From: "Yoann Congal" <yoann.congal@smile.fr>
To: <hprajapati@mvista.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [scarthgap][PATCH] openssl: fix CVE-2025-69419
Date: Thu, 19 Feb 2026 12:17:19 +0100 [thread overview]
Message-ID: <DGIWA7GSISDW.3QYV0Q83SWJWY@smile.fr> (raw)
In-Reply-To: <20260202123511.540058-1-hprajapati@mvista.com>
On Mon Feb 2, 2026 at 1:35 PM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Upstream-Status: Backport from https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296
Same remark as https://lists.openembedded.org/g/openembedded-core/topic/117540534#msg231419
Can you send a V2 with an improved commit message please? Content of the
patch looks good.
Thanks!
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
> .../openssl/openssl/CVE-2025-69419.patch | 61 +++++++++++++++++++
> .../openssl/openssl_3.2.6.bb | 1 +
> 2 files changed, 62 insertions(+)
> create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch
>
> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch
> new file mode 100644
> index 0000000000..dcfdba82ac
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch
> @@ -0,0 +1,61 @@
> +From 41be0f216404f14457bbf3b9cc488dba60b49296 Mon Sep 17 00:00:00 2001
> +From: Norbert Pocs <norbertp@openssl.org>
> +Date: Thu, 11 Dec 2025 12:49:00 +0100
> +Subject: [PATCH] Check return code of UTF8_putc
> +
> +Signed-off-by: Norbert Pocs <norbertp@openssl.org>
> +
> +Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
> +Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
> +(Merged from https://github.com/openssl/openssl/pull/29376)
> +
> +CVE: CVE-2025-69419
> +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + crypto/asn1/a_strex.c | 6 ++++--
> + crypto/pkcs12/p12_utl.c | 11 +++++++++--
> + 2 files changed, 13 insertions(+), 4 deletions(-)
> +
> +diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
> +index f64e352..7d76700 100644
> +--- a/crypto/asn1/a_strex.c
> ++++ b/crypto/asn1/a_strex.c
> +@@ -204,8 +204,10 @@ static int do_buf(unsigned char *buf, int buflen,
> + orflags = CHARTYPE_LAST_ESC_2253;
> + if (type & BUF_TYPE_CONVUTF8) {
> + unsigned char utfbuf[6];
> +- int utflen;
> +- utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
> ++ int utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
> ++
> ++ if (utflen < 0)
> ++ return -1; /* error happened with UTF8 */
> + for (i = 0; i < utflen; i++) {
> + /*
> + * We don't need to worry about setting orflags correctly
> +diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c
> +index a96623f..b109dab 100644
> +--- a/crypto/pkcs12/p12_utl.c
> ++++ b/crypto/pkcs12/p12_utl.c
> +@@ -206,8 +206,15 @@ char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen)
> + /* re-run the loop emitting UTF-8 string */
> + for (asclen = 0, i = 0; i < unilen; ) {
> + j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i);
> +- if (j == 4) i += 4;
> +- else i += 2;
> ++ /* when UTF8_putc fails */
> ++ if (j < 0) {
> ++ OPENSSL_free(asctmp);
> ++ return NULL;
> ++ }
> ++ if (j == 4)
> ++ i += 4;
> ++ else
> ++ i += 2;
> + asclen += j;
> + }
> +
> +--
> +2.50.1
> +
> diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb b/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> index 4fd13d52fe..88fa0285cd 100644
> --- a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
> @@ -17,6 +17,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
> file://CVE-2025-15467-02.patch \
> file://CVE-2025-15467-03.patch \
> file://CVE-2025-15468.patch \
> + file://CVE-2025-69419.patch \
> "
>
> SRC_URI:append:class-nativesdk = " \
--
Yoann Congal
Smile ECS
prev parent reply other threads:[~2026-02-19 11:17 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-02 12:35 [scarthgap][PATCH] openssl: fix CVE-2025-69419 Hitendra Prajapati
2026-02-04 17:06 ` [OE-core] " Yoann Congal
2026-02-19 11:17 ` Yoann Congal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DGIWA7GSISDW.3QYV0Q83SWJWY@smile.fr \
--to=yoann.congal@smile.fr \
--cc=hprajapati@mvista.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox