From 63e57181e63961ed3501a55756b2ee1e239c5733 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Fri, 13 Feb 2026 00:12:07 +0530
Subject: [PATCH 1/3] [AutoPR- Security] Patch edk2 for CVE-2026-22795, CVE-2025-69421, CVE-2025-69419, CVE-2025-69420 [HIGH] (#15763)
Co-authored-by: BinduSri-6522866
Co-authored-by: jslobodzian
(cherry picked from commit f9c0b4eeeaddd5bd8ce0d082a2b5204bfd58da5a)
---
 SPECS/edk2/CVE-2025-69419.patch | 49 +++++++++++++++++++++
 SPECS/edk2/CVE-2025-69420.patch | 37 ++++++++++++++++
 SPECS/edk2/CVE-2025-69421.patch | 36 +++++++++++++++
 SPECS/edk2/CVE-2026-22795.patch | 77 +++++++++++++++++++++++++++++++++
 SPECS/edk2/edk2.spec | 12 +++++
 5 files changed, 211 insertions(+)
 create mode 100644 SPECS/edk2/CVE-2025-69419.patch
 create mode 100644 SPECS/edk2/CVE-2025-69420.patch
 create mode 100644 SPECS/edk2/CVE-2025-69421.patch
 create mode 100644 SPECS/edk2/CVE-2026-22795.patch
diff --git a/SPECS/edk2/CVE-2025-69419.patch b/SPECS/edk2/CVE-2025-69419.patch
new file mode 100644
index 00000000000..da4a793dbb5
--- /dev/null
+++ b/SPECS/edk2/CVE-2025-69419.patch
@@ -0,0 +1,49 @@
+From 56d62202357855589885daaa4deb5b97c635a250 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 9 Feb 2026 09:14:39 +0000
+Subject: [PATCH] Check return code of UTF8_putc in a_strex.c and p12_utl.c;
+ handle failures gracefully (backport)
+
+Signed-off-by: rpm-build
+Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296.patch
+---
+ CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c | 6 ++++--
+ .../Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c | 5 +++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c
+index 4879b33..b852e06 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c
+@@ -203,8 +203,10 @@ static int do_buf(unsigned char *buf, int buflen,
+ orflags = CHARTYPE_LAST_ESC_2253;
+ if (type & BUF_TYPE_CONVUTF8) {
+ unsigned char utfbuf[6];
+- int utflen;
+- utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
++ int utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
++
++ if (utflen < 0)
++ return -1; /* error happened with UTF8 */
+ for (i = 0; i < utflen; i++) {
+ /*
+ * We don't need to worry about setting orflags correctly
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c
+index 43b9e3a..4998fcc 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c
+@@ -207,6 +207,11 @@ char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen)
+ /* re-run the loop emitting UTF-8 string */
+ for (asclen = 0, i = 0; i < unilen; ) {
+ j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i);
++ /* when UTF8_putc fails */
++ if (j < 0) {
++ OPENSSL_free(asctmp);
++ return NULL;
++ }
+ if (j == 4) i += 4;
+ else i += 2;
+ asclen += j;
+-- 
+2.45.4
+
diff --git a/SPECS/edk2/CVE-2025-69420.patch b/SPECS/edk2/CVE-2025-69420.patch
new file mode 100644
index 00000000000..72cfd86797c
--- /dev/null
+++ b/SPECS/edk2/CVE-2025-69420.patch
@@ -0,0 +1,37 @@
+From 3268f491a18d4567460ebc7e284ce2da9778bf18 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 9 Feb 2026 09:13:29 +0000
+Subject: [PATCH] Verify ASN1 object's types before accessing sequence in
+ ess_get_signing_cert/v2 to avoid invalid type access.
+
+Signed-off-by: rpm-build
+Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/ea8fc4c345fbd749048809c9f7c881ea656b0b94.patch
+---
+ .../Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c
+index c2e7abd..156958c 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c
+@@ -262,7 +262,7 @@ static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si)
+ ASN1_TYPE *attr;
+ const unsigned char *p;
+ attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
+- if (!attr)
++ if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+ return NULL;
+ p = attr->value.sequence->data;
+ return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
+@@ -274,7 +274,7 @@ static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si)
+ const unsigned char *p;
+
+ attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
+- if (attr == NULL)
++ if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+ return NULL;
+ p = attr->value.sequence->data;
+ return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
+-- 
+2.45.4
+
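Review bot: The new `j < 0` check in OPENSSL_uni2utf8 covers only the second, emitting loop; the first loop that computes `asclen` for the OPENSSL_malloc size sits above the hunk and must reject the same bmp_to_utf8 failure, otherwise a negative `j` is folded into the allocation size before this guard runs — confirm that loop in this tree already returns NULL on `j < 0`, since the Upstream-reference line marks this as an adapted backport rather than the upstream patch applied verbatim. In do_buf the added `return -1` is only a fix if every caller treats a negative return as failure rather than as a length; do_buf and its callers continue outside the hunk and should be checked once for that. A comment on the new check, `/* bmp_to_utf8 propagates UTF8_putc's -1 on conversion failure */`, would make the contract explicit for the next backport.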
diff --git a/SPECS/edk2/CVE-2025-69421.patch b/SPECS/edk2/CVE-2025-69421.patch
new file mode 100644
index 00000000000..8fe570b79a3
--- /dev/null
+++ b/SPECS/edk2/CVE-2025-69421.patch
@@ -0,0 +1,36 @@
+From 3a1e9f9341230d304e7ce341c651188bd6af93f8 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 9 Feb 2026 09:13:55 +0000
+Subject: [PATCH] PKCS12_item_decrypt_d2i_ex(): Check oct argument for NULL
+
+Fixes CVE-2025-69421
+
+(cherry picked from commit 2c13bf15286328641a805eb3b7c97e27d42881fb)
+
+Backport: This tree lacks PKCS12_item_decrypt_d2i_ex and ERR_raise, so we add the NULL check in PKCS12_item_decrypt_d2i and report ERR_R_PASSED_NULL_PARAMETER via PKCS12err.
+Signed-off-by: rpm-build
+Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/2c13bf15286328641a805eb3b7c97e27d42881fb.patch
+---
+ .../Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c
+index 3c86058..bb9491c 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c
+@@ -88,6 +88,12 @@ void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it,
+ void *ret;
+ int outlen;
+
++
++ if (oct == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I, ERR_R_PASSED_NULL_PARAMETER);
++ return NULL;
++ }
++
+ if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
+ &out, &outlen, 0)) {
+ PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
+-- 
+2.45.4
+
diff --git a/SPECS/edk2/CVE-2026-22795.patch b/SPECS/edk2/CVE-2026-22795.patch
new file mode 100644
index 00000000000..db35cf1b2bc
--- /dev/null
+++ b/SPECS/edk2/CVE-2026-22795.patch
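Review bot: The inserted block in PKCS12_item_decrypt_d2i leaves two consecutive blank lines between `int outlen;` and the new `if (oct == NULL) {` guard, because the hunk adds a blank line immediately after the existing one; drop the first added blank so the spacing matches the single blank line the surrounding declarations already use. The guard itself is right to come before the first `oct->data` dereference, and reporting `ERR_R_PASSED_NULL_PARAMETER` through `PKCS12err` with the existing `PKCS12_F_PKCS12_ITEM_DECRYPT_D2I` function code is the correct 1.1.1-style substitute for `ERR_raise`, as the Backport note says. The rest of the function continues outside the hunk.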
@@ -0,0 +1,77 @@
+From 1bef0f0a772f6b8229d1bcc85187a076394aa468 Mon Sep 17 00:00:00 2001
+From: Bob Beck
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Ensure ASN1 types are checked before use.
+
+Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8
+this fix includes the other fixes in that commit, as well as fixes for others found by a scan
+for a similar unvalidated access paradigm in the tree.
+
+Reviewed-by: Kurt Roeckx
+Reviewed-by: Shane Lontis
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/29582)
+
+Signed-off-by: rpm-build
+Upstream-reference: https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49.patch
+---
+ CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c | 3 ++-
+ .../OpensslLib/openssl/crypto/pkcs12/p12_kiss.c | 10 ++++++++--
+ .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c | 2 ++
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
+index 83b3fc9..99f7eb0 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
+@@ -2688,8 +2688,9 @@ int s_client_main(int argc, char **argv)
+ goto end;
+ }
+ atyp = ASN1_generate_nconf(genstr, cnf);
+- if (atyp == NULL) {
++ if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
+ NCONF_free(cnf);
++ ASN1_TYPE_free(atyp);
+ BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
+ goto end;
+ }
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
+index 7ab9838..d90404d 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
+@@ -183,11 +183,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int 
passlen,
+ ASN1_BMPSTRING *fname = NULL;
+ ASN1_OCTET_STRING *lkid = NULL;
+
+- if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
++ if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
++ if (attrib->type != V_ASN1_BMPSTRING)
++ return 0;
+ fname = attrib->value.bmpstring;
++ }
+
+- if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
++ if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
++ if (attrib->type != V_ASN1_OCTET_STRING)
++ return 0;
+ lkid = attrib->value.octet_string;
++ }
+
+ switch (PKCS12_SAFEBAG_get_nid(bag)) {
+ case NID_keyBag:
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+index f63fbc5..4e0eb1e 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+@@ -1092,6 +1092,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+ ASN1_TYPE *astype;
+ if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
+ return NULL;
++ if (astype->type != V_ASN1_OCTET_STRING)
++ return NULL;
+ return astype->value.octet_string;
+ }
+
+-- 
+2.45.4
+
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec
index c915b225543..a539f76291f 100644
--- a/SPECS/edk2/edk2.spec
+++ b/SPECS/edk2/edk2.spec
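Review bot: This patch carries the upstream commit message, which describes type checks at "others found by a scan" across the tree, yet its diffstat covers only s_client.c, p12_kiss.c and pk7_doit.c; if the upstream patch touches further files that also exist in this vendored 1.1.1 tree, those hunks were dropped without a note, and the Upstream-reference/Backport trailer should say why (function absent, or already guarded), otherwise the CVE is only partially closed here. In parse_bag the new `return 0` on a friendlyName or localKeyID attribute of the wrong ASN.1 type rejects the whole bag rather than ignoring the attribute (leaving `fname`/`lkid` NULL); that is the stricter and safer choice, but it is a visible behaviour change for malformed PKCS#12 input and deserves one sentence in the patch description, and parse_bag continues past the hunk. The `ASN1_TYPE_free(atyp)` added to the s_client.c error path is needed for the new non-NULL mistyped case and is a no-op when `atyp` is NULL, so the two conditions can share the branch as written.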
@@ -135,9 +135,16 @@ Patch1005: vendored-openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-
 Patch1006: CVE-2022-4304.patch
 Patch1007: CVE-2025-3770.patch
 Patch1008: CVE-2025-2295.patch
+<<<<<<< HEAD
 Patch1009: CVE-2025-68160.patch
 Patch1010: CVE-2025-69418.patch
 Patch1011: CVE-2026-22796.patch
+=======
+Patch1009: CVE-2025-69419.patch
+Patch1010: CVE-2025-69420.patch
+Patch1011: CVE-2025-69421.patch
+Patch1012: CVE-2026-22795.patch
+>>>>>>> f9c0b4eee ([AutoPR- Security] Patch edk2 for CVE-2026-22795, CVE-2025-69421, CVE-2025-69419, CVE-2025-69420 [HIGH] (#15763))
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -721,8 +728,13 @@ $tests_ok
 %changelog
+<<<<<<< HEAD
 * Mon Feb 02 2026 Azure Linux Security Servicing Account - 20230301gitf80f052277c8-46
 - Patch for CVE-2026-22796, CVE-2025-69418, CVE-2025-68160
+=======
+* Mon Feb 09 2026 Azure Linux Security Servicing Account - 20230301gitf80f052277c8-46
+- Patch for CVE-2026-22795, CVE-2025-69421, CVE-2025-69419, CVE-2025-69420
+>>>>>>> f9c0b4eee ([AutoPR- Security] Patch edk2 for CVE-2026-22795, CVE-2025-69421, CVE-2025-69419, CVE-2025-69420 [HIGH] (#15763))
 * Tue Jan 06 2026 Azure Linux Security Servicing Account - 20230301gitf80f052277c8-45
 - Patch for CVE-2025-2295
From c9196f2253301b7dcd7222912f0520e04d834e16 Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Thu, 12 Feb 2026 10:47:10 -0800
Subject: [PATCH 2/3] Conflicts resolved by Auto-Cherry Pick for SPECS/edk2/edk2.spec
---
 SPECS/edk2/edk2.spec | 24 ++++++------------------
 1 file changed, 6 insertions(+), 18 deletions(-)
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec
index a539f76291f..d6d3ae51599 100644
--- a/SPECS/edk2/edk2.spec
+++ b/SPECS/edk2/edk2.spec
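Review bot: Both edk2.spec hunks in this commit add unresolved conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> f9c0b4eee …`) to the spec, so the file does not parse at this commit, and the two halves of the first conflict declare `Patch1009`–`Patch1011` twice with different patch files. The later commits in this series resolve the conflict, but the intermediate commit breaks builds and bisection; squashing the resolution into this commit keeps every commit on the branch buildable. Separately, this commit adds a second `-46` changelog entry without bumping `Release`, which the resolution commit then has to correct.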
@@ -45,7 +45,7 @@ ExclusiveArch: x86_64
 Name: edk2
 Version: %{GITDATE}git%{GITCOMMIT}
-Release: 46%{?dist}
+Release: 47%{?dist}
 Summary: UEFI firmware for 64-bit virtual machines
 License: BSD-2-Clause-Patent and OpenSSL and MIT
 URL: http://www.tianocore.org
@@ -135,19 +135,13 @@ Patch1005: vendored-openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-
 Patch1006: CVE-2022-4304.patch
 Patch1007: CVE-2025-3770.patch
 Patch1008: CVE-2025-2295.patch
-<<<<<<< HEAD
-Patch1009: CVE-2025-68160.patch
-Patch1010: CVE-2025-69418.patch
-Patch1011: CVE-2026-22796.patch
-=======
 Patch1009: CVE-2025-69419.patch
 Patch1010: CVE-2025-69420.patch
 Patch1011: CVE-2025-69421.patch
 Patch1012: CVE-2026-22795.patch
->>>>>>> f9c0b4eee ([AutoPR- Security] Patch edk2 for CVE-2026-22795, CVE-2025-69421, CVE-2025-69419, CVE-2025-69420 [HIGH] (#15763))
-
-# python3-devel and libuuid-devel are required for building tools.
-# python3-devel is also needed for varstore template generation and
+Patch1013: CVE-2025-68160.patch
+Patch1014: CVE-2025-69418.patch
+Patch1015: CVE-2026-22796.patch
 # verification with "ovmf-vars-generator".
 BuildRequires: python3-devel
 BuildRequires: libuuid-devel
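Review bot: The conflict resolution in the `@@ -135` hunk deletes the blank line and the two comment lines `# python3-devel and libuuid-devel are required for building tools.` and `# python3-devel is also needed for varstore template generation and` along with the markers, leaving the surviving `# verification with "ovmf-vars-generator".` as a dangling sentence fragment; restore those three lines between `Patch1015: CVE-2026-22796.patch` and the `# verification` comment. Renumbering the HEAD-side patches to `Patch1013`–`Patch1015` is only safe if `%prep` applies patches with `%autosetup`/`%autopatch`; if it applies them by explicit `%patchNNNN` lines (outside this hunk), those need the same renumbering or the three patches silently stop being applied. The `Release` bump to 47 in the first hunk is consistent with the new -47 changelog entry later in this commit.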
@@ -725,17 +719,11 @@ $tests_ok
 %{_bindir}/UPT
 %dir %{_datadir}/%{name}
 %{_datadir}/%{name}/Python
-
-
 %changelog
-<<<<<<< HEAD
-* Mon Feb 02 2026 Azure Linux Security Servicing Account - 20230301gitf80f052277c8-46
-- Patch for CVE-2026-22796, CVE-2025-69418, CVE-2025-68160
-=======
 * Mon Feb 09 2026 Azure Linux Security Servicing Account - 20230301gitf80f052277c8-46
 - Patch for CVE-2026-22795, CVE-2025-69421, CVE-2025-69419, CVE-2025-69420
->>>>>>> f9c0b4eee ([AutoPR- Security] Patch edk2 for CVE-2026-22795, CVE-2025-69421, CVE-2025-69419, CVE-2025-69420 [HIGH] (#15763))
-
+* Thu Feb 12 2026 Azure Linux Security Servicing Account - 20230301gitf80f052277c8-47
+- Patch for CVE-2026-22796, CVE-2025-69418, CVE-2025-68160
 * Tue Jan 06 2026 Azure Linux Security Servicing Account - 20230301gitf80f052277c8-45
 - Patch for CVE-2025-2295
From 6a408c0008fd83b793d2d3a8b12888d1fc150913 Mon Sep 17 00:00:00 2001
From: jslobodzian
Date: Sun, 15 Feb 2026 12:44:28 -0700
Subject: [PATCH 3/3] Remove duplicate changelog entry for CVE patches
---
 SPECS/edk2/edk2.spec | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec
index d6d3ae51599..436400b0991 100644
--- a/SPECS/edk2/edk2.spec
+++ b/SPECS/edk2/edk2.spec
@@ -720,10 +720,12 @@ $tests_ok
 %dir %{_datadir}/%{name}
 %{_datadir}/%{name}/Python
 %changelog
-* Mon Feb 09 2026 Azure Linux Security Servicing Account - 20230301gitf80f052277c8-46
-- Patch for CVE-2026-22795, CVE-2025-69421, CVE-2025-69419, CVE-2025-69420
 * Thu Feb 12 2026 Azure Linux Security Servicing Account - 20230301gitf80f052277c8-47
 - Patch for CVE-2026-22796, CVE-2025-69418, CVE-2025-68160
+
+* Mon Feb 09 2026 Azure Linux Security Servicing Account - 20230301gitf80f052277c8-46
+- Patch for CVE-2026-22795, CVE-2025-69421, CVE-2025-69419, CVE-2025-69420
+
 * Tue Jan 06 2026 Azure Linux Security Servicing Account - 20230301gitf80f052277c8-45
 - Patch for CVE-2025-2295