://libwebsockets.org/git/libwebsockets | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected component | libwebsockets | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected version | 4.4 | ++-------------------------------------+-----------------------------------------------------------------+ +| Vulnerability | CWE-416: Use After Free | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Base Score | 6.0 | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N | ++-------------------------------------+-----------------------------------------------------------------+ + ++-----------------------------------------------------------------------------+ +| Security Researcher(s) | ++:===================================:+:=====================================:+ +| Name | **Email address** | ++-------------------------------------+---------------------------------------+ +| Raffaele Bova | labs-advisory@nozominetworks.com | ++-------------------------------------+---------------------------------------+ + +Libwebsockes is a C library that provides client and server +implementation for various protocols (e.g., HTTP, websockets, MQTT) and +more. + +Nozomi Networks Lab discovered a "CWE-416: Use After Free" in the latest +software version of libwebsockets, specifically in the WebSocket server +implementation. + +Depending on the use of the API, the vulnerability may allow an attacker +to read or write data, that could cause a loss of integrity or +availability. + +The issue is caused by the `lws_handshake_protocol` function, specifically +when the upgrade header is not valid, the function calls +`lws_http_transaction_completed`, which frees some of the data in the wsi +structure, then it calls `user_callback_handle_rxflow` passing the up +pointer and uses it on following strcasecmp calls. + +From our understanding, for this vulnerability to have a meaningful +impact, a user that implements the Websocket server, must provide a user +callback function which is going to handle +`LWS_CALLBACK_HTTP_CONFIRM_UPGRADE`, while ignoring the length and doing +operations on the up pointer. + +It is possible to compile the minimal websocket server using address +sanitizer, to quickly verify the use after free. + +From our understanding of the code, if the upgrade header does not match +the intended contents, then the code after the if statement when +`lws_http_transaction_completed` is called, should not be executed, thus +simply enclosing all that code in the else branch solves the issue. + +CVE: CVE-2025-11677 +Upstream-Status: Backport [https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a] + +Signed-off-by: Hugo SIMELIERE +--- + lib/roles/http/server/server.c | 58 +++++++++++++++++----------------- + 1 file changed, 29 insertions(+), 29 deletions(-) + +diff --git a/lib/roles/http/server/server.c b/lib/roles/http/server/server.c +index 6b132a42..e6d714e3 100644 +--- a/lib/roles/http/server/server.c ++++ b/lib/roles/http/server/server.c +@@ -2375,49 +2375,49 @@ raw_transition: + HTTP_STATUS_FORBIDDEN, NULL) || + lws_http_transaction_completed(wsi)) + goto bail_nuke_ah; +- } +- +- n = user_callback_handle_rxflow(wsi->a.protocol->callback, +- wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, +- wsi->user_space, (char *)up, 0); ++ } else { ++ n = user_callback_handle_rxflow(wsi->a.protocol->callback, ++ wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, ++ wsi->user_space, (char *)up, 0); + +- /* just hang up? */ ++ /* just hang up? */ + +- if (n < 0) +- goto bail_nuke_ah; ++ if (n < 0) ++ goto bail_nuke_ah; + +- /* callback returned headers already, do t_c? */ ++ /* callback returned headers already, do t_c? */ + +- if (n > 0) { +- if (lws_http_transaction_completed(wsi)) ++ if (n > 0) { ++ if (lws_http_transaction_completed(wsi)) + goto bail_nuke_ah; + +- /* continue on */ ++ /* continue on */ + +- return 0; +- } ++ return 0; ++ } + +- /* callback said 0, it was allowed */ ++ /* callback said 0, it was allowed */ + +- if (wsi->a.vhost->options & +- LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK && +- lws_confirm_host_header(wsi)) +- goto bail_nuke_ah; ++ if (wsi->a.vhost->options & ++ LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK && ++ lws_confirm_host_header(wsi)) ++ goto bail_nuke_ah; + +- if (!strcasecmp(up, "websocket")) { ++ if (!strcasecmp(up, "websocket")) { + #if defined(LWS_ROLE_WS) +- lws_metrics_tag_wsi_add(wsi, "upg", "ws"); +- lwsl_info("Upgrade to ws\n"); +- goto upgrade_ws; ++ lws_metrics_tag_wsi_add(wsi, "upg", "ws"); ++ lwsl_info("Upgrade to ws\n"); ++ goto upgrade_ws; + #endif +- } ++ } + #if defined(LWS_WITH_HTTP2) +- if (!strcasecmp(up, "h2c")) { +- lws_metrics_tag_wsi_add(wsi, "upg", "h2c"); +- lwsl_info("Upgrade to h2c\n"); +- goto upgrade_h2c; +- } ++ if (!strcasecmp(up, "h2c")) { ++ lws_metrics_tag_wsi_add(wsi, "upg", "h2c"); ++ lwsl_info("Upgrade to h2c\n"); ++ goto upgrade_h2c; ++ } + #endif ++ } + } + + /* no upgrade ack... he remained as HTTP */ +-- +2.43.0 + diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb index 3170d37f5b..d0a2aa0923 100644 --- a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb +++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb @@ -8,7 +8,9 @@ DEPENDS:append:class-native = " libcap-native" S = "${WORKDIR}/git" SRCREV = "4415e84c095857629863804e941b9e1c2e9347ef" -SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3-stable" +SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3-stable \ + file://CVE-2025-11677.patch \ + " UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases" UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)" From patchwork Wed Nov 19 14:42:26 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hugo Simeliere X-Patchwork-Id: 74968 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 94D02CF34B7 for ; Wed, 19 Nov 2025 14:42:57 +0000 (UTC) Received: from AM0PR83CU005.outbound.protection.outlook.com (AM0PR83CU005.outbound.protection.outlook.com [52.101.69.138]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.8549.1763563375608028969 for ; Wed, 19 Nov 2025 06:42:56 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@witekio.com header.s=selector1 header.b=FZHrJZRy; spf=pass (domain: witekio.com, ip: 52.101.69.138, mailfrom: hsimeliere@witekio.