
Commit edf2bdb

Co-authored-by: Aditya Singh <v-aditysing@microsoft.com>
1 parent 499f4f6 commit edf2bdb

10 files changed

Lines changed: 841 additions & 2 deletions

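--- a/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec
+++ b/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec
@@ -11,7 +11,7 @@
 Summary: Signed HvLoader.efi for %{buildarch} systems
 Name: edk2-hvloader-signed-%{buildarch}
 Version: %{GITDATE}git%{GITCOMMIT}
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -74,6 +74,9 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
+* Tue Jun 16 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20240524git3e722403cd16-18
+- Bump release for consistency with edk2 spec.
+
 * Wed May 06 2026 Sumedh Sharma <sumsharma@microsoft.com> - 20240524git3e722403cd16-17
 - Bump release for consistency with edk2 spec.
 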

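--- a/SPECS/edk2/CVE-2026-34180.patch
+++ b/SPECS/edk2/CVE-2026-34180.patch
@@ -0,0 +1,98 @@
+From 46f78c42e00a4e67419d7860c6075105e45c4ce4 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Fri, 15 May 2026 04:19:32 +1000
+Subject: [PATCH] Avoid length truncation in ASN1_STRING_set
+
+The ASN1_STRING_set() function takes an `int` length, make sure the
+argument is not inadvertently truncated when it is called from
+asn1_ex_c2i().
+
+Fixes CVE-2026-34180
+
+Reviewed-by: Norbert Pocs <norbertp@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
+MergeDate: Mon Jun 8 14:16:40 2026
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: https://github.com/openssl/openssl/commit/cbe418ae978539cf14a398a207dba834c0e93e83.patch
+---
+ .../OpensslLib/openssl/crypto/asn1/tasn_dec.c | 24 +++++++++++++------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/tasn_dec.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/tasn_dec.c
+index 1119808..50a1582 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/tasn_dec.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/tasn_dec.c
+@@ -59,7 +59,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
+                                  const ASN1_ITEM *it,
+                                  int tag, int aclass, char opt,
+                                  ASN1_TLC *ctx);
+-static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
++static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len,
+                        int utype, char *free_cont, const ASN1_ITEM *it);
+ 
+ /* Table to convert tags to bit values, used for MSTRING type */
+@@ -828,19 +828,24 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
+ 
+ /* Translate ASN1 content octets into a structure */
+ 
+-static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
++static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len,
+                        int utype, char *free_cont, const ASN1_ITEM *it)
+ {
+     ASN1_VALUE **opval = NULL;
+     ASN1_STRING *stmp;
+     ASN1_TYPE *typ = NULL;
+     int ret = 0;
++    int ilen = (int)len;
+     const ASN1_PRIMITIVE_FUNCS *pf;
+     ASN1_INTEGER **tint;
+     pf = it->funcs;
+ 
+-    if (pf && pf->prim_c2i)
+-        return pf->prim_c2i(pval, cont, len, utype, free_cont, it);
++    if (pf && pf->prim_c2i) {
++        if (len == (long)ilen)
++            return pf->prim_c2i(pval, cont, ilen, utype, free_cont, it);
++        ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
++        return 0;
++    }
+     /* If ANY type clear type and set pointer to internal value */
+     if (it->utype == V_ASN1_ANY) {
+         if (*pval == NULL) {
+@@ -858,7 +863,8 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
+     }
+     switch (utype) {
+     case V_ASN1_OBJECT:
+-        if (!ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len))
++        if (len != (long)ilen
++            || !ossl_c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, ilen))
+             goto err;
+         break;
+ 
+@@ -913,6 +919,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
+     case V_ASN1_SET:
+     case V_ASN1_SEQUENCE:
+     default:
++        if (len != (long)ilen) {
++            ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG);
++            goto err;
++        }
+         if (utype == V_ASN1_BMPSTRING && (len & 1)) {
+             ERR_raise(ERR_LIB_ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
+             goto err;
+@@ -937,10 +947,10 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
+         if (*free_cont) {
+             OPENSSL_free(stmp->data);
+             stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */
+-            stmp->length = len;
++            stmp->length = ilen;
+             *free_cont = 0;
+         } else {
+-            if (!ASN1_STRING_set(stmp, cont, len)) {
++            if (!ASN1_STRING_set(stmp, cont, ilen)) {
+                 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
+                 ASN1_STRING_free(stmp);
+                 *pval = NULL;
+-- 
+2.45.4
+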
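Review bot: The V_ASN1_OBJECT branch in the `@@ -858,7 +863,8 @@` hunk fails on a truncating length without raising anything, while the two other guards the patch adds to asn1_ex_c2i raise ASN1_R_TOO_LONG before failing, so a caller that inspects the error queue sees nothing for this one case. Unless the backport is deliberately kept byte-identical to the referenced upstream commit, the three guards would be consistent with `if (len != (long)ilen) { ERR_raise(ERR_LIB_ASN1, ASN1_R_TOO_LONG); goto err; }` placed ahead of the existing `ossl_c2i_ASN1_OBJECT()` call. The BMPSTRING odd-length test that follows the new `default:` guard still reads `len`, which is fine since it is only reached once `len == ilen`. asn1_ex_c2i begins and ends outside the hunks shown, so whether the cases between V_ASN1_OBJECT and `default:` also pass `len` to int-taking helpers cannot be checked from this patch.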

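--- a/SPECS/edk2/CVE-2026-34182.patch
+++ b/SPECS/edk2/CVE-2026-34182.patch
@@ -0,0 +1,109 @@
+From ac3f4b082dcc61ba69eef605c7b4a22c7a0df711 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 15 Jun 2026 06:57:10 +0000
+Subject: [PATCH] Reject potentially forged encrypted CMS AuthEnvelopedData
+ messages
+
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/7947e6a81eb8776802f159fb6762cb7fcf7e34c7.patch
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: https://raw.githubusercontent.com/azurelinux-security/azurelinux/b7c81988963e1e843a851e5e96be250d910e233a/SPECS/edk2/CVE-2026-34182.patch
+---
+ .../OpensslLib/openssl/crypto/cms/cms_enc.c | 18 +++++++++++++-----
+ .../OpensslLib/openssl/crypto/cms/cms_env.c | 7 ++++---
+ .../OpensslLib/openssl/crypto/cms/cms_local.h | 2 +-
+ 3 files changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c
+index a3909ba..64f7389 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c
+@@ -22,7 +22,8 @@
+ /* Return BIO based on EncryptedContentInfo and key */
+ 
+ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
+-                                        const CMS_CTX *cms_ctx)
++                                        const CMS_CTX *cms_ctx,
++                                        int auth)
+ {
+     BIO *b;
+     EVP_CIPHER_CTX *ctx;
+@@ -99,13 +100,20 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
+             goto err;
+         }
+         if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
++            if (!auth) {
++                ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA);
++                goto err;
++            }
+             piv = aparams.iv;
+-            if (ec->taglen > 0
+-                && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
+-                                       ec->taglen, ec->tag) <= 0) {
++
++            if (ec->taglen < 4 || ec->taglen > 16
++                || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (int)ec->taglen, ec->tag) <= 0) {
+                 ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_SET_TAG_ERROR);
+                 goto err;
+             }
++        } else if (auth) {
++            ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM);
++            goto err;
+         }
+     }
+     len = EVP_CIPHER_CTX_get_key_length(ctx);
+@@ -250,5 +258,5 @@ BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms)
+     if (enc->encryptedContentInfo->cipher && enc->unprotectedAttrs)
+         enc->version = 2;
+     return ossl_cms_EncryptedContent_init_bio(enc->encryptedContentInfo,
+-                                            ossl_cms_get0_cmsctx(cms));
++                                            ossl_cms_get0_cmsctx(cms), 0);
+ }
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_env.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_env.c
+index 156a3f7..cb11d8c 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_env.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_env.c
+@@ -1111,7 +1111,8 @@ static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms)
+ {
+     CMS_EncryptedContentInfo *ec = cms->d.envelopedData->encryptedContentInfo;
+     BIO *contentBio = ossl_cms_EncryptedContent_init_bio(ec,
+-                                                         ossl_cms_get0_cmsctx(cms));
++                                                         ossl_cms_get0_cmsctx(cms),
++                                                         0);
+     EVP_CIPHER_CTX *ctx = NULL;
+ 
+     if (contentBio == NULL)
+@@ -1147,7 +1148,7 @@ static BIO *cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo *cms)
+     /* Get BIO first to set up key */
+ 
+     ec = env->encryptedContentInfo;
+-    ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms));
++    ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms), 0);
+ 
+     /* If error end of processing */
+     if (!ret)
+@@ -1199,7 +1200,7 @@ BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms)
+         ec->tag = aenv->mac->data;
+         ec->taglen = aenv->mac->length;
+     }
+-    ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms));
++    ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms), 1);
+ 
+     /* If error or no cipher end of processing */
+     if (ret == NULL || ec->cipher == NULL)
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_local.h b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_local.h
+index 15b4a29..6f6f954 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_local.h
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_local.h
+@@ -429,7 +429,7 @@ int ossl_cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert);
+ int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert);
+ 
+ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
+-                                        const CMS_CTX *ctx);
++                                        const CMS_CTX *ctx, int auth);
+ BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms);
+ int ossl_cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec,
+                                    const EVP_CIPHER *cipher,
+-- 
+2.45.4
+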
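Review bot: The new tag-length bounds `ec->taglen < 4 || ec->taglen > 16` in ossl_cms_EncryptedContent_init_bio are unexplained magic numbers, and the `(int)ec->taglen` cast on the following line hints that taglen is a wider type; a comment such as `/* Reject AEAD tags outside 4..16 bytes before handing the length to EVP_CTRL_AEAD_SET_TAG, so the int cast cannot truncate */` would record why the range check must precede the cast. Because the Upstream-reference line labels this an AI backport rather than the upstream patch, the two reason codes it introduces, CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA and CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM, should be confirmed to exist in this vendored OpenSSL's CMS error tables, otherwise the hunk does not compile. The same `auth` flag is threaded through the cms_env.c callers and the cms_local.h prototype in this file, and only the AuthEnvelopedData path passes 1. The function body continues outside the hunk.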

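--- a/SPECS/edk2/CVE-2026-42766.patch
+++ b/SPECS/edk2/CVE-2026-42766.patch
@@ -0,0 +1,31 @@
+From bb366c25ba012c926fc495142d8a8bfc5c857e1b Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Tue, 16 Jun 2026 09:17:32 +0000
+Subject: [PATCH] Fix PWRI missing keyDerivationAlgorithm handling and add
+ regression test
+
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/3ff64913615d648cfbb6a6f1cf5529ae7ea829d7.patch https://github.com/openssl/openssl/commit/ba699b606969d20a108dda3cfe5422d4cc94eefb.patch
+---
+ CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
+index 6b507c3..beaa935 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_pwri.c
+@@ -351,6 +351,11 @@ int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms,
+ 
+     /* Finish password based key derivation to setup key in "ctx" */
+ 
++    if (algtmp == NULL) {
++        ERR_raise_data(ERR_LIB_CMS, CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER,
++                       "Missing KeyDerivationAlgorithm");
++        goto err;
++    }
+     if (EVP_PBE_CipherInit(algtmp->algorithm,
+                            (char *)pwri->pass, pwri->passlen,
+                            algtmp->parameter, kekctx, en_de) < 0) {
+-- 
+2.45.4
+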
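Review bot: The Subject line `Fix PWRI missing keyDerivationAlgorithm handling and add regression test` does not match the patch body, whose diffstat touches only cms_pwri.c with 5 insertions and carries no test; the backport dropped the test half of the two upstream commits it references, so either trim the subject to `Subject: [PATCH] Fix PWRI missing keyDerivationAlgorithm handling` or add a sentence to the description saying the regression test was not carried over. The added NULL check itself is placed correctly, immediately ahead of the `algtmp->algorithm` dereference, and reuses the existing `err` cleanup path. ossl_cms_RecipientInfo_pwri_crypt begins and ends outside the hunk, so where `algtmp` is assigned is not visible here.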

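--- a/SPECS/edk2/CVE-2026-42767.patch
+++ b/SPECS/edk2/CVE-2026-42767.patch
@@ -0,0 +1,56 @@
+From db2aab1fbff95d1d8251cfc27e6a4c6201690ecc Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus@openssl.foundation>
+Date: Mon, 11 May 2026 16:29:47 +0200
+Subject: [PATCH] Fix potential NULL dereference in
+ OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert()
+
+Check that 'parameter' != NULL before dereferencing in
+OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert().
+
+Fixes CVE-2026-42767
+
+Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
+
+Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
+Reviewed-by: Milan Broz <mbroz@openssl.org>
+MergeDate: Mon Jun 8 20:40:47 2026
+(cherry picked from commit 665d5254083affde9982efca7c41dd01cacc8774)
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: https://github.com/openssl/openssl/commit/61a86a8cd73546c9fea916f3d304c1293e05c046.patch
+---
+ .../Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c
+index 8b42e43..1b3c936 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/crmf/crmf_lib.c
+@@ -617,6 +617,7 @@ X509
+     EVP_CIPHER *cipher = NULL; /* used cipher */
+     int cikeysize = 0; /* key size from cipher */
+     unsigned char *iv = NULL; /* initial vector for symmetric encryption */
++    int iv_len; /* iv length */
+     unsigned char *outbuf = NULL; /* decryption output buffer */
+     const unsigned char *p = NULL; /* needed for decoding ASN1 */
+     int n, outlen = 0;
+@@ -670,11 +671,13 @@ X509
+     } else {
+         goto end;
+     }
+-    if ((iv = OPENSSL_malloc(EVP_CIPHER_get_iv_length(cipher))) == NULL)
++
++    iv_len = EVP_CIPHER_get_iv_length(cipher);
++    if ((iv = OPENSSL_malloc(iv_len)) == NULL)
+         goto end;
+-    if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv,
+-                                  EVP_CIPHER_get_iv_length(cipher))
+-        != EVP_CIPHER_get_iv_length(cipher)) {
++    if (ecert->symmAlg->parameter == NULL
++        || ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv, iv_len)
++        != iv_len) {
+         ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV);
+         goto end;
+     }
+-- 
+2.45.4
+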
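Review bot: `iv_len` is taken straight from EVP_CIPHER_get_iv_length(cipher) and used both as the OPENSSL_malloc() size and as the expected octet-string length without being validated; if that call can report a non-positive length for a cipher that reaches this point (not confirmable from the hunk), the allocation either fails without an error entry or, for a negative value converted to size_t, requests an enormous size. Now that the value has a name, one guard ahead of the allocation covers both, `if (iv_len <= 0) { ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV); goto end; }`. The added `ecert->symmAlg->parameter == NULL` test is the CVE fix and is correctly ordered before the dereference. OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert starts and ends outside the hunks shown.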
