glib-networking: backport fixes for CVE-2025-60018 and CVE-2025-60019

CVE-2025-60018:

  glib-networking's OpenSSL backend fails to properly check the return
  value of a call to BIO_write(), resulting in an out of bounds read.

CVE-2205-60019:

  glib-networking's OpenSSL backend fails to properly check the return
  value of memory allocation routines. An out of memory condition could
  potentially result in writing to an invalid memory location.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>

diff --git a/meta/recipes-core/glib-networking/glib-networking/0001-openssl-properly-check-return-value-when-writing-to-.patch b/meta/recipes-core/glib-networking/glib-networking/0001-openssl-properly-check-return-value-when-writing-to-.patch
new file mode 100644 (file)
index 0000000..72f0c0c
--- /dev/null
+++ b/meta/recipes-core/glib-networking/glib-networking/0001-openssl-properly-check-return-value-when-writing-to-.patch
@@ -0,0 +1,82 @@
+From 330f59dcb39386b3d640ce94fcd3f75e1668ad88 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Mon, 4 Aug 2025 15:10:21 -0500
+Subject: [PATCH 1/3] openssl: properly check return value when writing to BIO
+ objects
+
+In particular, we will read out of bounds, and then write the invalid
+memory, if BIO_write() fails when getting the PROP_CERTIFICATE_PEM
+property. Here we attempt to check the return value, but the check is
+not correct.
+
+This also fixes a leak of the BIO in the same place.
+
+Also add error checking to PROP_SUBJECT_NAME and PROP_ISSUER_NAME, for
+good measure.
+
+Fixes #226
+
+CVE: CVE-2025-60018
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ tls/openssl/gtlscertificate-openssl.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/tls/openssl/gtlscertificate-openssl.c b/tls/openssl/gtlscertificate-openssl.c
+index 648f3e8..b536559 100644
+--- a/tls/openssl/gtlscertificate-openssl.c
++++ b/tls/openssl/gtlscertificate-openssl.c
+@@ -362,15 +362,12 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+     case PROP_CERTIFICATE_PEM:
+       bio = BIO_new (BIO_s_mem ());
+ 
+-      if (!PEM_write_bio_X509 (bio, openssl->cert) || !BIO_write (bio, "\0", 1))
+-        certificate_pem = NULL;
+-      else
++      if (PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1)
+         {
+           BIO_get_mem_data (bio, &certificate_pem);
+           g_value_set_string (value, certificate_pem);
+-
+-          BIO_free_all (bio);
+         }
++      BIO_free_all (bio);
+       break;
+ 
+     case PROP_PRIVATE_KEY:
+@@ -411,8 +408,12 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+     case PROP_SUBJECT_NAME:
+       bio = BIO_new (BIO_s_mem ());
+       name = X509_get_subject_name (openssl->cert);
+-      X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS);
+-      BIO_write (bio, "\0", 1);
++      if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
++          BIO_write (bio, "\0", 1) != 1)
++        {
++          BIO_free_all (bio);
++          break;
++        }
+       BIO_get_mem_data (bio, (char **)&name_string);
+       g_value_set_string (value, name_string);
+       BIO_free_all (bio);
+@@ -421,9 +422,13 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+     case PROP_ISSUER_NAME:
+       bio = BIO_new (BIO_s_mem ());
+       name = X509_get_issuer_name (openssl->cert);
+-      X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS);
+-      BIO_write (bio, "\0", 1);
+-      BIO_get_mem_data (bio, &name_string);
++      if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
++          BIO_write (bio, "\0", 1) != 1)
++        {
++          BIO_free_all (bio);
++          break;
++        }
++      BIO_get_mem_data (bio, (char **)&name_string);
+       g_value_set_string (value, name_string);
+       BIO_free_all (bio);
+       break;
+-- 
+2.43.0
+

diff --git a/meta/recipes-core/glib-networking/glib-networking/0002-openssl-check-return-value-of-g_tls_bio_alloc.patch b/meta/recipes-core/glib-networking/glib-networking/0002-openssl-check-return-value-of-g_tls_bio_alloc.patch
new file mode 100644 (file)
index 0000000..9c3d19f
--- /dev/null
+++ b/meta/recipes-core/glib-networking/glib-networking/0002-openssl-check-return-value-of-g_tls_bio_alloc.patch
@@ -0,0 +1,42 @@
+From b5a3a8b28b7616403d5454f5f1816c933c34cdac Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 21 Aug 2025 16:58:54 -0500
+Subject: [PATCH 2/3] openssl: check return value of g_tls_bio_alloc()
+
+This function may fail, in which case the parameter remains
+uninitialized. We'd better not dereference it in that case.
+
+CVE: CVE-2025-60019
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ tls/openssl/gtlsbio.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tls/openssl/gtlsbio.c b/tls/openssl/gtlsbio.c
+index 0f603fe..1e54943 100644
+--- a/tls/openssl/gtlsbio.c
++++ b/tls/openssl/gtlsbio.c
+@@ -370,7 +370,8 @@ g_tls_bio_new_from_iostream (GIOStream *io_stream)
+   GTlsBio *gbio;
+ 
+   ret = g_tls_bio_alloc (&gbio);
+-  gbio->io_stream = g_object_ref (io_stream);
++  if (ret)
++    gbio->io_stream = g_object_ref (io_stream);
+ 
+   return ret;
+ }
+@@ -382,7 +383,8 @@ g_tls_bio_new_from_datagram_based (GDatagramBased *socket)
+   GTlsBio *gbio;
+ 
+   ret = g_tls_bio_alloc (&gbio);
+-  gbio->socket = g_object_ref (socket);
++  if (ret)
++    gbio->socket = g_object_ref (socket);
+ 
+   return ret;
+ }
+-- 
+2.43.0
+

