From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: Re: [oe] [meta-networking][scarthgap][PATCH] wolfssl: patch CVE-2025-7395
Date: Wed, 24 Dec 2025 14:01:29 +0100
Message-ID: <6f0fa420-b3af-4405-87dc-059bd7af34a9@gmail.com>
In-Reply-To: <188427E30A49A476.1342979@lists.openembedded.org>

While testing this patch, I noticed that a ptest failed
(test_wolfSSL_CTX_load_verify_locations) - but it's not a regression
from this change, because upon looking a bit more, it fails without this
patch also. (I suspect this *may* be fixed by the patch from [1], but
it's long and it seems to come with some build flag changes, so... that
test fails for now)

[1]:
https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-connectivity/wolfssl?id=5cf87bcb8704b7ed1fe4aa5953870a2e627dd50a

On 12/24/25 13:53, Gyorgy Sarvari via lists.openembedded.org wrote:
> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395
>
> Backport the patches from the PR[1] that is referenced by the project's
> changelog[2] to fix this issue.
>
> [1]: https://github.com/wolfSSL/wolfssl/pull/8833
> [2]: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md
>
> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> ---
>  .../wolfssl/files/CVE-2025-7395-1.patch       | 84 +++++++++++++++++++
>  .../wolfssl/files/CVE-2025-7395-2.patch       | 27 ++++++
>  .../wolfssl/files/CVE-2025-7395-3.patch       | 25 ++++++
>  .../wolfssl/wolfssl_5.7.2.bb                  | 10 ++-
>  4 files changed, 142 insertions(+), 4 deletions(-)
>  create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
>  create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
>  create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch
>
> diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
> new file mode 100644
> index 0000000000..9c661d6b57
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
> @@ -0,0 +1,84 @@
> +From e6c0d1ac7b480c0b5e36f660dd3c0f2b45e4c3ab Mon Sep 17 00:00:00 2001
> +From: Ruby Martin <ruby@wolfssl.com>
> +Date: Mon, 2 Jun 2025 16:38:32 -0600
> +Subject: [PATCH] create policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION,
> + domain name checking
> +
> +CVE: CVE-2025-7395
> +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9864959e41bd9259f258c09171ae2ec1c43fbc7f]
> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> +---
> + src/internal.c | 25 ++++++++++++++++++++-----
> + 1 file changed, 20 insertions(+), 5 deletions(-)
> +
> +diff --git a/src/internal.c b/src/internal.c
> +index 6bbd38fa8..2b090382f 100644
> +--- a/src/internal.c
> ++++ b/src/internal.c
> +@@ -221,7 +221,7 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
> + #include <Security/SecCertificate.h>
> + #include <Security/SecTrust.h>
> + #include <Security/SecPolicy.h>
> +-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
> ++static int DoAppleNativeCertValidation(WOLFSSL* ssl, const WOLFSSL_BUFFER_INFO* certs,
> +                                             int totalCerts);
> + #endif /* #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
> + 
> +@@ -15992,7 +15992,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
> +              * into wolfSSL, try to validate against the system certificates
> +              * using Apple's native trust APIs */
> +             if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
> +-                if (DoAppleNativeCertValidation(args->certs,
> ++                if (DoAppleNativeCertValidation(ssl, args->certs,
> +                                                      args->totalCerts)) {
> +                     WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
> +                     ret = 0;
> +@@ -41246,7 +41246,8 @@ cleanup:
> +  * wolfSSL's built-in certificate validation mechanisms anymore. We instead
> +  * must call into the Security Framework APIs to authenticate peer certificates
> +  */
> +-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
> ++static int DoAppleNativeCertValidation(WOLFSSL* ssl,
> ++                                            const WOLFSSL_BUFFER_INFO* certs,
> +                                             int totalCerts)
> + {
> +     int i;
> +@@ -41255,7 +41256,8 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
> +     CFMutableArrayRef certArray = NULL;
> +     SecCertificateRef secCert   = NULL;
> +     SecTrustRef       trust     = NULL;
> +-    SecPolicyRef      policy    = NULL ;
> ++    SecPolicyRef      policy    = NULL;
> ++    CFStringRef       hostname  = NULL;
> + 
> +     WOLFSSL_ENTER("DoAppleNativeCertValidation");
> + 
> +@@ -41283,7 +41285,17 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
> +     }
> + 
> +     /* Create trust object for SecCertifiate Ref */
> +-    policy = SecPolicyCreateSSL(true, NULL);
> ++    if (ssl->buffers.domainName.buffer &&
> ++            ssl->buffers.domainName.length > 0) {
> ++        /* Create policy with specified value to require host name match */
> ++        hostname = CFStringCreateWithCString(kCFAllocatorDefault,
> ++        (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);
> ++    }
> ++    if (hostname != NULL) {
> ++        policy = SecPolicyCreateSSL(true, hostname);
> ++    } else {
> ++        policy = SecPolicyCreateSSL(true, NULL);
> ++    }
> +     status = SecTrustCreateWithCertificates(certArray, policy, &trust);
> +     if (status != errSecSuccess) {
> +         WOLFSSL_MSG_EX("Error creating trust object, "
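Review bot: the `else` branch falls open: when `ssl->buffers.domainName.buffer` is set but `CFStringCreateWithCString` returns NULL (the stored name is not valid UTF-8, for instance), the code silently evaluates the chain with `SecPolicyCreateSSL(true, NULL)`, i.e. with no host name requirement, although the caller asked for one. A conversion failure with a configured domain name should fail the validation (the function already has a `cleanup` path) rather than downgrade the policy. Related: `domainName.length` is tested but not used in the conversion, so correctness depends on the buffer being NUL-terminated; either document that assumption or use `CFStringCreateWithBytes` with the explicit length. Minor style point: the continuation line `(const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);` is indented to the statement level instead of under the opening parenthesis like the rest of the file.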
> +@@ -41314,6 +41326,9 @@ cleanup:
> +     if (policy) {
> +         CFRelease(policy);
> +     }
> ++    if (hostname) {
> ++        CFRelease(hostname);
> ++    }
> + 
> +     WOLFSSL_LEAVE("DoAppleNativeCertValidation", ret);
> + 
> diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
> new file mode 100644
> index 0000000000..857f6bb367
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
> @@ -0,0 +1,27 @@
> +From aad4e7c38f3784942923f4871d61a7e41d3de842 Mon Sep 17 00:00:00 2001
> +From: Brett <bigbrett@users.noreply.github.com>
> +Date: Wed, 4 Jun 2025 15:48:15 -0600
> +Subject: [PATCH] prevent apple native cert validation from overriding error
> + codes other than ASN_NO_SIGNER_E
> +
> +CVE: CVE-2025-7395
> +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/bc8eeea703253bd65d472a9541b54fef326e8050]
> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> +---
> + src/internal.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/internal.c b/src/internal.c
> +index 2b090382f..79f584a0a 100644
> +--- a/src/internal.c
> ++++ b/src/internal.c
> +@@ -15991,7 +15991,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
> +             /* If we can't validate the peer cert chain against the CAs loaded
> +              * into wolfSSL, try to validate against the system certificates
> +              * using Apple's native trust APIs */
> +-            if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
> ++            if ((ret == ASN_NO_SIGNER_E) &&
> ++                (ssl->ctx->doAppleNativeCertValidationFlag)) {
> +                 if (DoAppleNativeCertValidation(ssl, args->certs,
> +                                                      args->totalCerts)) {
> +                     WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
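Review bot: the comment above the condition ("If we can't validate the peer cert chain against the CAs loaded into wolfSSL, try to validate against the system certificates") still describes the old `ret != 0` behaviour; now that only `ASN_NO_SIGNER_E` reaches the native path, update it to say that every other verification failure is kept, which is the point of the fix. The narrowing itself is right: with `ret != 0`, a successful Apple evaluation did `ret = 0` no matter why wolfSSL's own check had failed.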
> diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch
> new file mode 100644
> index 0000000000..a7e1c336f3
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch
> @@ -0,0 +1,25 @@
> +From f2a85e37e552d8dfafa2cbf32507b2fa545ee593 Mon Sep 17 00:00:00 2001
> +From: Brett <bigbrett@users.noreply.github.com>
> +Date: Wed, 4 Jun 2025 16:56:16 -0600
> +Subject: [PATCH] add missing error trace macro
> +
> +CVE: CVE-2025-7395
> +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/0e2a3fd0b64bc6ba633aa9227e92ecacb42b5b1b]
> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> +---
> + src/internal.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/src/internal.c b/src/internal.c
> +index 79f584a0a..5557b5698 100644
> +--- a/src/internal.c
> ++++ b/src/internal.c
> +@@ -15991,7 +15991,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
> +             /* If we can't validate the peer cert chain against the CAs loaded
> +              * into wolfSSL, try to validate against the system certificates
> +              * using Apple's native trust APIs */
> +-            if ((ret == ASN_NO_SIGNER_E) &&
> ++            if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
> +                 (ssl->ctx->doAppleNativeCertValidationFlag)) {
> +                 if (DoAppleNativeCertValidation(ssl, args->certs,
> +                                                      args->totalCerts)) {
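Review bot: the commit message ("add missing error trace macro") does not say why the comparison must be written as `ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)` instead of the bare error code from the previous patch; for a backport, please spell out what goes wrong with the bare comparison when error-code tracing is enabled, and confirm that `WC_NO_ERR_TRACE` is defined in the 5.7.2 tree at the recipe's `SRCREV`, since the patch would otherwise not compile.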
> diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
> index 8f484d6098..5e66c8b186 100644
> --- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
> +++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
> @@ -12,10 +12,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
>  PROVIDES += "cyassl"
>  RPROVIDES:${PN} = "cyassl"
>  
> -SRC_URI = " \
> -    git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
> -    file://run-ptest \
> -"
> +SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
> +           file://run-ptest \
> +           file://CVE-2025-7395-1.patch \
> +           file://CVE-2025-7395-2.patch \
> +           file://CVE-2025-7395-3.patch \
> +           "
>  SRCREV = "00e42151ca061463ba6a95adb2290f678cbca472"
>  
>  S = "${WORKDIR}/git"
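Review bot: the `SRC_URI` rewrite touches the two existing entries (`git://...` and `file://run-ptest`) and the closing quote only to change their indentation; a minimal diff would keep the existing layout and just add the three `file://CVE-2025-7395-*.patch` lines, which keeps the change focused on the CVE fix and makes later backports easier to compare. The ordering of the new entries is correct: -2 applies on top of -1 and -3 on top of -2, matching the `index` lines of the three patches (`2b090382f` -> `79f584a0a` -> `5557b5698`).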
>