diff --git a/0097-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch b/0097-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4e902ab0fc5ec0c25e8c801445346377d09f7288
--- /dev/null
+++ b/0097-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch
@@ -0,0 +1,31 @@
+From 372e054859918a2c35f2ff00450ea2144dc1c38d Mon Sep 17 00:00:00 2001
+From: TL <1045523086@qq.com>
+Date: Wed, 15 Oct 2025 21:13:01 +0800
+Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size
+
+Fixes CVE-2025-9230
+
+The check is off by 8 bytes so it is possible to overread by
+up to 8 bytes and overwrite to 4 bytes.
+
+Origin: https://github.com/openssl/openssl/commit/5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45
+---
+ CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
+index d741488..9f98840 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
+@@ -215,7 +215,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
+ /* Check byte failure */
+ goto err;
+ }
+- if (inlen < (size_t)(tmp[0] - 4)) {
++ if (inlen < 4 + (size_t)tmp[0]) {
+ /* Invalid length value */
+ goto err;
+ }
+--
+2.43.0
+
diff --git a/edk2.spec b/edk2.spec
index ecb9e85374b80c27838cf7ea215ce478cd1ea3c7..ebabcf102b5d543637a50a7584bbadc7830f5551 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -5,7 +5,7 @@ Name: edk2
 Version: %{stable_date}
-Release: 28
+Release: 29
 Summary: EFI Development Kit II
 License: BSD-2-Clause-Patent
 URL: https://github.com/tianocore/edk2
@@ -153,6 +153,9 @@ Patch97: 0001-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch
 #Reference: https://salsa.debian.org/qemu-team/edk2/-/commit/18735c01be5dc3b1ffc1f604e68ae96542dcbf06
 Patch98: 0001-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch
+# Fix CVE-2025-9230
+patch99: 0097-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch
+
 BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command
 %description
@@ -353,6 +356,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys
 %endif
 %changelog
+* Wed Oct 15 2025 taolinghongfei - 202011-29
+- fix CVE-2025-9230
+
 * Tue Sep 09 2025 Zhang Yi - 202011-28
 - fix CVE-2025-3770
 - fix CVE-2024-38805
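Review bot: The new tag is written `patch99:` while the neighbouring lines use `Patch97:` and `Patch98:`; rpm treats tag names case-insensitively so it still parses, but the inconsistency makes the new entry easy to miss when scanning the patch list, so I would write it as `Patch99: 0097-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch`. More importantly, declaring the patch only makes it available: whether it is actually applied depends on the `%prep` section, which is outside this hunk. If `%prep` applies patches with explicit `%patchN` lines rather than `%autosetup`/`%autopatch`, a matching `%patch99 -p1` is needed, otherwise the build ships unchanged code while the changelog entry claims CVE-2025-9230 is fixed. Please confirm one way or the other, since the only evidence the fix is in the binary is that the patch is both declared and applied.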