* [scarthgap][PATCH] openssl: fix CVE-2025-15467
@ 2026-01-30  5:43 Hitendra Prajapati
  2026-02-04 16:49 ` [OE-core] " Yoann Congal
  2026-02-19 10:02 ` Yoann Congal
  0 siblings, 2 replies; 5+ messages in thread
From: Hitendra Prajapati @ 2026-01-30  5:43 UTC (permalink / raw)
  To: openembedded-core; +Cc: Hitendra Prajapati

Upstream-Status: Backport from https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e && https://github.com/openssl/openssl/commit/cdccf8f2ef17ae020bd69360c43a39306b89c381 && https://github.com/openssl/openssl/commit/e0666f72294691a808443970b654412a6d92fa0f

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 .../openssl/openssl/CVE-2025-15467-01.patch   |  40 ++++++
 .../openssl/openssl/CVE-2025-15467-02.patch   |  65 +++++++++
 .../openssl/openssl/CVE-2025-15467-03.patch   | 128 ++++++++++++++++++
 .../openssl/openssl_3.2.6.bb                  |   3 +
 4 files changed, 236 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch
new file mode 100644
index 0000000000..55809d4c03
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch
@@ -0,0 +1,40 @@
+From ce39170276daec87f55c39dad1f629b56344429e Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus68@gmail.com>
+Date: Mon, 12 Jan 2026 12:19:59 +0100
+Subject: [PATCH] Correct handling of AEAD-encrypted CMS with inadmissibly long
+ IV
+
+Fixes CVE-2025-15467
+
+Reviewed-by: Norbert Pocs <norbertp@openssl.org>
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+MergeDate: Mon Jan 26 19:34:29 2026
+
+CVE: CVE-2025-15467
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ crypto/evp/evp_lib.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
+index f29d592..df38677 100644
+--- a/crypto/evp/evp_lib.c
++++ b/crypto/evp/evp_lib.c
+@@ -249,10 +249,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
+     if (type == NULL || asn1_params == NULL)
+         return 0;
+ 
+-    i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH);
+-    if (i <= 0)
++    i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH);
++    if (i <= 0 || i > EVP_MAX_IV_LENGTH)
+         return -1;
+-    ossl_asn1_type_get_octetstring_int(type, &tl, iv, i);
+ 
+     memcpy(asn1_params->iv, iv, i);
+     asn1_params->iv_len = i;
+-- 
+2.50.1
+
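Review bot: The new upper-bound check `if (i <= 0 || i > EVP_MAX_IV_LENGTH)` in evp_cipher_get_asn1_aead_params is load-bearing but reads as redundant, because ossl_asn1_type_get_octetstring_int was already passed `EVP_MAX_IV_LENGTH` as the limit; the helper copies at most max_len bytes into `iv` yet returns the full encoded length, so without this guard the following `memcpy(asn1_params->iv, iv, i)` would read past `iv`. A comment on the check would keep that reasoning with the code: `/* helper copies at most EVP_MAX_IV_LENGTH bytes but returns the encoded length; reject, do not truncate, an over-long IV */`. Presumably `iv` is an EVP_MAX_IV_LENGTH-byte local and `asn1_params->iv` is at least as large — both declarations, and the rest of the enclosing function, are outside the hunk.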
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch
new file mode 100644
index 0000000000..52557bcaab
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch
@@ -0,0 +1,65 @@
+From cdccf8f2ef17ae020bd69360c43a39306b89c381 Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus68@gmail.com>
+Date: Mon, 12 Jan 2026 12:21:21 +0100
+Subject: [PATCH] Some comments to clarify functions usage
+
+Reviewed-by: Norbert Pocs <norbertp@openssl.org>
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+MergeDate: Mon Jan 26 19:34:31 2026
+
+CVE: CVE-2025-15467
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/cdccf8f2ef17ae020bd69360c43a39306b89c381]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ crypto/asn1/evp_asn1.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/crypto/asn1/evp_asn1.c b/crypto/asn1/evp_asn1.c
+index 13d8ed3..6aca011 100644
+--- a/crypto/asn1/evp_asn1.c
++++ b/crypto/asn1/evp_asn1.c
+@@ -60,6 +60,12 @@ static ossl_inline void asn1_type_init_oct(ASN1_OCTET_STRING *oct,
+     oct->flags = 0;
+ }
+ 
++/*
++ * This function copies 'anum' to 'num' and the data of 'oct' to 'data'.
++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
++ * bytes, but returns the full length of 'oct'; this allows distinguishing
++ * whether all the data was copied.
++ */
+ static int asn1_type_get_int_oct(ASN1_OCTET_STRING *oct, int32_t anum,
+                                  long *num, unsigned char *data, int max_len)
+ {
+@@ -106,6 +112,13 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
+     return 0;
+ }
+ 
++/*
++ * This function decodes an int-octet sequence and copies the integer to 'num'
++ * and the data of octet to 'data'.
++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
++ * bytes, but returns the full length of 'oct'; this allows distinguishing
++ * whether all the data was copied.
++ */
+ int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num,
+                                   unsigned char *data, int max_len)
+ {
+@@ -162,6 +175,13 @@ int ossl_asn1_type_set_octetstring_int(ASN1_TYPE *a, long num,
+     return 0;
+ }
+ 
++/*
++ * This function decodes an octet-int sequence and copies the data of octet
++ * to 'data' and the integer to 'num'.
++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
++ * bytes, but returns the full length of 'oct'; this allows distinguishing
++ * whether all the data was copied.
++ */
+ int ossl_asn1_type_get_octetstring_int(const ASN1_TYPE *a, long *num,
+                                        unsigned char *data, int max_len)
+ {
+-- 
+2.50.1
+
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch
new file mode 100644
index 0000000000..8a2923d8fd
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch
@@ -0,0 +1,128 @@
+From 31bf9ffbba8dce368cd2e47fbc77bdeee92a0699 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Fri, 30 Jan 2026 10:32:18 +0530
+Subject: [PATCH 3/3] 
+
+CVE: CVE-2025-15467
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e0666f72294691a808443970b654412a6d92fa0f]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ test/cmsapitest.c                             | 39 ++++++++++++++++++-
+ test/recipes/80-test_cmsapi.t                 |  3 +-
+ .../encDataWithTooLongIV.pem                  | 11 ++++++
+ 3 files changed, 50 insertions(+), 3 deletions(-)
+ create mode 100644 test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
+
+diff --git a/test/cmsapitest.c b/test/cmsapitest.c
+index 5839eb7..ab412d3 100644
+--- a/test/cmsapitest.c
++++ b/test/cmsapitest.c
+@@ -9,10 +9,10 @@
+ 
+ #include <string.h>
+ 
++#include <openssl/pem.h>
+ #include <openssl/cms.h>
+ #include <openssl/bio.h>
+ #include <openssl/x509.h>
+-#include <openssl/pem.h>
+ #include "../crypto/cms/cms_local.h" /* for d.signedData and d.envelopedData */
+ 
+ #include "testutil.h"
+@@ -20,6 +20,7 @@
+ static X509 *cert = NULL;
+ static EVP_PKEY *privkey = NULL;
+ static char *derin = NULL;
++static char *too_long_iv_cms_in = NULL;
+ 
+ static int test_encrypt_decrypt(const EVP_CIPHER *cipher)
+ {
+@@ -382,6 +383,38 @@ end:
+     return ret;
+ }
+ 
++static int test_cms_aesgcm_iv_too_long(void)
++{
++    int ret = 0;
++    BIO *cmsbio = NULL, *out = NULL;
++    CMS_ContentInfo *cms = NULL;
++    unsigned long err = 0;
++
++    if (!TEST_ptr(cmsbio = BIO_new_file(too_long_iv_cms_in, "r")))
++        goto end;
++
++    if (!TEST_ptr(cms = PEM_read_bio_CMS(cmsbio, NULL, NULL, NULL)))
++        goto end;
++
++    /* Must fail cleanly (no crash) */
++    if (!TEST_false(CMS_decrypt(cms, privkey, cert, NULL, out, 0)))
++        goto end;
++    err = ERR_peek_last_error();
++    if (!TEST_ulong_ne(err, 0))
++        goto end;
++    if (!TEST_int_eq(ERR_GET_LIB(err), ERR_LIB_CMS))
++        goto end;
++    if (!TEST_int_eq(ERR_GET_REASON(err), CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR))
++        goto end;
++
++    ret = 1;
++end:
++    CMS_ContentInfo_free(cms);
++    BIO_free(cmsbio);
++    BIO_free(out);
++    return ret;
++}
++
+ OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n")
+ 
+ int setup_tests(void)
+@@ -396,7 +429,8 @@ int setup_tests(void)
+ 
+     if (!TEST_ptr(certin = test_get_argument(0))
+             || !TEST_ptr(privkeyin = test_get_argument(1))
+-            || !TEST_ptr(derin = test_get_argument(2)))
++            || !TEST_ptr(derin = test_get_argument(2))
++            || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3)))
+         return 0;
+ 
+     certbio = BIO_new_file(certin, "r");
+@@ -429,6 +463,7 @@ int setup_tests(void)
+     ADD_TEST(test_CMS_add1_cert);
+     ADD_TEST(test_d2i_CMS_bio_NULL);
+     ADD_ALL_TESTS(test_d2i_CMS_decode, 2);
++    ADD_TEST(test_cms_aesgcm_iv_too_long);
+     return 1;
+ }
+ 
+diff --git a/test/recipes/80-test_cmsapi.t b/test/recipes/80-test_cmsapi.t
+index af00355..182629e 100644
+--- a/test/recipes/80-test_cmsapi.t
++++ b/test/recipes/80-test_cmsapi.t
+@@ -18,5 +18,6 @@ plan tests => 1;
+ 
+ ok(run(test(["cmsapitest", srctop_file("test", "certs", "servercert.pem"),
+              srctop_file("test", "certs", "serverkey.pem"),
+-             srctop_file("test", "recipes", "80-test_cmsapi_data", "encryptedData.der")])),
++             srctop_file("test", "recipes", "80-test_cmsapi_data", "encryptedData.der"),
++             srctop_file("test", "recipes", "80-test_cmsapi_data", "encDataWithTooLongIV.pem")])),
+              "running cmsapitest");
+diff --git a/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem b/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
+new file mode 100644
+index 0000000..4323cd2
+--- /dev/null
++++ b/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
+@@ -0,0 +1,11 @@
++-----BEGIN CMS-----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++-----END CMS-----
+-- 
+2.50.1
+
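Review bot: The patch header of CVE-2025-15467-03.patch has an empty `Subject: [PATCH 3/3] ` line and a `From:` that attributes the test commit to the backporter rather than to the upstream author, so `git am` will record neither the upstream title nor the original authorship even though Upstream-Status names commit e0666f72. The header should be regenerated from the upstream commit, e.g. `Subject: [PATCH] <upstream subject of e0666f72…>` with the upstream `From:` and `Date:` kept, and the `3/3` series numbering dropped since the file is applied on its own. The added test_cms_aesgcm_iv_too_long is otherwise self-contained: it only checks that CMS_decrypt fails with an ERR_LIB_CMS error and frees every handle on the `end:` path.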
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb b/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
index 4756f5aaa6..fac62245d7 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
@@ -13,6 +13,9 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
            file://0001-Added-handshake-history-reporting-when-test-fails.patch \
            file://CVE-2024-41996.patch \
+           file://CVE-2025-15467-01.patch \
+           file://CVE-2025-15467-02.patch \
+           file://CVE-2025-15467-03.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
-- 
2.50.1




* Re: [OE-core] [scarthgap][PATCH] openssl: fix CVE-2025-15467
  2026-01-30  5:43 [scarthgap][PATCH] openssl: fix CVE-2025-15467 Hitendra Prajapati
@ 2026-02-04 16:49 ` Yoann Congal
  2026-02-04 17:11   ` Marko, Peter
  2026-02-19 10:02 ` Yoann Congal
  1 sibling, 1 reply; 5+ messages in thread
From: Yoann Congal @ 2026-02-04 16:49 UTC (permalink / raw)
  To: hprajapati, openembedded-core

On Fri Jan 30, 2026 at 6:43 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Upstream-Status: Backport from https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e && https://github.com/openssl/openssl/commit/cdccf8f2ef17ae020bd69360c43a39306b89c381 && https://github.com/openssl/openssl/commit/e0666f72294691a808443970b654412a6d92fa0f
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
>  .../openssl/openssl/CVE-2025-15467-01.patch   |  40 ++++++
>  .../openssl/openssl/CVE-2025-15467-02.patch   |  65 +++++++++
>  .../openssl/openssl/CVE-2025-15467-03.patch   | 128 ++++++++++++++++++
>  .../openssl/openssl_3.2.6.bb                  |   3 +
>  4 files changed, 236 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch

Hello,

Thanks for the patch.

As far as I can tell, CVE-2025-15467 also impacts whinlatter. Can you
send a fix there too (either the same backport or maybe an upgrade)?

Thanks!
-- 
Yoann Congal
Smile ECS




* RE: [OE-core] [scarthgap][PATCH] openssl: fix CVE-2025-15467
  2026-02-04 16:49 ` [OE-core] " Yoann Congal
@ 2026-02-04 17:11   ` Marko, Peter
  2026-02-04 17:29     ` Yoann Congal
  0 siblings, 1 reply; 5+ messages in thread
From: Marko, Peter @ 2026-02-04 17:11 UTC (permalink / raw)
  To: yoann.congal@smile.fr, hprajapati@mvista.com,
	openembedded-core@lists.openembedded.org

Whinlatter should take openssl upgrade instead of patches.
https://lists.openembedded.org/g/openembedded-core/message/230229
It is now merged to master, so that blocker is gone and it can be taken.

Peter

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Yoann Congal via lists.openembedded.org
Sent: Wednesday, February 4, 2026 17:50
To: hprajapati@mvista.com; openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [scarthgap][PATCH] openssl: fix CVE-2025-15467

On Fri Jan 30, 2026 at 6:43 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Upstream-Status: Backport from https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e && https://github.com/openssl/openssl/commit/cdccf8f2ef17ae020bd69360c43a39306b89c381 && https://github.com/openssl/openssl/commit/e0666f72294691a808443970b654412a6d92fa0f
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
>  .../openssl/openssl/CVE-2025-15467-01.patch   |  40 ++++++
>  .../openssl/openssl/CVE-2025-15467-02.patch   |  65 +++++++++
>  .../openssl/openssl/CVE-2025-15467-03.patch   | 128 ++++++++++++++++++
>  .../openssl/openssl_3.2.6.bb                  |   3 +
>  4 files changed, 236 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch

Hello,

Thanks for the patch.

As far as I can tell, CVE-2025-15467 does also impact whinlatter. Can you
send a fix there (either by then backport or maybe an upgrade?)

Thanks!
-- 
Yoann Congal
Smile ECS



* Re: [OE-core] [scarthgap][PATCH] openssl: fix CVE-2025-15467
  2026-02-04 17:11   ` Marko, Peter
@ 2026-02-04 17:29     ` Yoann Congal
  0 siblings, 0 replies; 5+ messages in thread
From: Yoann Congal @ 2026-02-04 17:29 UTC (permalink / raw)
  To: Marko, Peter, hprajapati@mvista.com,
	openembedded-core@lists.openembedded.org

On Wed Feb 4, 2026 at 6:11 PM CET, Peter Marko wrote:
> Whinlatter should take openssl upgrade instead of patches.
> https://lists.openembedded.org/g/openembedded-core/message/230229
> It is now merged to master so that blocked is gone and it can be taken.
>
> Peter

Yes. Thanks Peter.

I will take that patch for the next whinlatter cycle and then take
those scarthgap openssl backports.


> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Yoann Congal via lists.openembedded.org
> Sent: Wednesday, February 4, 2026 17:50
> To: hprajapati@mvista.com; openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [scarthgap][PATCH] openssl: fix CVE-2025-15467
>
> On Fri Jan 30, 2026 at 6:43 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
>> Upstream-Status: Backport from https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e && https://github.com/openssl/openssl/commit/cdccf8f2ef17ae020bd69360c43a39306b89c381 && https://github.com/openssl/openssl/commit/e0666f72294691a808443970b654412a6d92fa0f
>>
>> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
>> ---
>>  .../openssl/openssl/CVE-2025-15467-01.patch   |  40 ++++++
>>  .../openssl/openssl/CVE-2025-15467-02.patch   |  65 +++++++++
>>  .../openssl/openssl/CVE-2025-15467-03.patch   | 128 ++++++++++++++++++
>>  .../openssl/openssl_3.2.6.bb                  |   3 +
>>  4 files changed, 236 insertions(+)
>>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch
>>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch
>>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch
>
> Hello,
>
> Thanks for the patch.
>
> As far as I can tell, CVE-2025-15467 does also impact whinlatter. Can you
> send a fix there (either by then backport or maybe an upgrade?)
>
> Thanks!


-- 
Yoann Congal
Smile ECS




* Re: [OE-core] [scarthgap][PATCH] openssl: fix CVE-2025-15467
  2026-01-30  5:43 [scarthgap][PATCH] openssl: fix CVE-2025-15467 Hitendra Prajapati
  2026-02-04 16:49 ` [OE-core] " Yoann Congal
@ 2026-02-19 10:02 ` Yoann Congal
  1 sibling, 0 replies; 5+ messages in thread
From: Yoann Congal @ 2026-02-19 10:02 UTC (permalink / raw)
  To: hprajapati, openembedded-core

Hello,

On Fri Jan 30, 2026 at 6:43 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Upstream-Status: Backport from https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e && https://github.com/openssl/openssl/commit/cdccf8f2ef17ae020bd69360c43a39306b89c381 && https://github.com/openssl/openssl/commit/e0666f72294691a808443970b654412a6d92fa0f

The Upstream-Status line is only useful in patches, not in commit
message body.

Can you add a justification as to why this patch does fix the CVE? (This
applies generally to all CVE patches). In this case, something like:
Backport patch from NVD report: https://nvd.nist.gov/vuln/detail/CVE-2025-15467

>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
>  .../openssl/openssl/CVE-2025-15467-01.patch   |  40 ++++++
>  .../openssl/openssl/CVE-2025-15467-02.patch   |  65 +++++++++
>  .../openssl/openssl/CVE-2025-15467-03.patch   | 128 ++++++++++++++++++
>  .../openssl/openssl_3.2.6.bb                  |   3 +
>  4 files changed, 236 insertions(+)
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch
>  create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch
> new file mode 100644
> index 0000000000..55809d4c03
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-01.patch
> @@ -0,0 +1,40 @@
> +From ce39170276daec87f55c39dad1f629b56344429e Mon Sep 17 00:00:00 2001
> +From: Igor Ustinov <igus68@gmail.com>
> +Date: Mon, 12 Jan 2026 12:19:59 +0100
> +Subject: [PATCH] Correct handling of AEAD-encrypted CMS with inadmissibly long
> + IV
> +
> +Fixes CVE-2025-15467
> +
> +Reviewed-by: Norbert Pocs <norbertp@openssl.org>
> +Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
> +Reviewed-by: Tomas Mraz <tomas@openssl.org>
> +MergeDate: Mon Jan 26 19:34:29 2026
> +
> +CVE: CVE-2025-15467
> +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/ce39170276daec87f55c39dad1f629b56344429e]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + crypto/evp/evp_lib.c | 5 ++---
> + 1 file changed, 2 insertions(+), 3 deletions(-)
> +
> +diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
> +index f29d592..df38677 100644
> +--- a/crypto/evp/evp_lib.c
> ++++ b/crypto/evp/evp_lib.c
> +@@ -249,10 +249,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
> +     if (type == NULL || asn1_params == NULL)
> +         return 0;
> + 
> +-    i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH);
> +-    if (i <= 0)
> ++    i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH);
> ++    if (i <= 0 || i > EVP_MAX_IV_LENGTH)
> +         return -1;
> +-    ossl_asn1_type_get_octetstring_int(type, &tl, iv, i);
> + 
> +     memcpy(asn1_params->iv, iv, i);
> +     asn1_params->iv_len = i;
> +-- 
> +2.50.1
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch
> new file mode 100644
> index 0000000000..52557bcaab
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-02.patch
> @@ -0,0 +1,65 @@
> +From cdccf8f2ef17ae020bd69360c43a39306b89c381 Mon Sep 17 00:00:00 2001
> +From: Igor Ustinov <igus68@gmail.com>
> +Date: Mon, 12 Jan 2026 12:21:21 +0100
> +Subject: [PATCH] Some comments to clarify functions usage

Why do you backport a patch adding comments only?

> +
> +Reviewed-by: Norbert Pocs <norbertp@openssl.org>
> +Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
> +Reviewed-by: Tomas Mraz <tomas@openssl.org>
> +MergeDate: Mon Jan 26 19:34:31 2026
> +
> +CVE: CVE-2025-15467
> +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/cdccf8f2ef17ae020bd69360c43a39306b89c381]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + crypto/asn1/evp_asn1.c | 20 ++++++++++++++++++++
> + 1 file changed, 20 insertions(+)
> +
> +diff --git a/crypto/asn1/evp_asn1.c b/crypto/asn1/evp_asn1.c
> +index 13d8ed3..6aca011 100644
> +--- a/crypto/asn1/evp_asn1.c
> ++++ b/crypto/asn1/evp_asn1.c
> +@@ -60,6 +60,12 @@ static ossl_inline void asn1_type_init_oct(ASN1_OCTET_STRING *oct,
> +     oct->flags = 0;
> + }
> + 
> ++/*
> ++ * This function copies 'anum' to 'num' and the data of 'oct' to 'data'.
> ++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
> ++ * bytes, but returns the full length of 'oct'; this allows distinguishing
> ++ * whether all the data was copied.
> ++ */
> + static int asn1_type_get_int_oct(ASN1_OCTET_STRING *oct, int32_t anum,
> +                                  long *num, unsigned char *data, int max_len)
> + {
> +@@ -106,6 +112,13 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
> +     return 0;
> + }
> + 
> ++/*
> ++ * This function decodes an int-octet sequence and copies the integer to 'num'
> ++ * and the data of octet to 'data'.
> ++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
> ++ * bytes, but returns the full length of 'oct'; this allows distinguishing
> ++ * whether all the data was copied.
> ++ */
> + int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num,
> +                                   unsigned char *data, int max_len)
> + {
> +@@ -162,6 +175,13 @@ int ossl_asn1_type_set_octetstring_int(ASN1_TYPE *a, long num,
> +     return 0;
> + }
> + 
> ++/*
> ++ * This function decodes an octet-int sequence and copies the data of octet
> ++ * to 'data' and the integer to 'num'.
> ++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
> ++ * bytes, but returns the full length of 'oct'; this allows distinguishing
> ++ * whether all the data was copied.
> ++ */
> + int ossl_asn1_type_get_octetstring_int(const ASN1_TYPE *a, long *num,
> +                                        unsigned char *data, int max_len)
> + {
> +-- 
> +2.50.1
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch
> new file mode 100644
> index 0000000000..8a2923d8fd
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15467-03.patch
> @@ -0,0 +1,128 @@
> +From 31bf9ffbba8dce368cd2e47fbc77bdeee92a0699 Mon Sep 17 00:00:00 2001
> +From: Hitendra Prajapati <hprajapati@mvista.com>
> +Date: Fri, 30 Jan 2026 10:32:18 +0530
> +Subject: [PATCH 3/3] 
> +
> +CVE: CVE-2025-15467
> +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e0666f72294691a808443970b654412a6d92fa0f]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + test/cmsapitest.c                             | 39 ++++++++++++++++++-
> + test/recipes/80-test_cmsapi.t                 |  3 +-
> + .../encDataWithTooLongIV.pem                  | 11 ++++++
> + 3 files changed, 50 insertions(+), 3 deletions(-)
> + create mode 100644 test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
> +
> +diff --git a/test/cmsapitest.c b/test/cmsapitest.c
> +index 5839eb7..ab412d3 100644
> +--- a/test/cmsapitest.c
> ++++ b/test/cmsapitest.c
> +@@ -9,10 +9,10 @@
> + 
> + #include <string.h>
> + 
> ++#include <openssl/pem.h>
> + #include <openssl/cms.h>
> + #include <openssl/bio.h>
> + #include <openssl/x509.h>
> +-#include <openssl/pem.h>
> + #include "../crypto/cms/cms_local.h" /* for d.signedData and d.envelopedData */
> + 
> + #include "testutil.h"
> +@@ -20,6 +20,7 @@
> + static X509 *cert = NULL;
> + static EVP_PKEY *privkey = NULL;
> + static char *derin = NULL;
> ++static char *too_long_iv_cms_in = NULL;
> + 
> + static int test_encrypt_decrypt(const EVP_CIPHER *cipher)
> + {
> +@@ -382,6 +383,38 @@ end:
> +     return ret;
> + }
> + 
> ++static int test_cms_aesgcm_iv_too_long(void)
> ++{
> ++    int ret = 0;
> ++    BIO *cmsbio = NULL, *out = NULL;
> ++    CMS_ContentInfo *cms = NULL;
> ++    unsigned long err = 0;
> ++
> ++    if (!TEST_ptr(cmsbio = BIO_new_file(too_long_iv_cms_in, "r")))
> ++        goto end;
> ++
> ++    if (!TEST_ptr(cms = PEM_read_bio_CMS(cmsbio, NULL, NULL, NULL)))
> ++        goto end;
> ++
> ++    /* Must fail cleanly (no crash) */
> ++    if (!TEST_false(CMS_decrypt(cms, privkey, cert, NULL, out, 0)))
> ++        goto end;
> ++    err = ERR_peek_last_error();
> ++    if (!TEST_ulong_ne(err, 0))
> ++        goto end;
> ++    if (!TEST_int_eq(ERR_GET_LIB(err), ERR_LIB_CMS))
> ++        goto end;
> ++    if (!TEST_int_eq(ERR_GET_REASON(err), CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR))
> ++        goto end;
> ++
> ++    ret = 1;
> ++end:
> ++    CMS_ContentInfo_free(cms);
> ++    BIO_free(cmsbio);
> ++    BIO_free(out);
> ++    return ret;
> ++}
> ++
> + OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n")
> + 
> + int setup_tests(void)
> +@@ -396,7 +429,8 @@ int setup_tests(void)
> + 
> +     if (!TEST_ptr(certin = test_get_argument(0))
> +             || !TEST_ptr(privkeyin = test_get_argument(1))
> +-            || !TEST_ptr(derin = test_get_argument(2)))
> ++            || !TEST_ptr(derin = test_get_argument(2))
> ++            || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3)))
> +         return 0;
> + 
> +     certbio = BIO_new_file(certin, "r");
> +@@ -429,6 +463,7 @@ int setup_tests(void)
> +     ADD_TEST(test_CMS_add1_cert);
> +     ADD_TEST(test_d2i_CMS_bio_NULL);
> +     ADD_ALL_TESTS(test_d2i_CMS_decode, 2);
> ++    ADD_TEST(test_cms_aesgcm_iv_too_long);
> +     return 1;
> + }
> + 
> +diff --git a/test/recipes/80-test_cmsapi.t b/test/recipes/80-test_cmsapi.t
> +index af00355..182629e 100644
> +--- a/test/recipes/80-test_cmsapi.t
> ++++ b/test/recipes/80-test_cmsapi.t
> +@@ -18,5 +18,6 @@ plan tests => 1;
> + 
> + ok(run(test(["cmsapitest", srctop_file("test", "certs", "servercert.pem"),
> +              srctop_file("test", "certs", "serverkey.pem"),
> +-             srctop_file("test", "recipes", "80-test_cmsapi_data", "encryptedData.der")])),
> ++             srctop_file("test", "recipes", "80-test_cmsapi_data", "encryptedData.der"),
> ++             srctop_file("test", "recipes", "80-test_cmsapi_data", "encDataWithTooLongIV.pem")])),
> +              "running cmsapitest");
> +diff --git a/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem b/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
> +new file mode 100644
> +index 0000000..4323cd2
> +--- /dev/null
> ++++ b/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
> +@@ -0,0 +1,11 @@
> ++-----BEGIN CMS-----
> ++MIIBmgYLKoZIhvcNAQkQARegggGJMIIBhQIBADGCATMwggEvAgEAMBcwEjEQMA4G
> ++A1UEAwwHUm9vdCBDQQIBAjANBgkqhkiG9w0BAQEFAASCAQC8ZqP1OqbletcUre1V
> ++b4XOobZzQr6wKMSsdjtGzVbZowUVv5DkOn9VOefrpg4HxMq/oi8IpzVYj8ZiKRMV
> ++NTJ+/d8FwwBwUUNNP/IDnfEpX+rT1+pGS5zAa7NenLoZgGBNjPy5I2OHP23fPnEd
> ++sm8YkFjzubkhAD1lod9pEOEqB3V2kTrTTiwzSNtMHggna1zPox6TkdZwFmMnp8d2
> ++CVa6lIPGx26gFwCuIDSaavmQ2URJ615L8gAvpYUlpsDqjFsabWsbaOFbMz3bIGJu
> ++GkrX2ezX7CpuC1wjix26ojlTySJHv+L0IrpcaIzLlC5lB1rqtuija8dGm3rBNm/P
> ++AAUNMDcGCSqGSIb3DQEHATAjBglghkgBZQMEAQYwFgQRzxwoRQzOHVooVn3CpaWl
> ++paUCARCABUNdolo6BBA55E9hYaYO2S8C/ZnD8dRO
> ++-----END CMS-----
> +-- 
> +2.50.1
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb b/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> index 4756f5aaa6..fac62245d7 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> @@ -13,6 +13,9 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
>             file://0001-Configure-do-not-tweak-mips-cflags.patch \
>             file://0001-Added-handshake-history-reporting-when-test-fails.patch \
>             file://CVE-2024-41996.patch \
> +           file://CVE-2025-15467-01.patch \
> +           file://CVE-2025-15467-02.patch \
> +           file://CVE-2025-15467-03.patch \
>             "
>  
>  SRC_URI:append:class-nativesdk = " \


Can you send a v2 with the above comments fixed?
Thanks!
-- 
Yoann Congal
Smile ECS



