Skip to content

[AutoPR- Security] Patch edk2 for CVE-2026-22795 [MEDIUM] #15749

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
azurelinux-security wants to merge 1 commit into from
Closed

[AutoPR- Security] Patch edk2 for CVE-2026-22795 [MEDIUM] #15749

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
77 changes: 77 additions & 0 deletions SPECS/edk2/CVE-2026-22795.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
From 3a7b43217ae244f8ae9647763817faf2a3334bf1 Mon Sep 17 00:00:00 2001
From: Bob Beck <beck@openssl.org>
Date: Wed, 7 Jan 2026 11:29:48 -0700
Subject: [PATCH] Ensure ASN1 types are checked before use.

Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8
this fix includes the other fixes in that commit, as well as fixes for others found by a scan
for a similar unvalidated access paradigm in the tree.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29582)

Signed-off-by: rpm-build <rpm-build>
Upstream-reference: https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49.patch
---
CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c | 3 ++-
.../OpensslLib/openssl/crypto/pkcs12/p12_kiss.c | 10 ++++++++--
.../Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c | 2 ++
3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
index 83b3fc9..99f7eb0 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
@@ -2688,8 +2688,9 @@ int s_client_main(int argc, char **argv)
goto end;
}
atyp = ASN1_generate_nconf(genstr, cnf);
- if (atyp == NULL) {
+ if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
NCONF_free(cnf);
+ ASN1_TYPE_free(atyp);
BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
goto end;
}
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
index 7ab9838..d90404d 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
@@ -183,11 +183,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
ASN1_BMPSTRING *fname = NULL;
ASN1_OCTET_STRING *lkid = NULL;

- if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
+ if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
+ if (attrib->type != V_ASN1_BMPSTRING)
+ return 0;
fname = attrib->value.bmpstring;
+ }

- if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
+ if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
+ if (attrib->type != V_ASN1_OCTET_STRING)
+ return 0;
lkid = attrib->value.octet_string;
+ }

switch (PKCS12_SAFEBAG_get_nid(bag)) {
case NID_keyBag:
diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
index f63fbc5..4e0eb1e 100644
--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
@@ -1092,6 +1092,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
ASN1_TYPE *astype;
if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
return NULL;
+ if (astype->type != V_ASN1_OCTET_STRING)
+ return NULL;
return astype->value.octet_string;
}

--
2.45.4

6 changes: 5 additions & 1 deletion SPECS/edk2/edk2.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ ExclusiveArch: x86_64

Name: edk2
Version: %{GITDATE}git%{GITCOMMIT}
Release: 46%{?dist}
Release: 47%{?dist}
Summary: UEFI firmware for 64-bit virtual machines
License: BSD-2-Clause-Patent and OpenSSL and MIT
URL: http://www.tianocore.org
Expand Down Expand Up @@ -138,6 +138,7 @@ Patch1008: CVE-2025-2295.patch
Patch1009: CVE-2025-68160.patch
Patch1010: CVE-2025-69418.patch
Patch1011: CVE-2026-22796.patch
Patch1012: CVE-2026-22795.patch

# python3-devel and libuuid-devel are required for building tools.
# python3-devel is also needed for varstore template generation and
Expand Down Expand Up @@ -721,6 +722,9 @@ $tests_ok


%changelog
* Fri Feb 06 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20230301gitf80f052277c8-47
- Patch for CVE-2026-22795

* Mon Feb 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20230301gitf80f052277c8-46
- Patch for CVE-2026-22796, CVE-2025-69418, CVE-2025-68160

Expand Down
Loading