From a09ebf65a085eb6aec42fa484bd5915521b757ac Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Tue, 16 Jun 2026 05:42:58 +0000 Subject: [PATCH] Patch edk2 for CVE-2026-9076, CVE-2026-45447, CVE-2026-45445, CVE-2026-42767, CVE-2026-34180 --- SPECS/edk2/CVE-2026-34180.patch | 98 +++++++++++++++++++++++++++++++++ SPECS/edk2/CVE-2026-42767.patch | 56 +++++++++++++++++++ SPECS/edk2/CVE-2026-45445.patch | 60 ++++++++++++++++++++ SPECS/edk2/CVE-2026-45447.patch | 60 ++++++++++++++++++++ SPECS/edk2/CVE-2026-9076.patch | 62 +++++++++++++++++++++ SPECS/edk2/edk2.spec | 10 +++- 6 files changed, 345 insertions(+), 1 deletion(-) create mode 100644 SPECS/edk2/CVE-2026-34180.patch create mode 100644 SPECS/edk2/CVE-2026-42767.patch create mode 100644 SPECS/edk2/CVE-2026-45445.patch create mode 100644 SPECS/edk2/CVE-2026-45447.patch create mode 100644 SPECS/edk2/CVE-2026-9076.patch diff --git a/SPECS/edk2/CVE-2026-34180.patch b/SPECS/edk2/CVE-2026-34180.patch new file mode 100644 index 00000000000..65df72a4fc3 --- /dev/null +++ b/SPECS/edk2/CVE-2026-34180.patch @@ -0,0 +1,98 @@ +From da6e2ea4962191178d6571b66f880942f31e8301 Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Fri, 15 May 2026 04:19:32 +1000 +Subject: [PATCH] Avoid length truncation in ASN1_STRING_set + +The ASN1_STRING_set() function takes an `int` length, make sure the +argument is not inadvertently truncated when it is called from +asn1_ex_c2i(). + +Fixes CVE-2026-34180 + +Reviewed-by: Norbert Pocs +Reviewed-by: Tomas Mraz +MergeDate: Mon Jun 8 14:16:40 2026 +Signed-off-by: rpm-build +Upstream-reference: https://github.com/openssl/openssl/commit/cbe418ae978539cf14a398a207dba834c0e93e83.patch +--- + .../OpensslLib/openssl/crypto/asn1/tasn_dec.c | 24 +++++++++++++------ + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/tasn_dec.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/tasn_dec.c +index 1119808..50a1582 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/tasn_dec.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/tasn_dec.c +@@ -59,7 +59,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, + const ASN1_ITEM *it, + int tag, int aclass, char opt, + ASN1_TLC *ctx); +-static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, ++static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, + int utype, char *free_cont, const ASN1_ITEM *it); + + /* Table to convert tags to bit values, used for MSTRING type */ +@@ -828,19 +828,24 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, + + /* Translate ASN1 content octets into a structure */ + +-static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, ++static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, + int utype, char *free_cont, const ASN1_ITEM *it) + { + ASN1_VALUE **opval = NULL; + ASN1_STRING *stmp; + ASN1_TYPE *typ = NULL; + int ret = 0; ++ int ilen = (int)len; + const ASN1_PRIMITIVE_FUNCS *pf; + ASN1_INTEGER **tint; + pf = it->funcs; + +- if (pf && pf->prim_c2i) +- return pf->prim_c2i(pval, cont, len, utype, free_cont, it); ++ if (pf && pf->prim_c2i) { ++ if (len == (long)ilen) ++ return pf->prim_c2i(pval, cont, ilen, utype, free_cont, it); ++ ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); ++ return 0; ++ } + /* If ANY type clear type and set pointer to internal value */ + if (it->utype == V_ASN1_ANY) { + if (*pval == NULL) { +@@ -858,7 +863,8 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, + } + switch (utype) { + case V_ASN1_OBJECT: +- if (!ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) ++ if (len != (long)ilen ++ || !ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, ilen)) + goto err; + break; + +@@ -913,6 +919,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, + case V_ASN1_SET: + case V_ASN1_SEQUENCE: + default: ++ if (len != (long)ilen) { ++ ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); ++ goto err; ++ } + if (utype == V_ASN1_BMPSTRING && (len & 1)) { + ERR_raise(ERR_LIB_ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH); + goto err; +@@ -937,10 +947,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, + if (*free_cont) { + OPENSSL_free(stmp->data); + stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ +- stmp->length = len; ++ stmp->length = ilen; + *free_cont = 0; + } else { +- if (!ASN1_STRING_set(stmp, cont, len)) { ++ if (!ASN1_STRING_set(stmp, cont, ilen)) { + ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); + ASN1_STRING_free(stmp); + *pval = NULL; +-- +2.45.4 + diff --git a/SPECS/edk2/CVE-2026-42767.patch b/SPECS/edk2/CVE-2026-42767.patch new file mode 100644 index 00000000000..58c47f591e3 --- /dev/null +++ b/SPECS/edk2/CVE-2026-42767.patch @@ -0,0 +1,56 @@ +From 5815825cc82f7f2fb94eecac3ff9db81908f61a8 Mon Sep 17 00:00:00 2001 +From: Igor Ustinov +Date: Mon, 11 May 2026 16:29:47 +0200 +Subject: [PATCH] Fix potential NULL dereference in + OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() + +Check that 'parameter' != NULL before dereferencing in +OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(). + +Fixes CVE-2026-42767 + +Co-authored-by: Tomas Mraz + +Reviewed-by: Eugene Syromiatnikov +Reviewed-by: Milan Broz +MergeDate: Mon Jun 8 20:40:47 2026 +(cherry picked from commit 665d5254083affde9982efca7c41dd01cacc8774) +Signed-off-by: rpm-build +Upstream-reference: https://github.com/openssl/openssl/commit/61a86a8cd73546c9fea916f3d304c1293e05c046.patch +--- + .../Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c +index 8b42e43..1b3c936 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c +@@ -617,6 +617,7 @@ X509 + EVP_CIPHER *cipher = NULL; /* used cipher */ + int cikeysize = 0; /* key size from cipher */ + unsigned char *iv = NULL; /* initial vector for symmetric encryption */ ++ int iv_len; /* iv length */ + unsigned char *outbuf = NULL; /* decryption output buffer */ + const unsigned char *p = NULL; /* needed for decoding ASN1 */ + int n, outlen = 0; +@@ -670,11 +671,13 @@ X509 + } else { + goto end; + } +- if ((iv = OPENSSL_malloc(EVP_CIPHER_get_iv_length(cipher))) == NULL) ++ ++ iv_len = EVP_CIPHER_get_iv_length(cipher); ++ if ((iv = OPENSSL_malloc(iv_len)) == NULL) + goto end; +- if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv, +- EVP_CIPHER_get_iv_length(cipher)) +- != EVP_CIPHER_get_iv_length(cipher)) { ++ if (ecert->symmAlg->parameter == NULL ++ || ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv, iv_len) ++ != iv_len) { + ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV); + goto end; + } +-- +2.45.4 + diff --git a/SPECS/edk2/CVE-2026-45445.patch b/SPECS/edk2/CVE-2026-45445.patch new file mode 100644 index 00000000000..7632e704637 --- /dev/null +++ b/SPECS/edk2/CVE-2026-45445.patch @@ -0,0 +1,60 @@ +From 8c2d640cbd1eb977b52a34720ac6269dc620ad79 Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Mon, 18 May 2026 18:09:44 +1000 +Subject: [PATCH] Apply the buffered IV on the AES-OCB EVP_Cipher() path + +aes_ocb_cipher(), the OCB provider's OSSL_FUNC_CIPHER_CIPHER slot, +processed input without flushing the buffered IV into the OCB +context. Effective nonce was 0 regardless of the caller's IV; +EVP_*Final_ex() then emitted a tag depending only on (key, iv). +This gave (key, nonce) reuse and single-query universal forgery on +the EVP_Cipher() path. + +Apply update_iv() at the head of aes_ocb_cipher() to mirror the +streaming handler. The matching GCM one-shot does