From: "Yoann Congal" <yoann.congal@smile.fr>
To: <hprajapati@mvista.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [scarthgap][PATCH] openssl: fix CVE-2025-15467
Date: Thu, 19 Feb 2026 11:02:02 +0100 [thread overview]
Message-ID: <DGIUOKEX70I8.H1SWS5I9XCLT@smile.fr> (raw)
In-Reply-To: <20260130054350.300667-1-hprajapati@mvista.com>
Hello,
On Fri Jan 30, 2026 at 6:43 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Upstream-Status: Backport from https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e && https://github.com/openssl/openssl/commit/cdccf8f2ef17ae020bd69360c43a39306b89c381 && https://github.com/openssl/openssl/commit/e0666f72294691a808443970b654412a6d92fa0f
The Upstream-Status line is only useful in patches, not in commit
message body.
Can you add a justification as to why this patch does fix the CVE? (This
applies generally to all CVE patches). In this case, something like:
Backport patch from NVD report: https://nvd.nist.gov/vuln/detail/CVE-2025-15467
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
> .../openssl/openssl/CVE-2025-15467-01.patch | 40 ++++++
> .../openssl/openssl/CVE-2025-15467-02.patch | 65 +++++++++
> .../openssl/openssl/CVE-2025-15467-03.patch | 128 ++++++++++++++++++
> .../openssl/openssl_3.2.6.bb | 3 +
> 4 files changed, 236 insertions(+)
> create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch
> create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch
> create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch
> new file mode 100644
> index 0000000000..55809d4c03
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch
> @@ -0,0 +1,40 @@
> +From ce39170276daec87f55c39dad1f629b56344429e Mon Sep 17 00:00:00 2001
> +From: Igor Ustinov <igus68@gmail.com>
> +Date: Mon, 12 Jan 2026 12:19:59 +0100
> +Subject: [PATCH] Correct handling of AEAD-encrypted CMS with inadmissibly long
> + IV
> +
> +Fixes CVE-2025-15467
> +
> +Reviewed-by: Norbert Pocs <norbertp@openssl.org>
> +Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
> +Reviewed-by: Tomas Mraz <tomas@openssl.org>
> +MergeDate: Mon Jan 26 19:34:29 2026
> +
> +CVE: CVE-2025-15467
> +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + crypto/evp/evp_lib.c | 5 ++---
> + 1 file changed, 2 insertions(+), 3 deletions(-)
> +
> +diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
> +index f29d592..df38677 100644
> +--- a/crypto/evp/evp_lib.c
> ++++ b/crypto/evp/evp_lib.c
> +@@ -249,10 +249,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
> + if (type == NULL || asn1_params == NULL)
> + return 0;
> +
> +- i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH);
> +- if (i <= 0)
> ++ i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH);
> ++ if (i <= 0 || i > EVP_MAX_IV_LENGTH)
> + return -1;
> +- ossl_asn1_type_get_octetstring_int(type, &tl, iv, i);
> +
> + memcpy(asn1_params->iv, iv, i);
> + asn1_params->iv_len = i;
> +--
> +2.50.1
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch
> new file mode 100644
> index 0000000000..52557bcaab
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch
> @@ -0,0 +1,65 @@
> +From cdccf8f2ef17ae020bd69360c43a39306b89c381 Mon Sep 17 00:00:00 2001
> +From: Igor Ustinov <igus68@gmail.com>
> +Date: Mon, 12 Jan 2026 12:21:21 +0100
> +Subject: [PATCH] Some comments to clarify functions usage
Why do you backport a patch adding comments only?
> +
> +Reviewed-by: Norbert Pocs <norbertp@openssl.org>
> +Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
> +Reviewed-by: Tomas Mraz <tomas@openssl.org>
> +MergeDate: Mon Jan 26 19:34:31 2026
> +
> +CVE: CVE-2025-15467
> +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/cdccf8f2ef17ae020bd69360c43a39306b89c381]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + crypto/asn1/evp_asn1.c | 20 ++++++++++++++++++++
> + 1 file changed, 20 insertions(+)
> +
> +diff --git a/crypto/asn1/evp_asn1.c b/crypto/asn1/evp_asn1.c
> +index 13d8ed3..6aca011 100644
> +--- a/crypto/asn1/evp_asn1.c
> ++++ b/crypto/asn1/evp_asn1.c
> +@@ -60,6 +60,12 @@ static ossl_inline void asn1_type_init_oct(ASN1_OCTET_STRING *oct,
> + oct->flags = 0;
> + }
> +
> ++/*
> ++ * This function copies 'anum' to 'num' and the data of 'oct' to 'data'.