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=eRVynA2dnfOvXhfGEPpTasn1mu9Ohk5xFsLpFNdzrszORvmd5w6+A7puP0XKv9IGq9vgyu4irnWZYEMb+wUL5RQr09PscSNC0ewp1CTr99teEUO1aZfmZ9SNjbZEjbfx0AayUZNNAjH/PWv8GIIy2L8BtCmi6WhjjWlZPodxzHM10Qswwvu44dFcQi77mKKDlcXqmgRGIQsDCFImmG5pJhPCCuil8y4qkpaXB4wl/Ae+HntADqdyzi9oo8253IDTTKYSJE0ke8EGvE9cZcnW2B2e/InJ6iq8MvVM+2lO887YNLwsoPKOp/FS8N+Vgw3W+eB3qEjHifZVBoJ37gPS2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=AG+VfuGwJ1FyEfKBwloyQfVu/hLln26jVfV4d9Qk8RU=; b=NGypWORe1PwalhLsb8Pm9P+5cXlgB9vhu//Sxk+RXxJZ/TjS6GY7dIKaX/XGjKr58o9uxHMj8MIddQRx/W2/gedJP+wrCxm92djoPnz+dqSAA2t9yFDEfoQUj2xz7zgw6j0eq/IlV6smnhTSMe/z8kU1pZOVad/O6o29+h7aDyNqPHCdPfJmhL2aR2YToT+UZKYyBaH/pAqAWJP8hU1d6DhXHm6pJMEWO7HLiWIeCzF1y2072uTwtqdU5Ql7Hx2k33zdVd12KnHy46Ws5iNRbhLDQ0EroPRQhuVBFussM7qVIZ0Dn+Bi28abFNSp5/zyOyRu9dkQXp6pAu81FIBlMg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=witekio.com; dmarc=pass action=none header.from=witekio.com; dkim=pass header.d=witekio.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=witekio.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=AG+VfuGwJ1FyEfKBwloyQfVu/hLln26jVfV4d9Qk8RU=; b=FZHrJZRyTiBcTXOiHMnzQsgYPxWrdWQod3mu3KIu5x+bKw1SiWkG889MizLYqWoUocRE01eTzXzpT5DoYnfTAT9+1DJlL/05OqKuFuVRnsT33o/V2iGq43gHmHmdUlU4ScpPgjMo0f0R8QGvnTjTJd//RvGEK4JdEHzA+7K6goHwli+eoURYgYMo3m/qhAZbuwIhViFoBOGgSwk1KS/9SGezDHh7qafTT+y8D0a5sN2ISqWSYHR3KDWPunmXKwD2rIc4xJRNB4zjdh2w3o0YTOnR9NwJvwLGE79YiixCNIuCwc8pdcUOXf33/kmVC3ow7ZS89g1jdWt1lqJ2C2vGng== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=witekio.com; Received: from DB7P192MB0330.EURP192.PROD.OUTLOOK.COM (2603:10a6:5:b::27) by DU0P192MB1844.EURP192.PROD.OUTLOOK.COM (2603:10a6:10:3b3::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9343.10; Wed, 19 Nov 2025 14:42:51 +0000 Received: from DB7P192MB0330.EURP192.PROD.OUTLOOK.COM ([fe80::3489:ba4d:8522:3e40]) by DB7P192MB0330.EURP192.PROD.OUTLOOK.COM ([fe80::3489:ba4d:8522:3e40%7]) with mapi id 15.20.9320.021; Wed, 19 Nov 2025 14:42:51 +0000 From: hsimeliere.opensource@witekio.com To: openembedded-devel@lists.openembedded.org CC: Hugo SIMELIERE , Bruno VERNAY Subject: [oe][meta-oe][scarthgap][PATCH 2/2] libwebsockets: fix CVE-2025-11678 Date: Wed, 19 Nov 2025 15:42:26 +0100 Message-ID: <20251119144226.2084112-2-hsimeliere.opensource@witekio.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251119144226.2084112-1-hsimeliere.opensource@witekio.com> References: <20251119144226.2084112-1-hsimeliere.opensource@witekio.com> X-ClientProxiedBy: LO4P265CA0062.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:2af::18) To DB7P192MB0330.EURP192.PROD.OUTLOOK.COM (2603:10a6:5:b::27) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DB7P192MB0330:EE_|DU0P192MB1844:EE_ X-MS-Office365-Filtering-Correlation-Id: d1ad31c9-193c-4575-f8a8-08de2779eac5 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|52116014|376014|366016|1800799024|10070799003|13003099007; X-Microsoft-Antispam-Message-Info: iSwb3BlUmb1/YzQhFB5BVq3gkzEPPBKf0zY7PpSJUaw9zkeKk/ozVSKj8M/nMfhG/+LkxE1XXD53LHXlooOdodmLnDx0kkG0hZq+EG0aY22Aq8zjMwTsP9TUcxBN80yFA7N8VL9H8UaRW3IVzSUFi4RKLZhRRutGeySftZyoq1MpEC07zLf9lcTZTgq5q/PN2t3T8eMBCjmY51elw/pSA1uVK8xK5Gi4mmokk3jB6XC806VnQvGCB/Nwv4nVsvG0vIqNRYff2vvpav3FukJHS/S+2GRQ2PzEWA3YgH6QiHH71SOt3ZJXSOBvHoBBPryRCxuEZTLS4bK1d5JiRbM3SDPGkSub6ufMutkFZSm4UZHgZO2ZHHiVA98XdoccAOwzXebw9VlBIEg/1TAVOmm05nm/HELR3iXui8bsHZMHfB8s6HcqLZEgCmu7KalZtdrQC/Xp81k6KuznLUgTPF816rviwSIZLKK2IrCSkytO4GyWWk+5maZfKeRKF8nTBZ1+ILQ8g9sLCu8PmkzteXh1PoOXOpHuwBWks