this already. + +Add a cross-driver round-trip test for AES-{GCM,CCM,OCB} and +ChaCha20-Poly1305 in CryptoPkg/Library/OpensslLib/openssl/test/evp_extra_test.c. Each cipher is +exercised with and without AAD; the no-AAD case is needed because +any prior EVP_CipherUpdate(NULL, aad, ...) routes through the +streaming handler and applies the IV itself, masking the bug. + +Fixes CVE-2026-45445 + +Reviewed-by: Eugene Syromiatnikov +Reviewed-by: Tomas Mraz +MergeDate: Mon Jun 8 20:02:00 2026 +(cherry picked from commit 50c95c5d1e83f4f46a555dfa7fd9c632d3eba9dc) +Signed-off-by: rpm-build +Upstream-reference: https://github.com/openssl/openssl/commit/323f0b6e7d530a4cb4336d50c88cb70f3ac2a451.patch +--- + .../implementations/ciphers/cipher_aes_ocb.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/providers/implementations/ciphers/cipher_aes_ocb.c b/CryptoPkg/Library/OpensslLib/openssl/providers/implementations/ciphers/cipher_aes_ocb.c +index ce377ad..78ff071 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/providers/implementations/ciphers/cipher_aes_ocb.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/providers/implementations/ciphers/cipher_aes_ocb.c +@@ -507,6 +507,19 @@ static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl, + return 0; + } + ++ /* ++ * Mirror the streaming handler: refuse if the key has not been set, ++ * and push the buffered IV into the OCB context before any data is ++ * processed. Without this, CRYPTO_ocb128_encrypt/decrypt runs with ++ * Offset_0 = 0 regardless of the caller's IV -- catastrophic ++ * (key, nonce) reuse, and a subsequent EVP_*Final_ex() emits a tag ++ * that is a function of (key, iv) only. ++ */ ++ if (!ctx->key_set || !update_iv(ctx)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); ++ return 0; ++ } ++ + if (!aes_generic_ocb_cipher(ctx, in, out, inl)) { + ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); + return 0; +-- +2.45.4 + diff --git a/SPECS/edk2/CVE-2026-45447.patch b/SPECS/edk2/CVE-2026-45447.patch new file mode 100644 index 00000000000..103224ad992 --- /dev/null +++ b/SPECS/edk2/CVE-2026-45447.patch @@ -0,0 +1,60 @@ +From 59e0a8e93af534f341b22150ad380423428a8445 Mon Sep 17 00:00:00 2001 +From: Igor Ustinov +Date: Sat, 16 May 2026 08:16:23 +0200 +Subject: [PATCH 1/2] Fix possible use-after-free in OpenSSL PKCS7_verify() + +Fixes CVE-2026-45447 + +Reviewed-by: Eugene Syromiatnikov +Reviewed-by: Norbert Pocs +MergeDate: Mon Jun 8 20:32:32 2026 +--- + .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_smime.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_smime.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_smime.c +index 4593da8..f197e99 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_smime.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_smime.c +@@ -222,6 +222,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, + int i, j = 0, k, ret = 0; + BIO *p7bio = NULL; + BIO *tmpin = NULL, *tmpout = NULL; ++ BIO *next = NULL; + const PKCS7_CTX *p7_ctx; + + if (p7 == NULL) { +@@ -370,11 +371,11 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, + err: + X509_STORE_CTX_free(cert_ctx); + OPENSSL_free(buf); +- if (tmpin == indata) { +- if (indata) +- BIO_pop(p7bio); ++ while (p7bio != NULL && p7bio != indata) { ++ next = BIO_pop(p7bio); ++ BIO_free(p7bio); ++ p7bio = next; + } +- BIO_free_all(p7bio); + sk_X509_free(signers); + return ret; + } +-- +2.45.4 + + +From 0bdb8f6ae5aa042d4c586bd994044add20b90fed Mon Sep 17 00:00:00 2001 +From: Igor Ustinov +Date: Sat, 16 May 2026 08:22:53 +0200 +Subject: [PATCH 2/2] Test for CVE-2026-45447 (UAF in PKCS7_verify) + +The test data were created with a tool developed by +Thai Duong . + +Reviewed-by: Eugene Syromiatnikov +Reviewed-by: Norbert Pocs +MergeDate: Mon Jun 8 20:32:33 2026 +-- +2.45.4 + diff --git a/SPECS/edk2/CVE-2026-9076.patch b/SPECS/edk2/CVE-2026-9076.patch new file mode 100644 index 00000000000..2886e6b4d39 --- /dev/null +++ b/SPECS/edk2/CVE-2026-9076.patch @@ -0,0 +1,62 @@ +From de82f13d449cda46431cd8fc562647e2b266b540 Mon Sep 17 00:00:00 2001 +From: Nikola Pajkovsky +Date: Thu, 21 May 2026 11:53:09 +0200 +Subject: [PATCH] cms: kek_unwrap_key: Fix out-of-bounds read in check-byte + validation + +the check-byte test in kek_unwrap_key() reads tmp[1] through tmp[6] +unconditionally, so the decrypted buffer must hold at least seven +octets. The pre-decryption size check enforces inlen >= 2 * blocklen, +which yields the required seven octets only when blocklen >= 4. For +a KEK cipher with a smaller block size, inlen can be as small as +2 * blocklen and the check-byte read overruns the inlen-sized tmp +allocation. + +Reject blocklen < 4 in the early sanity check. All block ciphers +appropriate for CMS PasswordRecipientInfo key wrapping have a block +size of at least 8 octets (DES/3DES = 8, AES = 16), so this only +forbids ciphers that would not be valid KEK choices anyway, and the +existing inlen >= 2 * blocklen check then guarantees the seven-octet +lower bound the check-byte test relies on. + +Fixes CVE-2026-9076 +Signed-off-by: Nikola Pajkovsky + +Reviewed-by: Daniel Kubec +Reviewed-by: Tomas Mraz +MergeDate: Mon Jun 8 14:11:44 2026 +Signed-off-by: rpm-build +Upstream-reference: https://github.com/openssl/openssl/commit/eecbe330977e8d023aae1ca2d9bdbe983ef3fdc6.patch +--- + .../Library/OpensslLib/openssl/crypto/cms/cms_pwri.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c +index 6b507c3..2b8e5ae 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c +@@ -190,14 +190,18 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, + const unsigned char *in, size_t inlen, + EVP_CIPHER_CTX *ctx) + { +- size_t blocklen = EVP_CIPHER_CTX_get_block_size(ctx); ++ int blocklen = EVP_CIPHER_CTX_get_block_size(ctx); + unsigned char *tmp; + int outl, rv = 0; +- if (inlen < 2 * blocklen) { ++ ++ if (blocklen < 4) ++ return 0; ++ ++ if (inlen < 2 * (size_t)blocklen) { + /* too small */ + return 0; + } +- if (inlen % blocklen) { ++ if (inlen > INT_MAX || inlen % blocklen) { + /* Invalid size */ + return 0; + } +-- +2.45.4 + diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec index 3f2dfe618ca..2403ac9058f 100644 --- a/SPECS/edk2/edk2.spec +++ b/SPECS/edk2/edk2.spec @@ -56,7 +56,7 @@ Distribution: Azure Linux Name: edk2 Version: %{GITDATE}git%{GITCOMMIT} -Release: 17%{?dist} +Release: 18%{?dist} Summary: UEFI firmware for 64-bit virtual machines License: Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain URL: https://www.tianocore.org @@ -152,6 +152,11 @@ Patch1014: CVE-2026-22796.patch Patch1015: CVE-2025-69419.patch Patch1016: CVE-2026-28389.patch Patch1017: CVE-2026-28390.patch +Patch1018: CVE-2026-34180.patch +Patch1019: CVE-2026-42767.patch +Patch1020: CVE-2026-45445.patch +Patch1021: CVE-2026-45447.patch +Patch1022: CVE-2026-9076.patch # python3-devel and libuuid-devel are required for building tools. # python3-devel is also needed for varstore template generation and @@ -799,6 +804,9 @@ done %endif %changelog +* Tue Jun 16 2026 Azure Linux Security Servicing Account - 20240524git3e722403cd16-18 +- Patch for CVE-2026-9076, CVE-2026-45447, CVE-2026-45445, CVE-2026-42767, CVE-2026-34180 + * Wed May 06 2026 Sumedh Sharma - 20240524git3e722403cd16-17 - Enable build_aarch64 to build arm64 firmware bins - Disable OVMF compilation on aarch64 hosts due to missing cross gcc-x86_64-linux-gnu