> ++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
> ++ * bytes, but returns the full length of 'oct'; this allows distinguishing
> ++ * whether all the data was copied.
> ++ */
> + static int asn1_type_get_int_oct(ASN1_OCTET_STRING *oct, int32_t anum,
> + long *num, unsigned char *data, int max_len)
> + {
> +@@ -106,6 +112,13 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
> + return 0;
> + }
> +
> ++/*
> ++ * This function decodes an int-octet sequence and copies the integer to 'num'
> ++ * and the data of octet to 'data'.
> ++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
> ++ * bytes, but returns the full length of 'oct'; this allows distinguishing
> ++ * whether all the data was copied.
> ++ */
> + int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num,
> + unsigned char *data, int max_len)
> + {
> +@@ -162,6 +175,13 @@ int ossl_asn1_type_set_octetstring_int(ASN1_TYPE *a, long num,
> + return 0;
> + }
> +
> ++/*
> ++ * This function decodes an octet-int sequence and copies the data of octet
> ++ * to 'data' and the integer to 'num'.
> ++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
> ++ * bytes, but returns the full length of 'oct'; this allows distinguishing
> ++ * whether all the data was copied.
> ++ */
> + int ossl_asn1_type_get_octetstring_int(const ASN1_TYPE *a, long *num,
> + unsigned char *data, int max_len)
> + {
> +--
> +2.50.1
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch
> new file mode 100644
> index 0000000000..8a2923d8fd
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch
> @@ -0,0 +1,128 @@
> +From 31bf9ffbba8dce368cd2e47fbc77bdeee92a0699 Mon Sep 17 00:00:00 2001
> +From: Hitendra Prajapati <hprajapati@mvista.com>
> +Date: Fri, 30 Jan 2026 10:32:18 +0530
> +Subject: [PATCH 3/3]
> +
> +CVE: CVE-2025-15467
> +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e0666f72294691a808443970b654412a6d92fa0f]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + test/cmsapitest.c | 39 ++++++++++++++++++-
> + test/recipes/80-test_cmsapi.t | 3 +-
> + .../encDataWithTooLongIV.pem | 11 ++++++
> + 3 files changed, 50 insertions(+), 3 deletions(-)
> + create mode 100644 test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
> +
> +diff --git a/test/cmsapitest.c b/test/cmsapitest.c
> +index 5839eb7..ab412d3 100644
> +--- a/test/cmsapitest.c
> ++++ b/test/cmsapitest.c
> +@@ -9,10 +9,10 @@
> +
> + #include <string.h>
> +
> ++#include <openssl/pem.h>
> + #include <openssl/cms.h>
> + #include <openssl/bio.h>
> + #include <openssl/x509.h>
> +-#include <openssl/pem.h>
> + #include "../crypto/cms/cms_local.h" /* for d.signedData and d.envelopedData */
> +
> + #include "testutil.h"
> +@@ -20,6 +20,7 @@
> + static X509 *cert = NULL;
> + static EVP_PKEY *privkey = NULL;
> + static char *derin = NULL;
> ++static char *too_long_iv_cms_in = NULL;
> +
> + static int test_encrypt_decrypt(const EVP_CIPHER *cipher)
> + {
> +@@ -382,6 +383,38 @@ end:
> + return ret;
> + }
> +
> ++static int test_cms_aesgcm_iv_too_long(void)
> ++{
> ++ int ret = 0;
> ++ BIO *cmsbio = NULL, *out = NULL;
> ++ CMS_ContentInfo *cms = NULL;
> ++ unsigned long err = 0;
> ++
> ++ if (!TEST_ptr(cmsbio = BIO_new_file(too_long_iv_cms_in, "r")))
> ++ goto end;
> ++
> ++ if (!TEST_ptr(cms = PEM_read_bio_CMS(cmsbio, NULL, NULL, NULL)))
> ++ goto end;
> ++
> ++ /* Must fail cleanly (no crash) */
> ++ if (!TEST_false(CMS_decrypt(cms, privkey, cert, NULL, out, 0)))
> ++ goto end;
> ++ err = ERR_peek_last_error();
> ++ if (!TEST_ulong_ne(err, 0))
> ++ goto end;
> ++ if (!TEST_int_eq(ERR_GET_LIB(err), ERR_LIB_CMS))
> ++ goto end;
