azurelinux-security · azurelinux-security · Jun 16, 2026
diff --git a/SPECS/edk2/CVE-2026-34180.patch b/SPECS/edk2/CVE-2026-34180.patch
@@ -0,0 +1,98 @@
+From da6e2ea4962191178d6571b66f880942f31e8301 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Fri, 15 May 2026 04:19:32 +1000
+Subject: [PATCH] Avoid length truncation in ASN1_STRING_set
+
+The ASN1_STRING_set() function takes an `int` length, make sure the
+argument is not inadvertently truncated when it is called from
+asn1_ex_c2i().
+
+Fixes CVE-2026-34180
+
+Reviewed-by: Norbert Pocs <norbertp@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
+MergeDate: Mon Jun  8 14:16:40 2026
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: https://github.com/openssl/openssl/commit/cbe418ae978539cf14a398a207dba834c0e93e83.patch
+---
+ .../OpensslLib/openssl/crypto/asn1/tasn_dec.c | 24 +++++++++++++------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/tasn_dec.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/tasn_dec.c
+index 1119808..50a1582 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/tasn_dec.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/tasn_dec.c
+@@ -59,7 +59,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
+                                  const ASN1_ITEM *it,
+                                  int tag, int aclass, char opt,
+                                  ASN1_TLC *ctx);
+-static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
++static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len,
+                        int utype, char *free_cont, const ASN1_ITEM *it);
+
+ /* Table to convert tags to bit values, used for MSTRING type */
+@@ -828,19 +828,24 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
+
+ /* Translate ASN1 content octets into a structure */
+
+-static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
++static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len,
+                        int utype, char *free_cont, const ASN1_ITEM *it)
+ {
+     ASN1_VALUE **opval = NULL;
+     ASN1_STRING *stmp;
+     ASN1_TYPE *typ = NULL;
+     int ret = 0;
++    int ilen = (int)len;
+     const ASN1_PRIMITIVE_FUNCS *pf;
+     ASN1_INTEGER **tint;
+     pf = it->funcs;
+
+-    if (pf && pf->prim_c2i)
+-        return pf->prim_c2i(pval, cont, len, utype, free_cont, it);
++    if (pf && pf->prim_c2i) {
++        if (len == (long)ilen)
++            return pf->prim_c2i(pval, cont, ilen, utype, free_cont, it);
++        ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
++        return 0;
++    }
+     /* If ANY type clear type and set pointer to internal value */
+     if (it->utype == V_ASN1_ANY) {
+         if (*pval == NULL) {
+@@ -858,7 +863,8 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
+     }
+     switch (utype) {
+     case V_ASN1_OBJECT:
+-        if (!ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len))
++        if (len != (long)ilen
++            || !ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, ilen))
+             goto err;
+         break;
+
+@@ -913,6 +919,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
+     case V_ASN1_SET:
+     case V_ASN1_SEQUENCE:
+     default:
++        if (len != (long)ilen) {
++            ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
++            goto err;
++        }
+         if (utype == V_ASN1_BMPSTRING && (len & 1)) {
+             ERR_raise(ERR_LIB_ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
+             goto err;
+@@ -937,10 +947,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
+         if (*free_cont) {
+             OPENSSL_free(stmp->data);
+             stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */
+-            stmp->length = len;
++            stmp->length = ilen;
+             *free_cont = 0;
+         } else {
+-            if (!ASN1_STRING_set(stmp, cont, len)) {
++            if (!ASN1_STRING_set(stmp, cont, ilen)) {
+                 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
+                 ASN1_STRING_free(stmp);
+                 *pval = NULL;
+-- 
+2.45.4
+
diff --git a/SPECS/edk2/CVE-2026-42767.patch b/SPECS/edk2/CVE-2026-42767.patch
@@ -0,0 +1,56 @@
+From 5815825cc82f7f2fb94eecac3ff9db81908f61a8 Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus@openssl.foundation>
+Date: Mon, 11 May 2026 16:29:47 +0200
+Subject: [PATCH] Fix potential NULL dereference in
+ OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert()
+
+Check that 'parameter' != NULL before dereferencing in
+OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert().
+
+Fixes CVE-2026-42767
+
+Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
+
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Milan Broz <mbroz@openssl.org>
+MergeDate: Mon Jun  8 20:40:47 2026
+(cherry picked from commit 665d5254083affde9982efca7c41dd01cacc8774)
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: https://github.com/openssl/openssl/commit/61a86a8cd73546c9fea916f3d304c1293e05c046.patch
+---
+ .../Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c
+index 8b42e43..1b3c936 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c
+@@ -617,6 +617,7 @@ X509
+     EVP_CIPHER *cipher = NULL; /* used cipher */
+     int cikeysize = 0; /* key size from cipher */
+     unsigned char *iv = NULL; /* initial vector for symmetric encryption */
++    int iv_len; /* iv length */
+     unsigned char *outbuf = NULL; /* decryption output buffer */
+     const unsigned char *p = NULL; /* needed for decoding ASN1 */
+     int n, outlen = 0;
+@@ -670,11 +671,13 @@ X509
+     } else {
+         goto end;
+     }
+-    if ((iv = OPENSSL_malloc(EVP_CIPHER_get_iv_length(cipher))) == NULL)
++
++    iv_len = EVP_CIPHER_get_iv_length(cipher);
++    if ((iv = OPENSSL_malloc(iv_len)) == NULL)
+         goto end;
+-    if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv,
+-                                  EVP_CIPHER_get_iv_length(cipher))
+-        != EVP_CIPHER_get_iv_length(cipher)) {
++    if (ecert->symmAlg->parameter == NULL
++        || ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv, iv_len)
++            != iv_len) {
+         ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV);
+         goto end;
+     }
+-- 
+2.45.4
+
diff --git a/SPECS/edk2/CVE-2026-45445.patch b/SPECS/edk2/CVE-2026-45445.patch
@@ -0,0 +1,60 @@
+From 8c2d640cbd1eb977b52a34720ac6269dc620ad79 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Mon, 18 May 2026 18:09:44 +1000
+Subject: [PATCH] Apply the buffered IV on the AES-OCB EVP_Cipher() path
+
+aes_ocb_cipher(), the OCB provider's OSSL_FUNC_CIPHER_CIPHER slot,
+processed input without flushing the buffered IV into the OCB
+context.  Effective nonce was 0 regardless of the caller's IV;
+EVP_*Final_ex() then emitted a tag depending only on (key, iv).
+This gave (key, nonce) reuse and single-query universal forgery on
+the EVP_Cipher() path.
+
+Apply update_iv() at the head of aes_ocb_cipher() to mirror the
+streaming handler.  The matching GCM one-shot does this already.
+
+Add a cross-driver round-trip test for AES-{GCM,CCM,OCB} and
+ChaCha20-Poly1305 in CryptoPkg/Library/OpensslLib/openssl/test/evp_extra_test.c.  Each cipher is
+exercised with and without AAD; the no-AAD case is needed because
+any prior EVP_CipherUpdate(NULL, aad, ...) routes through the
+streaming handler and applies the IV itself, masking the bug.
+
+Fixes CVE-2026-45445
+
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
+MergeDate: Mon Jun  8 20:02:00 2026
+(cherry picked from commit 50c95c5d1e83f4f46a555dfa7fd9c632d3eba9dc)
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: https://github.com/openssl/openssl/commit/323f0b6e7d530a4cb4336d50c88cb70f3ac2a451.patch
+---
+ .../implementations/ciphers/cipher_aes_ocb.c        | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/providers/implementations/ciphers/cipher_aes_ocb.c b/CryptoPkg/Library/OpensslLib/openssl/providers/implementations/ciphers/cipher_aes_ocb.c
+index ce377ad..78ff071 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/providers/implementations/ciphers/cipher_aes_ocb.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/providers/implementations/ciphers/cipher_aes_ocb.c
+@@ -507,6 +507,19 @@ static int aes_ocb_cipher(void *vctx, unsigned char *out, size_t *outl,
+         return 0;
+     }
+
++    /*
++     * Mirror the streaming handler: refuse if the key has not been set,
++     * and push the buffered IV into the OCB context before any data is
++     * processed.  Without this, CRYPTO_ocb128_encrypt/decrypt runs with
++     * Offset_0 = 0 regardless of the caller's IV -- catastrophic
++     * (key, nonce) reuse, and a subsequent EVP_*Final_ex() emits a tag
++     * that is a function of (key, iv) only.
++     */
++    if (!ctx->key_set || !update_iv(ctx)) {
++        ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
++        return 0;
++    }
++
+     if (!aes_generic_ocb_cipher(ctx, in, out, inl)) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED);
+         return 0;
+-- 
+2.45.4
+
diff --git a/SPECS/edk2/CVE-2026-45447.patch b/SPECS/edk2/CVE-2026-45447.patch
@@ -0,0 +1,60 @@
+From 59e0a8e93af534f341b22150ad380423428a8445 Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus@openssl.foundation>
+Date: Sat, 16 May 2026 08:16:23 +0200
+Subject: [PATCH 1/2] Fix possible use-after-free in OpenSSL PKCS7_verify()
+
+Fixes CVE-2026-45447
+
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Norbert Pocs <norbertp@openssl.org>
+MergeDate: Mon Jun  8 20:32:32 2026
+---
+ .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_smime.c  | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_smime.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_smime.c
+index 4593da8..f197e99 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_smime.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_smime.c
+@@ -222,6 +222,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+     int i, j = 0, k, ret = 0;
+     BIO *p7bio = NULL;
+     BIO *tmpin = NULL, *tmpout = NULL;
++    BIO *next = NULL;
+     const PKCS7_CTX *p7_ctx;
+
+     if (p7 == NULL) {
+@@ -370,11 +371,11 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+  err:
+     X509_STORE_CTX_free(cert_ctx);
+     OPENSSL_free(buf);
+-    if (tmpin == indata) {
+-        if (indata)
+-            BIO_pop(p7bio);
++    while (p7bio != NULL && p7bio != indata) {
++        next = BIO_pop(p7bio);
++        BIO_free(p7bio);
++        p7bio = next;
+     }
+-    BIO_free_all(p7bio);
+     sk_X509_free(signers);
+     return ret;
+ }
+-- 
+2.45.4
+
+
+From 0bdb8f6ae5aa042d4c586bd994044add20b90fed Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus@openssl.foundation>
+Date: Sat, 16 May 2026 08:22:53 +0200
+Subject: [PATCH 2/2] Test for CVE-2026-45447 (UAF in PKCS7_verify)
+
+The test data were created with a tool developed by
+Thai Duong <thai@calif.io>.
+
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Norbert Pocs <norbertp@openssl.org>
+MergeDate: Mon Jun  8 20:32:33 2026
+-- 
+2.45.4
+
diff --git a/SPECS/edk2/CVE-2026-9076.patch b/SPECS/edk2/CVE-2026-9076.patch
@@ -0,0 +1,62 @@
+From de82f13d449cda46431cd8fc562647e2b266b540 Mon Sep 17 00:00:00 2001
+From: Nikola Pajkovsky <nikolap@openssl.org>
+Date: Thu, 21 May 2026 11:53:09 +0200
+Subject: [PATCH] cms: kek_unwrap_key: Fix out-of-bounds read in check-byte
+ validation
+
+the check-byte test in kek_unwrap_key() reads tmp[1] through tmp[6]
+unconditionally, so the decrypted buffer must hold at least seven
+octets. The pre-decryption size check enforces inlen >= 2 * blocklen,
+which yields the required seven octets only when blocklen >= 4. For
+a KEK cipher with a smaller block size, inlen can be as small as
+2 * blocklen and the check-byte read overruns the inlen-sized tmp
+allocation.
+
+Reject blocklen < 4 in the early sanity check. All block ciphers
+appropriate for CMS PasswordRecipientInfo key wrapping have a block
+size of at least 8 octets (DES/3DES = 8, AES = 16), so this only
+forbids ciphers that would not be valid KEK choices anyway, and the
+existing inlen >= 2 * blocklen check then guarantees the seven-octet
+lower bound the check-byte test relies on.
+
+Fixes CVE-2026-9076
+Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
+
+Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
+Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
+MergeDate: Mon Jun  8 14:11:44 2026
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: https://github.com/openssl/openssl/commit/eecbe330977e8d023aae1ca2d9bdbe983ef3fdc6.patch
+---
+ .../Library/OpensslLib/openssl/crypto/cms/cms_pwri.c   | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
+index 6b507c3..2b8e5ae 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
+@@ -190,14 +190,18 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
+                           const unsigned char *in, size_t inlen,
+                           EVP_CIPHER_CTX *ctx)
+ {
+-    size_t blocklen = EVP_CIPHER_CTX_get_block_size(ctx);
++    int blocklen = EVP_CIPHER_CTX_get_block_size(ctx);
+     unsigned char *tmp;
+     int outl, rv = 0;
+-    if (inlen < 2 * blocklen) {
++
++    if (blocklen < 4)
++        return 0;
++
++    if (inlen < 2 * (size_t)blocklen) {
+         /* too small */
+         return 0;
+     }
+-    if (inlen % blocklen) {
++    if (inlen > INT_MAX || inlen % blocklen) {
+         /* Invalid size */
+         return 0;
+     }
+-- 
+2.45.4
+
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec
@@ -56,7 +56,7 @@ Distribution:   Azure Linux
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    17%{?dist}
+Release:    18%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain
 URL:        https://www.tianocore.org
@@ -152,6 +152,11 @@ Patch1014: CVE-2026-22796.patch
 Patch1015: CVE-2025-69419.patch
 Patch1016: CVE-2026-28389.patch
 Patch1017: CVE-2026-28390.patch
+Patch1018: CVE-2026-34180.patch
+Patch1019: CVE-2026-42767.patch
+Patch1020: CVE-2026-45445.patch
+Patch1021: CVE-2026-45447.patch
+Patch1022: CVE-2026-9076.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -799,6 +804,9 @@ done
 %endif
 
 %changelog
+* Tue Jun 16 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20240524git3e722403cd16-18
+- Patch for CVE-2026-9076, CVE-2026-45447, CVE-2026-45445, CVE-2026-42767, CVE-2026-34180
+
 * Wed May 06 2026 Sumedh Sharma <sumsharma@microsoft.com> - 20240524git3e722403cd16-17
 - Enable build_aarch64 to build arm64 firmware bins
 - Disable OVMF compilation on aarch64 hosts due to missing cross gcc-x86_64-linux-gnu