From b7180060eb8a1da2731a74c9b66ea1a3050143cd Mon Sep 17 00:00:00 2001
From: Gyorgy Sarvari
Date: Wed, 24 Dec 2025 13:53:26 +0100
Subject: [PATCH] wolfssl: patch CVE-2025-7395

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395

Backport the patches from the PR[1] that is referenced by the project's changelog[2] to fix this issue.

[1]: https://github.com/wolfSSL/wolfssl/pull/8833
[2]: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Anuj Mittal
---
 .../wolfssl/files/CVE-2025-7395-1.patch | 84 +++++++++++++++++++
 .../wolfssl/files/CVE-2025-7395-2.patch | 27 ++++++
 .../wolfssl/files/CVE-2025-7395-3.patch | 25 ++++++
 .../wolfssl/wolfssl_5.7.2.bb | 10 ++-
 4 files changed, 142 insertions(+), 4 deletions(-)
 create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
 create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
 create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch

diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
new file mode 100644
index 0000000000..9c661d6b57
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
@@ -0,0 +1,84 @@
+From e6c0d1ac7b480c0b5e36f660dd3c0f2b45e4c3ab Mon Sep 17 00:00:00 2001
+From: Ruby Martin
+Date: Mon, 2 Jun 2025 16:38:32 -0600
+Subject: [PATCH] create policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION,
+ domain name checking
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9864959e41bd9259f258c09171ae2ec1c43fbc7f]
+Signed-off-by: Gyorgy Sarvari
+---
+ src/internal.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 6bbd38fa8..2b090382f 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -221,7 +221,7 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
+ #include
+ #include
+ #include
+-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
++static int DoAppleNativeCertValidation(WOLFSSL* ssl, const WOLFSSL_BUFFER_INFO* certs,
+ int totalCerts);
+ #endif /* #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
+ 
+@@ -15992,7 +15992,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+ * into wolfSSL, try to validate against the system certificates
+ * using Apple's native trust APIs */
+ if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
+- if (DoAppleNativeCertValidation(args->certs,
++ if (DoAppleNativeCertValidation(ssl, args->certs,
+ args->totalCerts)) {
+ WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
+ ret = 0;
+@@ -41246,7 +41246,8 @@ cleanup:
+ * wolfSSL's built-in certificate validation mechanisms anymore. We instead
+ * must call into the Security Framework APIs to authenticate peer certificates
+ */
+-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
++static int DoAppleNativeCertValidation(WOLFSSL* ssl,
++ const WOLFSSL_BUFFER_INFO* certs,
+ int totalCerts)
+ {
+ int i;
+@@ -41255,7 +41256,8 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
+ CFMutableArrayRef certArray = NULL;
+ SecCertificateRef secCert = NULL;
+ SecTrustRef trust = NULL;
+- SecPolicyRef policy = NULL ;
++ SecPolicyRef policy = NULL;
++ CFStringRef hostname = NULL;
+ 
+ WOLFSSL_ENTER("DoAppleNativeCertValidation");
+ 
+@@ -41283,7 +41285,17 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
+ }
+ 
+ /* Create trust object for SecCertifiate Ref */
+- policy = SecPolicyCreateSSL(true, NULL);
++ if (ssl->buffers.domainName.buffer &&
++ ssl->buffers.domainName.length > 0) {
++ /* Create policy with specified value to require host name match */
++ hostname = CFStringCreateWithCString(kCFAllocatorDefault,
++ (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);
++ }
++ if (hostname != NULL) {
++ policy = SecPolicyCreateSSL(true, hostname);
++ } else {
++ policy = SecPolicyCreateSSL(true, NULL);
++ }
+ status = SecTrustCreateWithCertificates(certArray, policy, &trust);
+ if (status != errSecSuccess) {
+ WOLFSSL_MSG_EX("Error creating trust object, "
+@@ -41314,6 +41326,9 @@ cleanup:
+ if (policy) {
+ CFRelease(policy);
+ }
++ if (hostname) {
++ CFRelease(hostname);
++ }
+ 
+ WOLFSSL_LEAVE("DoAppleNativeCertValidation", ret);
+ 
diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
new file mode 100644
index 0000000000..857f6bb367
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
@@ -0,0 +1,27 @@
+From aad4e7c38f3784942923f4871d61a7e41d3de842 Mon Sep 17 00:00:00 2001
+From: Brett
+Date: Wed, 4 Jun 2025 15:48:15 -0600
+Subject: [PATCH] prevent apple native cert validation from overriding error
+ codes other than ASN_NO_SIGNER_E
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/bc8eeea703253bd65d472a9541b54fef326e8050]
+Signed-off-by: Gyorgy Sarvari
+---
+ src/internal.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 2b090382f..79f584a0a 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -15991,7 +15991,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+ /* If we can't validate the peer cert chain against the CAs loaded
+ * into wolfSSL, try to validate against the system certificates
+ * using Apple's native trust APIs */
+- if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
++ if ((ret == ASN_NO_SIGNER_E) &&
++ (ssl->ctx->doAppleNativeCertValidationFlag)) {
+ if (DoAppleNativeCertValidation(ssl, args->certs,
+ args->totalCerts)) {
+ WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch
new file mode 100644
index 0000000000..a7e1c336f3
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch
@@ -0,0 +1,25 @@
+From f2a85e37e552d8dfafa2cbf32507b2fa545ee593 Mon Sep 17 00:00:00 2001
+From: Brett
+Date: Wed, 4 Jun 2025 16:56:16 -0600
+Subject: [PATCH] add missing error trace macro
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/0e2a3fd0b64bc6ba633aa9227e92ecacb42b5b1b]
+Signed-off-by: Gyorgy Sarvari
+---
+ src/internal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 79f584a0a..5557b5698 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -15991,7 +15991,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+ /* If we can't validate the peer cert chain against the CAs loaded
+ * into wolfSSL, try to validate against the system certificates
+ * using Apple's native trust APIs */
+- if ((ret == ASN_NO_SIGNER_E) &&
++ if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
+ (ssl->ctx->doAppleNativeCertValidationFlag)) {
+ if (DoAppleNativeCertValidation(ssl, args->certs,
+ args->totalCerts)) {
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
index 8f484d6098..5e66c8b186 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
@@ -12,10 +12,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
 PROVIDES += "cyassl"
 RPROVIDES:${PN} = "cyassl"
 
-SRC_URI = " \
- git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
- file://run-ptest \
-"
+SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
+ file://run-ptest \
+ file://CVE-2025-7395-1.patch \
+ file://CVE-2025-7395-2.patch \
+ file://CVE-2025-7395-3.patch \
+ "
 SRCREV = "00e42151ca061463ba6a95adb2290f678cbca472"
 S = "${WORKDIR}/git"
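Review bot: In the new policy-creation block of DoAppleNativeCertValidation, a configured domain name whose `CFStringCreateWithCString` call returns NULL (non-UTF-8 bytes, allocation failure) falls through the `else` branch to `SecPolicyCreateSSL(true, NULL)`, so the chain is evaluated with no host name requirement at all — exactly the gap this patch is meant to close, just on a rarer path. Inside the `if (ssl->buffers.domainName.buffer && ...)` block a NULL result should fail closed, e.g. `if (hostname == NULL) { WOLFSSL_MSG("Failed to create hostname string"); goto cleanup; }`, leaving `ret` at its failure value (the call site treats a zero return as failure; `ret`'s initialisation is outside the hunk, so confirm it starts as failure). The `(const char*)ssl->buffers.domainName.buffer` cast also presumes that buffer is NUL-terminated, which is worth checking against where `domainName` is stored. Since the whole region sits under `#if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)` (see the `#endif` context), the patched code is presumably never compiled for this layer's Linux targets; one sentence saying so in the commit message would save the next CVE triage the same investigation.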
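Review bot: The SRC_URI hunk also reflows the existing lines (the git URI moves onto the opening line and the continuation indentation changes), which is a cosmetic change bundled into a CVE backport and makes the diff larger than the three `file://CVE-2025-7395-*.patch` additions it actually needs. Keeping the original layout and inserting only the three new lines after `file://run-ptest \` would keep the fix minimal and easier to cherry-pick onto other branches. The order of the three patches matters, since -2 and -3 each modify the line introduced by the previous one, and the order given here is the correct one.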