diff --git a/0102-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch b/0102-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch new file mode 100644 index 0000000000000000000000000000000000000000..4e902ab0fc5ec0c25e8c801445346377d09f7288 --- /dev/null +++ b/0102-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch @@ -0,0 +1,31 @@ +From 372e054859918a2c35f2ff00450ea2144dc1c38d Mon Sep 17 00:00:00 2001 +From: TL <1045523086@qq.com> +Date: Wed, 15 Oct 2025 21:13:01 +0800 +Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size + +Fixes CVE-2025-9230 + +The check is off by 8 bytes so it is possible to overread by +up to 8 bytes and overwrite to 4 bytes. + +Origin: https://github.com/openssl/openssl/commit/5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45 +--- + CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c +index d741488..9f98840 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c +@@ -215,7 +215,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, + /* Check byte failure */ + goto err; + } +- if (inlen < (size_t)(tmp[0] - 4)) { ++ if (inlen < 4 + (size_t)tmp[0]) { + /* Invalid length value */ + goto err; + } +-- +2.43.0 + diff --git a/edk2.spec b/edk2.spec index da434153f4fff467bd99230155f9af40cfb3a6d9..bf63476337bb250a3c2c651317eb7d8dbc2e3087 100644 --- a/edk2.spec +++ b/edk2.spec @@ -5,7 +5,7 @@ Name: edk2 Version: %{stable_date} -Release: 29 +Release: 30 Summary: EFI Development Kit II License: BSD-2-Clause-Patent URL: https://github.com/tianocore/edk2 @@ -155,6 +155,9 @@ patch99: 0099-CryptoPkg-Make-DH_check_pub_key-and.patch patch100: 0100-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch patch101: 0101-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch +# Fix CVE-2025-9230 +patch102: 0102-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch + BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python3-unversioned-command %description @@ -355,6 +358,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog +* Wed Oct 15 2025 taolinghongfei -202011-30 +- fix CVE-2025-9230 + * Mon Sep 29 2025 taolinghongfei -202011-29 - fix CVE-2024-38805, CVE-2025-3770