7zW09fDVHG77YD9OM3P1nFDeLCV3bVQjdllFPzqDkwAsdmfmLTPYm4MBpyXO3RXFMDeJb5oSWuRod/LkH2nlLowW9n3TSxUPsCggd3/PMnJqVlxdNAYdjcDFwBdP/HyAG38Tln/4uPYL8dWZfoO14TR1go3uMObYWiWhJjVtvyWC16v2UecJSpr0cM0nJCIc3ekj1zUZu0YuzYHYj28xsHZ/FBvU6cKVVTkM0lnyLCxq/7XKRorwHxGHv75k/7EALbSR2Sn4o0MiWS9H1aTtFBNX2EshRHTgl4uHBH14L2hxR1s+9Nmrfg2x0Xny1VaYsa9rGjCZCY+r36Qd9bjk8FXDaDH8/n4LOOcuGm3eBMURzFnYcCyRaD7YMgzUg5P78Qbd1YOD+/0qOhoqJix2wgzG//dS0apMD6Ezjhei8CteZYLIG0Vaum/VtxchEQKaGnGFjD7OSz99IgCQNxBg+v2SZSrOxzxm/uU6KP4THxM5j+jkN66PAkTkd1QF7JuyIYWAQDiZGTqrMQv6I8LmPDb+i9qPB8w/aP05kUj2FYKEOOFwrEND41tV4LIMfWxoP0mODPh7AqRrtH1PK2ilPVkQhhX+XaewZ6MTvKIMESGuUg17EOpVEaH+Rb87hzVkg9okDsnTvR+iT5eqDaheHsyu9i9xcNXpomzOjJR2PCsA/nCwQA3DvKwFLlDJh5vLgoV6eZeEe4oicbBb8zV0rfPkT19ZIfFzIfwaRTiuoTseVnoUkhkOiKZpC+DohgFwraL8D1GrYZ4gnQMqcvC42PIw4EMf2H7AKAn1PmspQItZ7GXLwrPF9DnUlTn9UqQWkbkoigjNhwRpc7kcX/cqgb0oXnFMIM2q66DY7I4Mkog3t1+mR8HmA== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DB7P192MB0330.EURP192.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(52116014)(376014)(366016)(1800799024)(10070799003)(13003099007);DIR:OUT;SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: sQOWKfSCrGC73YybuBpvQ12Pc64dmK05amKR9WrWFzbEloiG+BIA1dYUg82+O3XvKxy9fs1XrB+bo/Pa7LcFnWXPn31MgTXKOWt1NQnYdZZLMm0hMmMZVX1nLCnFeH1texrVqs1OQvarDvmZtBGs3X5sHoukoBm9/NkX3rCDEZjbnuZDozAPLZXrhQsqWNlJ9eY4nlESv+onsXNRgjJ1rzxw44Fle1XdP1o6R9vQa2En96PiunTkn3Kq29hzUbnFD1UeuoG5VEhfQOO1HfemTegot0vjWImroJsTO8UjGRHcU3Vbj6ouZGrc/86pvDc1AA/pkxi4YhwVcqyWihvyPtkJPPn2cE0zKecxOaAf5rIuwGm6Y14La/WQUEqzhXLhX887A7QRJyLit9nNpvdBE52VsmYAGdSDjbf3SpDV+s4ihkAId9JleVYC1xHYrrpVK1+LuE6o3unutiJ1TCKGeCTOrTh2OUaEjWLWAx7vyCK4359yRC0Ubs7BmOzpUBOYJaEFr424fiOgziv/vOrpTyRcv7hvzcRJzqJ3hWEynelL3db8ZNNXuFBtUQdxqpoVg9lXqXSD2nWKfxMN+87kzeFlIXzd/z322UvZ0HLxTAcTIZotRwXMjJN9oo8srCBPqKDrL5u7JBXqOmlJRcaYO3WV8oT2AHNRI7bHqSzZ71aEyN8IwhXnF9Q/iNXFENR00bfj1nDPqfU++qEORfuifdKI32+DveGvi5X6Mb4Vvig3fhvsFxuAtYuQVCmXDKA+KxexYT9rSxfZaDD5N4Y+PPWngVAJ3JoVguzf07+ykDPXYxam5sEK9yN986SIDu8DDkEvNDy3gNopbCpwwhFBXGLplHfQ+JG4Ekl/1K5Na6Q58AvlWd/PkGxR2eKP/0t+nKb3znq0lhQt9pk571OLqDWhA1OLZ5htQN2MWtHYKf9zTE3cFS5Pcid7r4d+fxDQSbZZ8URnXAHaKnZlYQ/SagD1gKw91BJZdI/nQgOFlHJFE3ZirbzfZrc7W42cC+cIQY2R/1q2AXBghRC8QeNn5+LDAjlCzt1aoBastloKGXZ+dRSkU7lDRqYJrihJKhItaqR+EoL5C1XgZ/IMxViMPRSlyXPLk4bZymPMgwNZ6Eq/EXBlMxaRti/9aYjsQk1qqQ/v4uaVKR3xUdvq+jqFtbSXz7gEhk/O09sVf4xQw26FX031m+tSmUxeiKxp1E3K8vJux3ZI4YG4sSP85O/A3JA8YIhosAnGD/tv5KfeF9N/kEw2ceoWf0ElGt0VHRIXvzFEhZ5R2/cHzPb6zuauZq5Pgl6U14Bse+BofNP7aYsLXe7Ixdt/4Na2+4PwjehN+Z7aEDRBVFar9MJJcIMk8/Bxuv+39bs0wCcBd0yhSh0hu9RwgUqw8DMyZwRFqrSv/1QMyqDTrp8cb8f9z/3dzcZAtJjNdQONkdFSAo92Jwk1RUr4oCSMmHS5LqDD54MTKOIZh4DqRxMsrtcaWnbt4QjCWyqpWejOT+cBOUp375XRK8oNPUpmJgXvoKIL6YJOM1TP4383PQDq2MRDB+uDpupDvpybKFI3r4c+YZwsLiLhGoDTkXich1ufjR3ZybI0R/+ieUAD5rwSQK3IFD0ArPG7fp+BHIFbq0BPGE6mvSFWGmarUtJOQl66oAEVRIy3JNufw80M6i4xInYrDv0iKQ== X-OriginatorOrg: witekio.com X-MS-Exchange-CrossTenant-Network-Message-Id: d1ad31c9-193c-4575-f8a8-08de2779eac5 X-MS-Exchange-CrossTenant-AuthSource: DB7P192MB0330.EURP192.