libcoap: patch CVE-2025-59391

Details https://nvd.nist.gov/vuln/detail/CVE-2025-59391

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-59391.patch

@@ -0,0 +1,88 @@
+From 947bead23940cacf081f93c3e29f540e3e867b7b Mon Sep 17 00:00:00 2001
+From: Jon Shallow <supjps-libcoap@jpshallow.com>
+Date: Thu, 4 Sep 2025 13:26:06 +0100
+Subject: [PATCH] OSCORE: Fix OSCORE configuration file parsing issue
+
+With a large boolean parameter value, (longer than "false"), memory
+would be read past the "true" or "false" string boundaries in the ".rodata"
+section when doing a memcmp(), potetially causing the application to crash
+when calling coap_new_oscore_conf() with a specially crafted configuration
+file.
+
+It also can provide a mechanism to determine the byte values following the
+"true" or "false" string boundaries which could lead to accessing sensitive
+information. The standard libcoap library does not have defined keys or
+certificates. This can only be done by a specially crafted local application.
+
+Discovered by SecMate (https://secmate.dev).
+
+Now fixed.
+
+CVE: CVE-2025-59391
+Upstream-Status: Backport [https://github.com/obgm/libcoap/commit/da534de75edd1b3628a28908d30b0efbaa01be09]
+(cherry picked from commit da534de75edd1b3628a28908d30b0efbaa01be09)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/coap_oscore.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/coap_oscore.c b/src/coap_oscore.c
+index 2d7dd6d0..723b5ef5 100644
+--- a/src/coap_oscore.c
++++ b/src/coap_oscore.c
+@@ -1675,6 +1675,7 @@ get_split_entry(const char **start,
+   const char *kend;
+   const char *split;
+   size_t i;
++  size_t len;
+ 
+ retry:
+   kend = end = memchr(begin, '\n', size);
+@@ -1751,9 +1752,10 @@ retry:
+     value->u.value_str.length = end - begin;
+     break;
+   case COAP_ENC_BOOL:
+-    if (memcmp("true", begin, end - begin) == 0)
++    len = (size_t)(end - begin);
++    if (len == 4 && memcmp("true", begin, len) == 0)
+       value->u.value_int = 1;
+-    else if (memcmp("false", begin, end - begin) == 0)
++    else if (len == 5 && memcmp("false", begin, len) == 0)
+       value->u.value_int = 0;
+     else
+       goto bad_entry;
+@@ -1768,7 +1770,7 @@ bad_entry:
+   coap_log_warn("oscore_conf: Unrecognized configuration entry '%.*s'\n",
+                 (int)(end - begin),
+                 begin);
+-  return 0;
++  return -1;
+ }
+ 
+ #undef CONFIG_ENTRY
+@@ -1840,6 +1842,7 @@ coap_parse_oscore_conf_mem(coap_str_const_t conf_mem) {
+   coap_str_const_t keyword;
+   oscore_value_t value;
+   coap_oscore_conf_t *oscore_conf;
++  int split_ok = -1;
+ 
+   oscore_conf = coap_malloc_type(COAP_STRING, sizeof(coap_oscore_conf_t));
+   if (oscore_conf == NULL)
+@@ -1858,7 +1861,7 @@ coap_parse_oscore_conf_mem(coap_str_const_t conf_mem) {
+   oscore_conf->break_recipient_key = 0;
+ 
+   while (end > start &&
+-         get_split_entry(&start, end - start, &keyword, &value)) {
++         (split_ok = get_split_entry(&start, end - start, &keyword, &value)) > 0) {
+     size_t i;
+     size_t j;
+ 
+@@ -1944,6 +1947,8 @@ coap_parse_oscore_conf_mem(coap_str_const_t conf_mem) {
+       goto error;
+     }
+   }
++  if (split_ok == -1)
++    goto error;
+   if (!oscore_conf->master_secret) {
+     coap_log_warn("oscore_conf: master_secret not defined\n");
+     goto error;

meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb

@@ -11,6 +11,7 @@ SRC_URI = "git://github.com/obgm/libcoap.git;branch=main;protocol=https \
            file://run-ptest \
            file://CVE-2024-0962.patch \
            file://CVE-2024-31031.patch \
+           file://CVE-2025-59391.patch \
            "
 SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615"