> ++ if (!TEST_int_eq(ERR_GET_REASON(err), CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR))
> ++ goto end;
> ++
> ++ ret = 1;
> ++end:
> ++ CMS_ContentInfo_free(cms);
> ++ BIO_free(cmsbio);
> ++ BIO_free(out);
> ++ return ret;
> ++}
> ++
> + OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n")
> +
> + int setup_tests(void)
> +@@ -396,7 +429,8 @@ int setup_tests(void)
> +
> + if (!TEST_ptr(certin = test_get_argument(0))
> + || !TEST_ptr(privkeyin = test_get_argument(1))
> +- || !TEST_ptr(derin = test_get_argument(2)))
> ++ || !TEST_ptr(derin = test_get_argument(2))
> ++ || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3)))
> + return 0;
> +
> + certbio = BIO_new_file(certin, "r");
> +@@ -429,6 +463,7 @@ int setup_tests(void)
> + ADD_TEST(test_CMS_add1_cert);
> + ADD_TEST(test_d2i_CMS_bio_NULL);
> + ADD_ALL_TESTS(test_d2i_CMS_decode, 2);
> ++ ADD_TEST(test_cms_aesgcm_iv_too_long);
> + return 1;
> + }
> +
> +diff --git a/test/recipes/80-test_cmsapi.t b/test/recipes/80-test_cmsapi.t
> +index af00355..182629e 100644
> +--- a/test/recipes/80-test_cmsapi.t
> ++++ b/test/recipes/80-test_cmsapi.t
> +@@ -18,5 +18,6 @@ plan tests => 1;
> +
> + ok(run(test(["cmsapitest", srctop_file("test", "certs", "servercert.pem"),
> + srctop_file("test", "certs", "serverkey.pem"),
> +- srctop_file("test", "recipes", "80-test_cmsapi_data", "encryptedData.der")])),
> ++ srctop_file("test", "recipes", "80-test_cmsapi_data", "encryptedData.der"),
> ++ srctop_file("test", "recipes", "80-test_cmsapi_data", "encDataWithTooLongIV.pem")])),
> + "running cmsapitest");
> +diff --git a/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem b/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
> +new file mode 100644
> +index 0000000..4323cd2
> +--- /dev/null
> ++++ b/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
> +@@ -0,0 +1,11 @@
> ++-----BEGIN CMS-----
> ++MIIBmgYLKoZIhvcNAQkQARegggGJMIIBhQIBADGCATMwggEvAgEAMBcwEjEQMA4G
> ++A1UEAwwHUm9vdCBDQQIBAjANBgkqhkiG9w0BAQEFAASCAQC8ZqP1OqbletcUre1V
> ++b4XOobZzQr6wKMSsdjtGzVbZowUVv5DkOn9VOefrpg4HxMq/oi8IpzVYj8ZiKRMV
> ++NTJ+/d8FwwBwUUNNP/IDnfEpX+rT1+pGS5zAa7NenLoZgGBNjPy5I2OHP23fPnEd
> ++sm8YkFjzubkhAD1lod9pEOEqB3V2kTrTTiwzSNtMHggna1zPox6TkdZwFmMnp8d2
> ++CVa6lIPGx26gFwCuIDSaavmQ2URJ615L8gAvpYUlpsDqjFsabWsbaOFbMz3bIGJu
> ++GkrX2ezX7CpuC1wjix26ojlTySJHv+L0IrpcaIzLlC5lB1rqtuija8dGm3rBNm/P
> ++AAUNMDcGCSqGSIb3DQEHATAjBglghkgBZQMEAQYwFgQRzxwoRQzOHVooVn3CpaWl
> ++paUCARCABUNdolo6BBA55E9hYaYO2S8C/ZnD8dRO
> ++-----END CMS-----
> +--
> +2.50.1
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb b/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> index 4756f5aaa6..fac62245d7 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> @@ -13,6 +13,9 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
> file://0001-Configure-do-not-tweak-mips-cflags.patch \
> file://0001-Added-handshake-history-reporting-when-test-fails.patch \
> file://CVE-2024-41996.patch \
> + file://CVE-2025-15467-01.patch \
> + file://CVE-2025-15467-02.patch \
> + file://CVE-2025-15467-03.patch \
> "
>
> SRC_URI:append:class-nativesdk = " \
Can you send a v2 with the above comments fixed?
Thanks!
--
Yoann Congal
Smile ECS
prev parent reply other threads:[~2026-02-19 10:02 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-30 5:43 [scarthgap][PATCH] openssl: fix CVE-2025-15467 Hitendra Prajapati
2026-02-04 16:49 ` [OE-core] " Yoann Congal
2026-02-04 17:11 ` Marko, Peter
2026-02-04 17:29 ` Yoann Congal
2026-02-19 10:02 ` Yoann Congal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DGIUOKEX70I8.H1SWS5I9XCLT@smile.fr \
--to=yoann.congal@smile.fr \
--cc=hprajapati@mvista.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox