Hello, On Fri Jan 30, 2026 at 6:43 AM CET, Hitendra Prajapati via lists.openembedded.org wrote: > Upstream-Status: Backport from > https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e > && > https://github.com/openssl/openssl/commit/cdccf8f2ef17ae020bd69360c43a39306b89c381 > && > https://github.com/openssl/openssl/commit/e0666f72294691a808443970b654412a6d92fa0f
The Upstream-Status line is only useful in patches, not in commit message body. Can you add a justification as to why this patch does fix the CVE? (This applies generally to all CVE patches). In this case, something like: Backport patch from NVD report: https://nvd.nist.gov/vuln/detail/CVE-2025-15467 > > Signed-off-by: Hitendra Prajapati <[email protected]> > --- > .../openssl/openssl/CVE-2025-15467-01.patch | 40 ++++++ > .../openssl/openssl/CVE-2025-15467-02.patch | 65 +++++++++ > .../openssl/openssl/CVE-2025-15467-03.patch | 128 ++++++++++++++++++ > .../openssl/openssl_3.2.6.bb | 3 + > 4 files changed, 236 insertions(+) > create mode 100644 > meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch > create mode 100644 > meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch > create mode 100644 > meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch > > diff --git > a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch > b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch > new file mode 100644 > index 0000000000..55809d4c03 > --- /dev/null > +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch > @@ -0,0 +1,40 @@ > +From ce39170276daec87f55c39dad1f629b56344429e Mon Sep 17 00:00:00 2001 > +From: Igor Ustinov <[email protected]> > +Date: Mon, 12 Jan 2026 12:19:59 +0100 > +Subject: [PATCH] Correct handling of AEAD-encrypted CMS with inadmissibly > long > + IV > + > +Fixes CVE-2025-15467 > + > +Reviewed-by: Norbert Pocs <[email protected]> > +Reviewed-by: Eugene Syromiatnikov <[email protected]> > +Reviewed-by: Tomas Mraz <[email protected]> > +MergeDate: Mon Jan 26 19:34:29 2026 > + > +CVE: CVE-2025-15467 > +Upstream-Status: Backport > [https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e] > +Signed-off-by: Hitendra Prajapati <[email protected]> > +--- > + crypto/evp/evp_lib.c | 5 ++--- > + 1 file changed, 2 insertions(+), 3 deletions(-) > + > +diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c > +index f29d592..df38677 100644 > +--- a/crypto/evp/evp_lib.c > ++++ b/crypto/evp/evp_lib.c > +@@ -249,10 +249,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, > ASN1_TYPE *type, > + if (type == NULL || asn1_params == NULL) > + return 0; > + > +- i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, > EVP_MAX_IV_LENGTH); > +- if (i <= 0) > ++ i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, > EVP_MAX_IV_LENGTH); > ++ if (i <= 0 || i > EVP_MAX_IV_LENGTH) > + return -1; > +- ossl_asn1_type_get_octetstring_int(type, &tl, iv, i); > + > + memcpy(asn1_params->iv, iv, i); > + asn1_params->iv_len = i; > +-- > +2.50.1 > + > diff --git > a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch > b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch > new file mode 100644 > index 0000000000..52557bcaab > --- /dev/null > +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch > @@ -0,0 +1,65 @@ > +From cdccf8f2ef17ae020bd69360c43a39306b89c381 Mon Sep 17 00:00:00 2001 > +From: Igor Ustinov <[email protected]> > +Date: Mon, 12 Jan 2026 12:21:21 +0100 > +Subject: [PATCH] Some comments to clarify functions usage Why do you backport a patch adding comments only? > + > +Reviewed-by: Norbert Pocs <[email protected]> > +Reviewed-by: Eugene Syromiatnikov <[email protected]> > +Reviewed-by: Tomas Mraz <[email protected]> > +MergeDate: Mon Jan 26 19:34:31 2026 > + > +CVE: CVE-2025-15467 > +Upstream-Status: Backport > [https://github.com/openssl/openssl/commit/cdccf8f2ef17ae020bd69360c43a39306b89c381] > +Signed-off-by: Hitendra Prajapati <[email protected]> > +--- > + crypto/asn1/evp_asn1.c | 20 ++++++++++++++++++++ > + 1 file changed, 20 insertions(+) > + > +diff --git a/crypto/asn1/evp_asn1.c b/crypto/asn1/evp_asn1.c > +index 13d8ed3..6aca011 100644 > +--- a/crypto/asn1/evp_asn1.c > ++++ b/crypto/asn1/evp_asn1.c > +@@ -60,6 +60,12 @@ static ossl_inline void > asn1_type_init_oct(ASN1_OCTET_STRING *oct, > + oct->flags = 0; > + } > + > ++/* > ++ * This function copies 'anum' to 'num' and the data of 'oct' to 'data'. > ++ * If the length of 'data' > 'max_len', copies only the first 'max_len' > ++ * bytes, but returns the full length of 'oct'; this allows distinguishing > ++ * whether all the data was copied. > ++ */ > + static int asn1_type_get_int_oct(ASN1_OCTET_STRING *oct, int32_t anum, > + long *num, unsigned char *data, int > max_len) > + { > +@@ -106,6 +112,13 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long > num, unsigned char *data, > + return 0; > + } > + > ++/* > ++ * This function decodes an int-octet sequence and copies the integer to > 'num' > ++ * and the data of octet to 'data'. > ++ * If the length of 'data' > 'max_len', copies only the first 'max_len' > ++ * bytes, but returns the full length of 'oct'; this allows distinguishing > ++ * whether all the data was copied. > ++ */ > + int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num, > + unsigned char *data, int max_len) > + { > +@@ -162,6 +175,13 @@ int ossl_asn1_type_set_octetstring_int(ASN1_TYPE *a, > long num, > + return 0; > + } > + > ++/* > ++ * This function decodes an octet-int sequence and copies the data of octet > ++ * to 'data' and the integer to 'num'. > ++ * If the length of 'data' > 'max_len', copies only the first 'max_len' > ++ * bytes, but returns the full length of 'oct'; this allows distinguishing > ++ * whether all the data was copied. > ++ */ > + int ossl_asn1_type_get_octetstring_int(const ASN1_TYPE *a, long *num, > + unsigned char *data, int max_len) > + { > +-- > +2.50.1 > + > diff --git > a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch > b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch > new file mode 100644 > index 0000000000..8a2923d8fd > --- /dev/null > +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch > @@ -0,0 +1,128 @@ > +From 31bf9ffbba8dce368cd2e47fbc77bdeee92a0699 Mon Sep 17 00:00:00 2001 > +From: Hitendra Prajapati <[email protected]> > +Date: Fri, 30 Jan 2026 10:32:18 +0530 > +Subject: [PATCH 3/3] > + > +CVE: CVE-2025-15467 > +Upstream-Status: Backport > [https://github.com/openssl/openssl/commit/e0666f72294691a808443970b654412a6d92fa0f] > +Signed-off-by: Hitendra Prajapati <[email protected]> > +--- > + test/cmsapitest.c | 39 ++++++++++++++++++- > + test/recipes/80-test_cmsapi.t | 3 +- > + .../encDataWithTooLongIV.pem | 11 ++++++ > + 3 files changed, 50 insertions(+), 3 deletions(-) > + create mode 100644 test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem > + > +diff --git a/test/cmsapitest.c b/test/cmsapitest.c > +index 5839eb7..ab412d3 100644 > +--- a/test/cmsapitest.c > ++++ b/test/cmsapitest.c > +@@ -9,10 +9,10 @@ > + > + #include <string.h> > + > ++#include <openssl/pem.h> > + #include <openssl/cms.h> > + #include <openssl/bio.h> > + #include <openssl/x509.h> > +-#include <openssl/pem.h> > + #include "../crypto/cms/cms_local.h" /* for d.signedData and > d.envelopedData */ > + > + #include "testutil.h" > +@@ -20,6 +20,7 @@ > + static X509 *cert = NULL; > + static EVP_PKEY *privkey = NULL; > + static char *derin = NULL; > ++static char *too_long_iv_cms_in = NULL; > + > + static int test_encrypt_decrypt(const EVP_CIPHER *cipher) > + { > +@@ -382,6 +383,38 @@ end: > + return ret; > + } > + > ++static int test_cms_aesgcm_iv_too_long(void) > ++{ > ++ int ret = 0; > ++ BIO *cmsbio = NULL, *out = NULL; > ++ CMS_ContentInfo *cms = NULL; > ++ unsigned long err = 0; > ++ > ++ if (!TEST_ptr(cmsbio = BIO_new_file(too_long_iv_cms_in, "r"))) > ++ goto end; > ++ > ++ if (!TEST_ptr(cms = PEM_read_bio_CMS(cmsbio, NULL, NULL, NULL))) > ++ goto end; > ++ > ++ /* Must fail cleanly (no crash) */ > ++ if (!TEST_false(CMS_decrypt(cms, privkey, cert, NULL, out, 0))) > ++ goto end; > ++ err = ERR_peek_last_error(); > ++ if (!TEST_ulong_ne(err, 0)) > ++ goto end; > ++ if (!TEST_int_eq(ERR_GET_LIB(err), ERR_LIB_CMS)) > ++ goto end; > ++ if (!TEST_int_eq(ERR_GET_REASON(err), > CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR)) > ++ goto end; > ++ > ++ ret = 1; > ++end: > ++ CMS_ContentInfo_free(cms); > ++ BIO_free(cmsbio); > ++ BIO_free(out); > ++ return ret; > ++} > ++ > + OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n") > + > + int setup_tests(void) > +@@ -396,7 +429,8 @@ int setup_tests(void) > + > + if (!TEST_ptr(certin = test_get_argument(0)) > + || !TEST_ptr(privkeyin = test_get_argument(1)) > +- || !TEST_ptr(derin = test_get_argument(2))) > ++ || !TEST_ptr(derin = test_get_argument(2)) > ++ || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3))) > + return 0; > + > + certbio = BIO_new_file(certin, "r"); > +@@ -429,6 +463,7 @@ int setup_tests(void) > + ADD_TEST(test_CMS_add1_cert); > + ADD_TEST(test_d2i_CMS_bio_NULL); > + ADD_ALL_TESTS(test_d2i_CMS_decode, 2); > ++ ADD_TEST(test_cms_aesgcm_iv_too_long); > + return 1; > + } > + > +diff --git a/test/recipes/80-test_cmsapi.t b/test/recipes/80-test_cmsapi.t > +index af00355..182629e 100644 > +--- a/test/recipes/80-test_cmsapi.t > ++++ b/test/recipes/80-test_cmsapi.t > +@@ -18,5 +18,6 @@ plan tests => 1; > + > + ok(run(test(["cmsapitest", srctop_file("test", "certs", "servercert.pem"), > + srctop_file("test", "certs", "serverkey.pem"), > +- srctop_file("test", "recipes", "80-test_cmsapi_data", > "encryptedData.der")])), > ++ srctop_file("test", "recipes", "80-test_cmsapi_data", > "encryptedData.der"), > ++ srctop_file("test", "recipes", "80-test_cmsapi_data", > "encDataWithTooLongIV.pem")])), > + "running cmsapitest"); > +diff --git a/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem > b/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem > +new file mode 100644 > +index 0000000..4323cd2 > +--- /dev/null > ++++ b/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem > +@@ -0,0 +1,11 @@ > ++-----BEGIN CMS----- > ++MIIBmgYLKoZIhvcNAQkQARegggGJMIIBhQIBADGCATMwggEvAgEAMBcwEjEQMA4G > ++A1UEAwwHUm9vdCBDQQIBAjANBgkqhkiG9w0BAQEFAASCAQC8ZqP1OqbletcUre1V > ++b4XOobZzQr6wKMSsdjtGzVbZowUVv5DkOn9VOefrpg4HxMq/oi8IpzVYj8ZiKRMV > ++NTJ+/d8FwwBwUUNNP/IDnfEpX+rT1+pGS5zAa7NenLoZgGBNjPy5I2OHP23fPnEd > ++sm8YkFjzubkhAD1lod9pEOEqB3V2kTrTTiwzSNtMHggna1zPox6TkdZwFmMnp8d2 > ++CVa6lIPGx26gFwCuIDSaavmQ2URJ615L8gAvpYUlpsDqjFsabWsbaOFbMz3bIGJu > ++GkrX2ezX7CpuC1wjix26ojlTySJHv+L0IrpcaIzLlC5lB1rqtuija8dGm3rBNm/P > ++AAUNMDcGCSqGSIb3DQEHATAjBglghkgBZQMEAQYwFgQRzxwoRQzOHVooVn3CpaWl > ++paUCARCABUNdolo6BBA55E9hYaYO2S8C/ZnD8dRO > ++-----END CMS----- > +-- > +2.50.1 > + > diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb > b/meta/recipes-connectivity/openssl/openssl_3.2.6.bb > index 4756f5aaa6..fac62245d7 100644 > --- a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb > +++ b/meta/recipes-connectivity/openssl/openssl_3.2.6.bb > @@ -13,6 +13,9 @@ SRC_URI = > "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op > file://0001-Configure-do-not-tweak-mips-cflags.patch \ > > file://0001-Added-handshake-history-reporting-when-test-fails.patch \ > file://CVE-2024-41996.patch \ > + file://CVE-2025-15467-01.patch \ > + file://CVE-2025-15467-02.patch \ > + file://CVE-2025-15467-03.patch \ > " > > SRC_URI:append:class-nativesdk = " \ Can you send a v2 with the above comments fixed? Thanks! -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#231419): https://lists.openembedded.org/g/openembedded-core/message/231419 Mute This Topic: https://lists.openembedded.org/mt/117540534/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