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Nov 2025 14:42:51.7870 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 317e086a-301a-49af-9ea4-48a1c458b903 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: yarRSnER2H/4/tGG3WnUFr3wB8+Zo59xl2FUUxq6v5+Ws1plciSI99+cTd+ebMEFOvbyO7dRAbcLJBYljPDnAg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU0P192MB1844 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 19 Nov 2025 14:42:57 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121906 From: Hugo SIMELIERE Backport a fix from Debian: https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11678.patch Upstream commit: https://github.com/warmcat/libwebsockets/commit/2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a Signed-off-by: Bruno VERNAY Signed-off-by: Hugo SIMELIERE --- .../libwebsockets/CVE-2025-11678.patch | 128 ++++++++++++++++++ .../libwebsockets/libwebsockets_4.3.3.bb | 1 + 2 files changed, 129 insertions(+) create mode 100644 meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch new file mode 100644 index 0000000000..3489a7e6a1 --- /dev/null +++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11678.patch @@ -0,0 +1,128 @@ +From e1d4c32bf773b8cf01eb5e368a4a21679e0b670a Mon Sep 17 00:00:00 2001 +From: Hugo SIMELIERE +Date: Tue, 18 Nov 2025 17:03:33 +0100 +Subject: [PATCH] NN-2025-0103: ADNS crafted response overflow + +This document contains sensitive information collected during our +security research activities related with the Libwebsockets library made +by Andy Green (warmcat). + ++-------------------------------------------------------------------------------------------------------+ +| Report information | ++:===================================:+:===============================================================:+ +| Vendor | warmcat | ++-------------------------------------+-----------------------------------------------------------------+ +| Vendor URL | https://libwebsockets.org/git/libwebsockets | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected component | Ecostruxure Automation Expert | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected version | 4.4 | ++-------------------------------------+-----------------------------------------------------------------+ +| Vulnerability | CWE-121: Stack-based Buffer Overflow | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Base Score | 7.5 | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | ++-------------------------------------+-----------------------------------------------------------------+ + ++-----------------------------------------------------------------------------+ +| Security Researcher(s) | ++:===================================:+:=====================================:+ +| Name | **Email address** | ++-------------------------------------+---------------------------------------+ +| Raffaele Bova | labs-advisory@nozominetworks.com | ++-------------------------------------+---------------------------------------+ + +**\** + +Libwebsockes is a C library that provides client and server +implementation for various protocols (e.g., HTTP, websockets, MQTT) and +more. + +Nozomi Networks Lab discovered a "CWE-121: Stack-based Buffer Overflow" +in the latest software version of libwebsockets, specifically in the +async-dns component. + +The vulnerability allows an attacker that can inspect DNS requests made +by the victim (e.g. being in the same wireless network) to forge a DNS +response packet that overflows the stack and may lead to arbitrary