diff --git a/0110-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch b/0110-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch new file mode 100644 index 0000000000000000000000000000000000000000..af077468550d924bebbbc97edbbfdbf4ee231b2e --- /dev/null +++ b/0110-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch @@ -0,0 +1,31 @@ +From 115770a7ea86fe34a3823d00b854e82b95f7d06c Mon Sep 17 00:00:00 2001 +From: TL <1045523086@qq.com> +Date: Thu, 16 Oct 2025 01:21:50 +0800 +Subject: [PATCH] kek_unwrap_key(): Fix incorrect check of unwrapped key size + +Fixes CVE-2025-9230 + +The check is off by 8 bytes so it is possible to overread by +up to 8 bytes and overwrite to 4 bytes. + +Origin: https://github.com/openssl/openssl/commit/5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45 +--- + CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c +index d741488..9f98840 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c +@@ -215,7 +215,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, + /* Check byte failure */ + goto err; + } +- if (inlen < (size_t)(tmp[0] - 4)) { ++ if (inlen < 4 + (size_t)tmp[0]) { + /* Invalid length value */ + goto err; + } +-- +2.33.0 + diff --git a/edk2.spec b/edk2.spec index 7d8025499e0c73005505501956f5f94040a23fe7..2b0faa16ec6ffc106e877d05111694757bf4cd62 100644 --- a/edk2.spec +++ b/edk2.spec @@ -5,7 +5,7 @@ Name: edk2 Version: %{stable_date} -Release: 32 +Release: 33 Summary: EFI Development Kit II License: BSD-2-Clause-Patent URL: https://github.com/tianocore/edk2 @@ -142,6 +142,9 @@ Patch110: 0001-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch #Reference: https://salsa.debian.org/qemu-team/edk2/-/commit/18735c01be5dc3b1ffc1f604e68ae96542dcbf06 Patch111: 0001-UefiCpuPkg-PiSmmCpuDxeSmm-Safe-handling-of-IDT-regis.patch +# Fix CVE-2025-9230 +patch112: 0110-kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-.patch + BuildRequires: acpica-tools gcc gcc-c++ libuuid-devel python3 bc nasm python2 %description @@ -336,6 +339,9 @@ chmod +x %{buildroot}%{_bindir}/Rsa2048Sha256GenerateKeys %endif %changelog +* Wed Oct 15 2025 taolinghongfei - 202002-33 +- fix CVE-2025-9230 + * Tue Sep 09 2025 Zhang Yi - 202002-32 - fix CVE-2025-3770 - fix CVE-2024-38805