[Buildroot] [2025.02.x, PATCH 1/3] package/mongoose: patch CVE-2025-65502

From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: buildroot@buildroot.org
Cc: Bernd Kuhls <bernd@kuhls.net>,
	Giulio Benetti <giulio.benetti@benettiengineering.com>,
	Pierre-Jean Texier <texier.pj2@gmail.com>
Subject: [Buildroot] [2025.02.x, PATCH 1/3] package/mongoose: patch CVE-2025-65502
Date: Mon, 16 Mar 2026 12:37:14 +0100	[thread overview]
Message-ID: <20260316113716.208738-1-thomas.perale@mind.be> (raw)

- CVE-2025-65502:
    Null pointer dereference in add_ca_certs() in Cesanta Mongoose before
    7.2 allows remote attackers to cause a denial of service via TLS
    initialization where SSL_CTX_get_cert_store() returns NULL.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2025-65502
  - https://github.com/cesanta/mongoose/commit/64abf061bf018fd78f31c200a57a3fb04f9f3ef2

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 .../mongoose/0001-improve-resiliency.patch    | 37 +++++++++++++++++++
 package/mongoose/mongoose.mk                  |  3 ++
 2 files changed, 40 insertions(+)
 create mode 100644 package/mongoose/0001-improve-resiliency.patch

diff --git a/package/mongoose/0001-improve-resiliency.patch b/package/mongoose/0001-improve-resiliency.patch
new file mode 100644
index 0000000000..edeea4efba
--- /dev/null
+++ b/package/mongoose/0001-improve-resiliency.patch
@@ -0,0 +1,37 @@
+From 64abf061bf018fd78f31c200a57a3fb04f9f3ef2 Mon Sep 17 00:00:00 2001
+From: "Sergio R. Caprile" <scaprile@cesanta.com>
+Date: Mon, 13 Oct 2025 10:43:45 -0300
+Subject: [PATCH] improve resiliency
+
+CVE: CVE-2025-65502
+Upstream: https://github.com/cesanta/mongoose/commit/64abf061bf018fd78f31c200a57a3fb04f9f3ef2
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ mongoose.c        | 1 +
+ src/tls_openssl.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/mongoose.c b/mongoose.c
+index 4c72be8201..f860ab3b07 100644
+--- a/mongoose.c
++++ b/mongoose.c
+@@ -14581,6 +14581,7 @@ static STACK_OF(X509_INFO) * load_ca_certs(struct mg_str ca) {
+ static bool add_ca_certs(SSL_CTX *ctx, STACK_OF(X509_INFO) * certs) {
+   int i;
+   X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx);
++  if (cert_store == NULL) return false;
+   for (i = 0; i < sk_X509_INFO_num(certs); i++) {
+     X509_INFO *cert_info = sk_X509_INFO_value(certs, i);
+     if (cert_info->x509 && !X509_STORE_add_cert(cert_store, cert_info->x509))
+diff --git a/src/tls_openssl.c b/src/tls_openssl.c
+index 37838d95ba..f51d6dd8b7 100644
+--- a/src/tls_openssl.c
++++ b/src/tls_openssl.c
+@@ -39,6 +39,7 @@ static STACK_OF(X509_INFO) * load_ca_certs(struct mg_str ca) {
+ static bool add_ca_certs(SSL_CTX *ctx, STACK_OF(X509_INFO) * certs) {
+   int i;
+   X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx);
++  if (cert_store == NULL) return false;
+   for (i = 0; i < sk_X509_INFO_num(certs); i++) {
+     X509_INFO *cert_info = sk_X509_INFO_value(certs, i);
+     if (cert_info->x509 && !X509_STORE_add_cert(cert_store, cert_info->x509))
diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
index 8316a8d59a..02c2ac5626 100644
--- a/package/mongoose/mongoose.mk
+++ b/package/mongoose/mongoose.mk
@@ -13,6 +13,9 @@ MONGOOSE_INSTALL_STAGING = YES
 # static library
 MONGOOSE_INSTALL_TARGET = NO
 
+# 0001-improve-resiliency.patch
+MONGOOSE_IGNORE_CVES += CVE-2025-65502
+
 MONGOOSE_CFLAGS = $(TARGET_CFLAGS) -std=gnu99
 
 ifeq ($(BR2_PACKAGE_OPENSSL),y)
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