code +execution (depending on the platform and compiler options). + +The issue resides in `lws_adns_parse_label` function in +`lib/system/async-dns/async-dns-parse.c`; this function iteratively parses +a label however it does not correctly check the number of bytes written +in the destination buffer. + +Specifically, the size of the dest output buffer is specified in the `dl` +argument, however during the read of each substring of the label only +the length of the current substring of the label is accounted for not +overflowing the destination buffer, but previous reads are not accounted +for. + +This means that a label of arbitrary size and content can be supplied +and is copied onto the stack, however it must be split into substrings +of size less than `dl`. + +To trigger the vulnerability an attacker must be able to sniff the DNS +request packet to send a response with a matching identifier, otherwise +the implantation correctly ignores the response. + +We have provided a harness for testing, for ease of use copy the harness +in a subdirectory, for example in minimal-examples-lowlevel/api-tests/, +and build it + +``` +cmake -B build -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SSL=0 +-DCMAKE_C_FLAGS="-fsanitize=address" . && make -C build lws-test-async-dns +``` + +Then it can be run `./build/bin/lws-test-async-dns < poc_stackbof` + +![Address sanitizer report of stack buffer overflow](./NN-2025-0103_image.png) + +We suggest keeping track of the number of bytes currently written on the +dest buffer, this could be done by saving the original dest pointer, +decrementing dl on each substring memcpy, or using an auxiliary +variable. + +CVE: CVE-2025-11678 +Upstream-Status: Backport [https://github.com/warmcat/libwebsockets/commit/2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a] + +Signed-off-by: Hugo SIMELIERE +--- + lib/system/async-dns/async-dns-parse.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/system/async-dns/async-dns-parse.c b/lib/system/async-dns/async-dns-parse.c +index bdfe2050..81743b3f 100644 +--- a/lib/system/async-dns/async-dns-parse.c ++++ b/lib/system/async-dns/async-dns-parse.c +@@ -35,7 +35,7 @@ lws_adns_parse_label(const uint8_t *pkt, int len, const uint8_t *ls, int budget, + const uint8_t *e = pkt + len, *ols = ls; + char pointer = 0, first = 1; + uint8_t ll; +- int n; ++ int n, readsize = 0; + + if (budget < 1) + return 0; +@@ -88,7 +88,7 @@ again1: + return -1; + } + +- if ((unsigned int)ll + 2 > dl) { ++ if ((unsigned int)(ll + 2 + readsize) > dl) { + lwsl_notice("%s: qname too large\n", __func__); + + return -1; +@@ -101,6 +101,7 @@ again1: + (*dest)[ll + 1] = '\0'; + *dest += ll + 1; + ls += ll; ++ readsize += ll + 1; + + if (pointer) { + if (*ls) +-- +2.43.0 + diff --git a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb index d0a2aa0923..90ac0c3eb3 100644 --- a/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb +++ b/meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb @@ -10,6 +10,7 @@ S = "${WORKDIR}/git" SRCREV = "4415e84c095857629863804e941b9e1c2e9347ef" SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3-stable \ file://CVE-2025-11677.patch \ + file://CVE-2025-11678.patch \ " UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases"