[Buildroot] [2025.02.x, PATCH 1/3] package/mongoose: patch CVE-2025-65502

[Buildroot] [2025.02.x, PATCH 1/3] package/mongoose: patch CVE-2025-65502

[Thomas Perale via buildroot]

- CVE-2025-65502:
    Null pointer dereference in add_ca_certs() in Cesanta Mongoose before
    7.2 allows remote attackers to cause a denial of service via TLS
    initialization where SSL_CTX_get_cert_store() returns NULL.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2025-65502
  - https://github.com/cesanta/mongoose/commit/64abf061bf018fd78f31c200a57a3fb04f9f3ef2

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 .../mongoose/0001-improve-resiliency.patch    | 37 +++++++++++++++++++
 package/mongoose/mongoose.mk                  |  3 ++
 2 files changed, 40 insertions(+)
 create mode 100644 package/mongoose/0001-improve-resiliency.patch

diff --git a/package/mongoose/0001-improve-resiliency.patch b/package/mongoose/0001-improve-resiliency.patch
new file mode 100644
index 0000000000..edeea4efba
--- /dev/null
+++ b/package/mongoose/0001-improve-resiliency.patch
@@ -0,0 +1,37 @@
+From 64abf061bf018fd78f31c200a57a3fb04f9f3ef2 Mon Sep 17 00:00:00 2001
+From: "Sergio R. Caprile" <scaprile@cesanta.com>
+Date: Mon, 13 Oct 2025 10:43:45 -0300
+Subject: [PATCH] improve resiliency
+
+CVE: CVE-2025-65502
+Upstream: https://github.com/cesanta/mongoose/commit/64abf061bf018fd78f31c200a57a3fb04f9f3ef2
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ mongoose.c        | 1 +
+ src/tls_openssl.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/mongoose.c b/mongoose.c
+index 4c72be8201..f860ab3b07 100644
+--- a/mongoose.c
++++ b/mongoose.c
+@@ -14581,6 +14581,7 @@ static STACK_OF(X509_INFO) * load_ca_certs(struct mg_str ca) {
+ static bool add_ca_certs(SSL_CTX *ctx, STACK_OF(X509_INFO) * certs) {
+   int i;
+   X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx);
++  if (cert_store == NULL) return false;
+   for (i = 0; i < sk_X509_INFO_num(certs); i++) {
+     X509_INFO *cert_info = sk_X509_INFO_value(certs, i);
+     if (cert_info->x509 && !X509_STORE_add_cert(cert_store, cert_info->x509))
+diff --git a/src/tls_openssl.c b/src/tls_openssl.c
+index 37838d95ba..f51d6dd8b7 100644
+--- a/src/tls_openssl.c
++++ b/src/tls_openssl.c
+@@ -39,6 +39,7 @@ static STACK_OF(X509_INFO) * load_ca_certs(struct mg_str ca) {
+ static bool add_ca_certs(SSL_CTX *ctx, STACK_OF(X509_INFO) * certs) {
+   int i;
+   X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx);
++  if (cert_store == NULL) return false;
+   for (i = 0; i < sk_X509_INFO_num(certs); i++) {
+     X509_INFO *cert_info = sk_X509_INFO_value(certs, i);
+     if (cert_info->x509 && !X509_STORE_add_cert(cert_store, cert_info->x509))
diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
index 8316a8d59a..02c2ac5626 100644
--- a/package/mongoose/mongoose.mk
+++ b/package/mongoose/mongoose.mk
@@ -13,6 +13,9 @@ MONGOOSE_INSTALL_STAGING = YES
 # static library
 MONGOOSE_INSTALL_TARGET = NO
 
+# 0001-improve-resiliency.patch
+MONGOOSE_IGNORE_CVES += CVE-2025-65502
+
 MONGOOSE_CFLAGS = $(TARGET_CFLAGS) -std=gnu99
 
 ifeq ($(BR2_PACKAGE_OPENSSL),y)
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [2025.02.x, PATCH 2/3] package/libheif: patch CVE-2025-68431

[Thomas Perale via buildroot]

- CVE-2025-68431:
    libheif is an HEIF and AVIF file format decoder and encoder. Prior to
    version 1.21.0, a crafted HEIF that exercises the overlay image item
    path triggers a heap buffer over-read in `HeifPixelImage::overlay()`.
    The function computes a negative row length (likely from an unclipped
    overlay rectangle or invalid offsets), which then underflows when
    converted to `size_t` and is passed to `memcpy`, causing a very large
    read past the end of the source plane and a crash. Version 1.21.0
    contains a patch. As a workaround, avoid decoding images using `iovl`
    overlay boxes.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2025-68431
  - https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 ...x-wrong-copy-width-in-overlay-images.patch | 26 +++++++++++++++++++
 package/libheif/libheif.mk                    |  3 +++
 2 files changed, 29 insertions(+)
 create mode 100644 package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch

diff --git a/package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch b/package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch
new file mode 100644
index 0000000000..4d845b2f90
--- /dev/null
+++ b/package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch
@@ -0,0 +1,26 @@
+From b8c12a7b70f46c9516711a988483bed377b78d46 Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 11 Nov 2025 19:47:50 +0100
+Subject: [PATCH] fix wrong copy width in overlay images (thanks to Aldo
+ Ristori for reporting this)
+
+CVE: CVE-2025-68431
+Upstream: https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ libheif/pixelimage.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libheif/pixelimage.cc b/libheif/pixelimage.cc
+index f202c61049..84a8dd739e 100644
+--- a/libheif/pixelimage.cc
++++ b/libheif/pixelimage.cc
+@@ -1508,7 +1508,7 @@ Error HeifPixelImage::overlay(std::shared_ptr<HeifPixelImage>& overlay, int32_t
+       if (!has_alpha) {
+         memcpy(out_p + out_x0 + (out_y0 + y - in_y0) * out_stride,
+                in_p + in_x0 + y * in_stride,
+-               in_w - in_x0);
++               in_w);
+       }
+       else {
+         for (uint32_t x = in_x0; x < in_w; x++) {
diff --git a/package/libheif/libheif.mk b/package/libheif/libheif.mk
index 8d91a109db..325502ad00 100644
--- a/package/libheif/libheif.mk
+++ b/package/libheif/libheif.mk
@@ -23,6 +23,9 @@ LIBHEIF_CONF_OPTS = \
 	-DWITH_REDUCED_VISIBILITY=ON \
 	-DWITH_SvtEnc=OFF
 
+# 0001-fix-wrong-copy-width-in-overlay-images.patch
+LIBHEIF_IGNORE_CVES += CVE-2025-68431
+
 ifeq ($(BR2_PACKAGE_DAV1D),y)
 LIBHEIF_CONF_OPTS += -DWITH_DAV1D=ON
 LIBHEIF_DEPENDENCIES += dav1d
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [2025.02.x, PATCH 2/3] package/libheif: patch CVE-2025-68431

[Thomas Perale via buildroot]

In reply of:
> - CVE-2025-68431:
>     libheif is an HEIF and AVIF file format decoder and encoder. Prior to
>     version 1.21.0, a crafted HEIF that exercises the overlay image item
>     path triggers a heap buffer over-read in `HeifPixelImage::overlay()`.
>     The function computes a negative row length (likely from an unclipped
>     overlay rectangle or invalid offsets), which then underflows when
>     converted to `size_t` and is passed to `memcpy`, causing a very large
>     read past the end of the source plane and a crash. Version 1.21.0
>     contains a patch. As a workaround, avoid decoding images using `iovl`
>     overlay boxes.
> 
> For more information, see:
>   - https://www.cve.org/CVERecord?id=CVE-2025-68431
>   - https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to 2025.02.x. Thanks

> ---
>  ...x-wrong-copy-width-in-overlay-images.patch | 26 +++++++++++++++++++
>  package/libheif/libheif.mk                    |  3 +++
>  2 files changed, 29 insertions(+)
>  create mode 100644 package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch
> 
> diff --git a/package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch b/package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch
> new file mode 100644
> index 0000000000..4d845b2f90
> --- /dev/null
> +++ b/package/libheif/0001-fix-wrong-copy-width-in-overlay-images.patch
> @@ -0,0 +1,26 @@
> +From b8c12a7b70f46c9516711a988483bed377b78d46 Mon Sep 17 00:00:00 2001
> +From: Dirk Farin <dirk.farin@gmail.com>
> +Date: Tue, 11 Nov 2025 19:47:50 +0100
> +Subject: [PATCH] fix wrong copy width in overlay images (thanks to Aldo
> + Ristori for reporting this)
> +
> +CVE: CVE-2025-68431
> +Upstream: https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46
> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> +---
> + libheif/pixelimage.cc | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/libheif/pixelimage.cc b/libheif/pixelimage.cc
> +index f202c61049..84a8dd739e 100644
> +--- a/libheif/pixelimage.cc
> ++++ b/libheif/pixelimage.cc
> +@@ -1508,7 +1508,7 @@ Error HeifPixelImage::overlay(std::shared_ptr<HeifPixelImage>& overlay, int32_t
> +       if (!has_alpha) {
> +         memcpy(out_p + out_x0 + (out_y0 + y - in_y0) * out_stride,
> +                in_p + in_x0 + y * in_stride,
> +-               in_w - in_x0);
> ++               in_w);
> +       }
> +       else {
> +         for (uint32_t x = in_x0; x < in_w; x++) {
> diff --git a/package/libheif/libheif.mk b/package/libheif/libheif.mk
> index 8d91a109db..325502ad00 100644
> --- a/package/libheif/libheif.mk
> +++ b/package/libheif/libheif.mk
> @@ -23,6 +23,9 @@ LIBHEIF_CONF_OPTS = \
>  	-DWITH_REDUCED_VISIBILITY=ON \
>  	-DWITH_SvtEnc=OFF
>  
> +# 0001-fix-wrong-copy-width-in-overlay-images.patch
> +LIBHEIF_IGNORE_CVES += CVE-2025-68431
> +
>  ifeq ($(BR2_PACKAGE_DAV1D),y)
>  LIBHEIF_CONF_OPTS += -DWITH_DAV1D=ON
>  LIBHEIF_DEPENDENCIES += dav1d
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [2025.02.x, PATCH 3/3] package/wireshark: security bump to v4.2.14

[Thomas Perale via buildroot]

For more information on the version bump, see:

- https://www.wireshark.org/docs/relnotes/wireshark-4.2.14.html

Fixes the following vulnerability:

- CVE-2025-11626:
    MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to
    4.2.13 allows denial of service

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2025-11626

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 package/wireshark/wireshark.hash | 6 +++---
 package/wireshark/wireshark.mk   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/wireshark/wireshark.hash b/package/wireshark/wireshark.hash
index f1f2f58442..521fea662c 100644
--- a/package/wireshark/wireshark.hash
+++ b/package/wireshark/wireshark.hash
@@ -1,6 +1,6 @@
-# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-4.2.13.txt
-sha1  e5a08396a98d5dfba4078c66677aacd50d47ec90  wireshark-4.2.13.tar.xz
-sha256  2454aa650276264d23aca28e1b62eb5d4bd12b64aa261d38c06b33f97b8fa3dd  wireshark-4.2.13.tar.xz
+# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-4.2.14.txt
+sha1  e972062abc0d15db34c3a0186c39511efb29ea34  wireshark-4.2.14.tar.xz
+sha256  098177f021951638f5bdca5b01f284c14fcc3f6c804f7aa2ca00fdcb99c7a166  wireshark-4.2.14.tar.xz
 
 # Locally calculated
 sha256  edaef632cbb643e4e7a221717a6c441a4c1a7c918e6e4d56debc3d8739b233f6  COPYING
diff --git a/package/wireshark/wireshark.mk b/package/wireshark/wireshark.mk
index bd81224ae7..3a92c4cfa4 100644
--- a/package/wireshark/wireshark.mk
+++ b/package/wireshark/wireshark.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-WIRESHARK_VERSION = 4.2.13
+WIRESHARK_VERSION = 4.2.14
 WIRESHARK_SOURCE = wireshark-$(WIRESHARK_VERSION).tar.xz
 WIRESHARK_SITE = https://www.wireshark.org/download/src/all-versions
 WIRESHARK_LICENSE = wireshark license
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [2025.02.x, PATCH 3/3] package/wireshark: security bump to v4.2.14

[Thomas Perale via buildroot]

In reply of:
> For more information on the version bump, see:
> 
> - https://www.wireshark.org/docs/relnotes/wireshark-4.2.14.html
> 
> Fixes the following vulnerability:
> 
> - CVE-2025-11626:
>     MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to
>     4.2.13 allows denial of service
> 
> For more information, see:
>   - https://www.cve.org/CVERecord?id=CVE-2025-11626
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to 2025.02.x. Thanks

> ---
>  package/wireshark/wireshark.hash | 6 +++---
>  package/wireshark/wireshark.mk   | 2 +-
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/package/wireshark/wireshark.hash b/package/wireshark/wireshark.hash
> index f1f2f58442..521fea662c 100644
> --- a/package/wireshark/wireshark.hash
> +++ b/package/wireshark/wireshark.hash
> @@ -1,6 +1,6 @@
> -# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-4.2.13.txt
> -sha1  e5a08396a98d5dfba4078c66677aacd50d47ec90  wireshark-4.2.13.tar.xz
> -sha256  2454aa650276264d23aca28e1b62eb5d4bd12b64aa261d38c06b33f97b8fa3dd  wireshark-4.2.13.tar.xz
> +# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-4.2.14.txt
> +sha1  e972062abc0d15db34c3a0186c39511efb29ea34  wireshark-4.2.14.tar.xz
> +sha256  098177f021951638f5bdca5b01f284c14fcc3f6c804f7aa2ca00fdcb99c7a166  wireshark-4.2.14.tar.xz
>  
>  # Locally calculated
>  sha256  edaef632cbb643e4e7a221717a6c441a4c1a7c918e6e4d56debc3d8739b233f6  COPYING
> diff --git a/package/wireshark/wireshark.mk b/package/wireshark/wireshark.mk
> index bd81224ae7..3a92c4cfa4 100644
> --- a/package/wireshark/wireshark.mk
> +++ b/package/wireshark/wireshark.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -WIRESHARK_VERSION = 4.2.13
> +WIRESHARK_VERSION = 4.2.14
>  WIRESHARK_SOURCE = wireshark-$(WIRESHARK_VERSION).tar.xz
>  WIRESHARK_SITE = https://www.wireshark.org/download/src/all-versions
>  WIRESHARK_LICENSE = wireshark license
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [2025.02.x, PATCH 1/3] package/mongoose: patch CVE-2025-65502

[Thomas Perale via buildroot]

In reply of:
> - CVE-2025-65502:
>     Null pointer dereference in add_ca_certs() in Cesanta Mongoose before
>     7.2 allows remote attackers to cause a denial of service via TLS
>     initialization where SSL_CTX_get_cert_store() returns NULL.
> 
> For more information, see:
>   - https://www.cve.org/CVERecord?id=CVE-2025-65502
>   - https://github.com/cesanta/mongoose/commit/64abf061bf018fd78f31c200a57a3fb04f9f3ef2
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to 2025.02.x. Thanks

> ---
>  .../mongoose/0001-improve-resiliency.patch    | 37 +++++++++++++++++++
>  package/mongoose/mongoose.mk                  |  3 ++
>  2 files changed, 40 insertions(+)
>  create mode 100644 package/mongoose/0001-improve-resiliency.patch
> 
> diff --git a/package/mongoose/0001-improve-resiliency.patch b/package/mongoose/0001-improve-resiliency.patch
> new file mode 100644
> index 0000000000..edeea4efba
> --- /dev/null
> +++ b/package/mongoose/0001-improve-resiliency.patch
> @@ -0,0 +1,37 @@
> +From 64abf061bf018fd78f31c200a57a3fb04f9f3ef2 Mon Sep 17 00:00:00 2001
> +From: "Sergio R. Caprile" <scaprile@cesanta.com>
> +Date: Mon, 13 Oct 2025 10:43:45 -0300
> +Subject: [PATCH] improve resiliency
> +
> +CVE: CVE-2025-65502
> +Upstream: https://github.com/cesanta/mongoose/commit/64abf061bf018fd78f31c200a57a3fb04f9f3ef2
> +Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> +---
> + mongoose.c        | 1 +
> + src/tls_openssl.c | 1 +
> + 2 files changed, 2 insertions(+)
> +
> +diff --git a/mongoose.c b/mongoose.c
> +index 4c72be8201..f860ab3b07 100644
> +--- a/mongoose.c
> ++++ b/mongoose.c
> +@@ -14581,6 +14581,7 @@ static STACK_OF(X509_INFO) * load_ca_certs(struct mg_str ca) {
> + static bool add_ca_certs(SSL_CTX *ctx, STACK_OF(X509_INFO) * certs) {
> +   int i;
> +   X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx);
> ++  if (cert_store == NULL) return false;
> +   for (i = 0; i < sk_X509_INFO_num(certs); i++) {
> +     X509_INFO *cert_info = sk_X509_INFO_value(certs, i);
> +     if (cert_info->x509 && !X509_STORE_add_cert(cert_store, cert_info->x509))
> +diff --git a/src/tls_openssl.c b/src/tls_openssl.c
> +index 37838d95ba..f51d6dd8b7 100644
> +--- a/src/tls_openssl.c
> ++++ b/src/tls_openssl.c
> +@@ -39,6 +39,7 @@ static STACK_OF(X509_INFO) * load_ca_certs(struct mg_str ca) {
> + static bool add_ca_certs(SSL_CTX *ctx, STACK_OF(X509_INFO) * certs) {
> +   int i;
> +   X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx);
> ++  if (cert_store == NULL) return false;
> +   for (i = 0; i < sk_X509_INFO_num(certs); i++) {
> +     X509_INFO *cert_info = sk_X509_INFO_value(certs, i);
> +     if (cert_info->x509 && !X509_STORE_add_cert(cert_store, cert_info->x509))
> diff --git a/package/mongoose/mongoose.mk b/package/mongoose/mongoose.mk
> index 8316a8d59a..02c2ac5626 100644
> --- a/package/mongoose/mongoose.mk
> +++ b/package/mongoose/mongoose.mk
> @@ -13,6 +13,9 @@ MONGOOSE_INSTALL_STAGING = YES
>  # static library
>  MONGOOSE_INSTALL_TARGET = NO
>  
> +# 0001-improve-resiliency.patch
> +MONGOOSE_IGNORE_CVES += CVE-2025-65502
> +
>  MONGOOSE_CFLAGS = $(TARGET_CFLAGS) -std=gnu99
>  
>  ifeq ($(BR2_PACKAGE_OPENSSL),y)
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot