diff --git a/SPECS/hvloader/CVE-2025-69419.patch b/SPECS/hvloader/CVE-2025-69419.patch new file mode 100644 index 00000000000..0af10ef08ab --- /dev/null +++ b/SPECS/hvloader/CVE-2025-69419.patch @@ -0,0 +1,56 @@ +From a11570e429121d79ad38a4253a2480d814e673f6 Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Mon, 9 Feb 2026 11:04:29 +0000 +Subject: [PATCH] Check return code of UTF8_putc: handle failure in ASN.1 + string conversion and PKCS12 UTF-8 emission per upstream patch. Preserves + comments from patch. + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport from existing Build 1045615 of https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296.patch +--- + .../Library/OpensslLib/openssl/crypto/asn1/a_strex.c | 6 ++++-- + .../OpensslLib/openssl/crypto/pkcs12/p12_utl.c | 11 +++++++++-- + 2 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c +index 284dde27..843b0f94 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c +@@ -203,8 +203,10 @@ static int do_buf(unsigned char *buf, int buflen, + orflags = CHARTYPE_LAST_ESC_2253; + if (type & BUF_TYPE_CONVUTF8) { + unsigned char utfbuf[6]; +- int utflen; +- utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c); ++ int utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c); ++ ++ if (utflen < 0) ++ return -1; /* error happened with UTF8 */ + for (i = 0; i < utflen; i++) { + /* + * We don't need to worry about setting orflags correctly +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c +index 43b9e3a5..1c6b59d5 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c +@@ -207,8 +207,15 @@ char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen) + /* re-run the loop emitting UTF-8 string */ + for (asclen = 0, i = 0; i < unilen; ) { + j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i); +- if (j == 4) i += 4; +- else i += 2; ++ /* when UTF8_putc fails */ ++ if (j < 0) { ++ OPENSSL_free(asctmp); ++ return NULL; ++ } ++ if (j == 4) ++ i += 4; ++ else ++ i += 2; + asclen += j; + } + +-- +2.45.4 + diff --git a/SPECS/hvloader/CVE-2025-69420.patch b/SPECS/hvloader/CVE-2025-69420.patch new file mode 100644 index 00000000000..6b9737e6970 --- /dev/null +++ b/SPECS/hvloader/CVE-2025-69420.patch @@ -0,0 +1,50 @@ +From c1e8e3c41d4494d50837f40d63a90aba83083174 Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Mon, 9 Feb 2026 11:04:59 +0000 +Subject: [PATCH] Verify ASN1 object's types before attempting to access them + as a particular type +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Issue was reported in ossl_ess_get_signing_cert but is also present in ossl_ess_get_signing_cert_v2. + +Fixes: https://github.com/openssl/srt/issues/61 +Fixes CVE-2025-69420 + +Reviewed-by: Norbert Pocs +Reviewed-by: Saša Nedvědický +Reviewed-by: Tomas Mraz +MergeDate: Mon Jan 26 19:53:36 2026 +(cherry picked from commit ea8fc4c345fbd749048809c9f7c881ea656b0b94) +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport from existing Build 1045617 of https://github.com/openssl/openssl/commit/4e254b48ad93cc092be3dd62d97015f33f73133a.patch +--- + .../Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c +index 7fe3d27e..5d452d26 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c +@@ -262,7 +262,7 @@ static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si) + ASN1_TYPE *attr; + const unsigned char *p; + attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate); +- if (!attr) ++ if (attr == NULL || attr->type != V_ASN1_SEQUENCE) + return NULL; + p = attr->value.sequence->data; + return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length); +@@ -274,7 +274,7 @@ static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si) + const unsigned char *p; + + attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2); +- if (attr == NULL) ++ if (attr == NULL || attr->type != V_ASN1_SEQUENCE) + return NULL; + p = attr->value.sequence->data; + return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length); +-- +2.45.4 + diff --git a/SPECS/hvloader/CVE-2025-69421.patch b/SPECS/hvloader/CVE-2025-69421.patch new file mode 100644 index 00000000000..6d2d9c956cf --- /dev/null +++ b/SPECS/hvloader/CVE-2025-69421.patch @@ -0,0 +1,40 @@ +From 3e637c5bc3c3dcc94e37ebeda3f30b88b821cba2 Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Wed, 11 Feb 2026 07:04:36 +0000 +Subject: [PATCH] PKCS12_item_decrypt_d2i(): Check oct argument for NULL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes CVE-2025-69421 + +Reviewed-by: Nikola Pajkovsky +Reviewed-by: Saša Nedvědický +Reviewed-by: Eugene Syromiatnikov +Reviewed-by: Tomas Mraz +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport from existing Build 1046960 of https://github.com/openssl/openssl/commit/36ecb4960872a4ce04bf6f1e1f4e78d75ec0c0c7.patch +--- + .../Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c +index 3c860584..bb9491c0 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c +@@ -88,6 +88,12 @@ void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it, + void *ret; + int outlen; + ++ ++ if (oct == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I, ERR_R_PASSED_NULL_PARAMETER); ++ return NULL; ++ } ++ + if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length, + &out, &outlen, 0)) { + PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I, +-- +2.45.4 + diff --git a/SPECS/hvloader/hvloader.spec b/SPECS/hvloader/hvloader.spec index 7bffc311d60..a4f970367d8 100644 --- a/SPECS/hvloader/hvloader.spec +++ b/SPECS/hvloader/hvloader.spec @@ -4,7 +4,7 @@ Summary: HvLoader.efi is an EFI application for loading an external hypervisor loader. Name: hvloader Version: 1.0.1 -Release: 16%{?dist} +Release: 17%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -37,6 +37,9 @@ Patch19: CVE-2024-38796.patch Patch20: CVE-2025-3770.patch Patch21: CVE-2025-2296.patch Patch22: CVE-2025-2295.patch +Patch23: CVE-2025-69420.patch +Patch24: CVE-2025-69419.patch +Patch25: CVE-2025-69421.patch BuildRequires: bc BuildRequires: gcc @@ -82,6 +85,9 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{ /boot/efi/HvLoader.efi %changelog +* Mon Feb 09 2026 Azure Linux Security Servicing Account - 1.0.1-17 +- Patch for CVE-2025-69420, CVE-2025-69421 +- Patch for CVE-2025-69419 * Tue Jan 06 2026 Azure Linux Security Servicing Account - 1.0.1-16 - Patch for CVE-2025-2295