diff --git a/meta/recipes-core/glib-networking/glib-networking/0003-openssl-check-return-values-of-BIO_new.patch b/meta/recipes-core/glib-networking/glib-networking/0003-openssl-check-return-values-of-BIO_new.patch
new file mode 100644 (file)
index 0000000..1e925da
--- /dev/null
+++ b/meta/recipes-core/glib-networking/glib-networking/0003-openssl-check-return-values-of-BIO_new.patch
@@ -0,0 +1,146 @@
+From 9c22e08b41255543bc15017123ed6c64b97b9b7c Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 21 Aug 2025 17:21:01 -0500
+Subject: [PATCH 3/3] openssl: check return values of BIO_new()
+
+We probably need to check even more return values of even more OpenSSL
+functions, but these ones allocate memory and that's particularly
+important to get right.
+
+CVE: CVE-2025-60019
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ tls/openssl/gtlscertificate-openssl.c | 42 ++++++++++++++++++++-------
+ 1 file changed, 32 insertions(+), 10 deletions(-)
+
+diff --git a/tls/openssl/gtlscertificate-openssl.c b/tls/openssl/gtlscertificate-openssl.c
+index b536559..4fa5286 100644
+--- a/tls/openssl/gtlscertificate-openssl.c
++++ b/tls/openssl/gtlscertificate-openssl.c
+@@ -166,6 +166,9 @@ export_privkey_to_der (GTlsCertificateOpenssl  *openssl,
+     goto err;
+ 
+   bio = BIO_new (BIO_s_mem ());
++  if (!bio)
++    goto err;
++
+   if (i2d_PKCS8_PRIV_KEY_INFO_bio (bio, pkcs8) == 0)
+     goto err;
+ 
+@@ -199,6 +202,9 @@ export_privkey_to_pem (GTlsCertificateOpenssl *openssl)
+     return NULL;
+ 
+   bio = BIO_new (BIO_s_mem ());
++  if (!bio)
++    goto out;
++
+   ret = PEM_write_bio_PKCS8PrivateKey (bio, openssl->key, NULL, NULL, 0, NULL, NULL);
+   if (ret == 0)
+     goto out;
+@@ -211,7 +217,7 @@ export_privkey_to_pem (GTlsCertificateOpenssl *openssl)
+   result = g_strdup (data);
+ 
+ out:
+-  BIO_free_all (bio);
++  g_clear_pointer (&bio, BIO_free_all);
+   return result;
+ }
+ 
+@@ -232,6 +238,9 @@ maybe_import_pkcs12 (GTlsCertificateOpenssl *openssl)
+     return;
+ 
+   bio = BIO_new (BIO_s_mem ());
++  if (!bio)
++    goto import_failed;
++
+   status = BIO_write (bio, openssl->pkcs12_data->data, openssl->pkcs12_data->len);
+   if (status <= 0)
+     goto import_failed;
+@@ -323,7 +332,7 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+   guint8 *data;
+   BIO *bio;
+   GByteArray *byte_array;
+-  char *certificate_pem;
++  const char *certificate_pem;
+   long size;
+ 
+   const ASN1_TIME *time_asn1;
+@@ -362,12 +371,12 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+     case PROP_CERTIFICATE_PEM:
+       bio = BIO_new (BIO_s_mem ());
+ 
+-      if (PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1)
++      if (bio && PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1)
+         {
+           BIO_get_mem_data (bio, &certificate_pem);
+           g_value_set_string (value, certificate_pem);
+         }
+-      BIO_free_all (bio);
++      g_clear_pointer (&bio, BIO_free_all);
+       break;
+ 
+     case PROP_PRIVATE_KEY:
+@@ -407,6 +416,8 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+ 
+     case PROP_SUBJECT_NAME:
+       bio = BIO_new (BIO_s_mem ());
++      if (!bio)
++        break;
+       name = X509_get_subject_name (openssl->cert);
+       if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
+           BIO_write (bio, "\0", 1) != 1)
+@@ -421,6 +432,8 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+ 
+     case PROP_ISSUER_NAME:
+       bio = BIO_new (BIO_s_mem ());
++      if (!bio)
++        break;
+       name = X509_get_issuer_name (openssl->cert);
+       if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
+           BIO_write (bio, "\0", 1) != 1)
+@@ -533,8 +546,11 @@ g_tls_certificate_openssl_set_property (GObject      *object,
+         break;
+       CRITICAL_IF_CERTIFICATE_INITIALIZED ("certificate-pem");
+       bio = BIO_new_mem_buf ((gpointer)string, -1);
+-      openssl->cert = PEM_read_bio_X509 (bio, NULL, NULL, NULL);
+-      BIO_free (bio);
++      if (bio)
++        {
++          openssl->cert = PEM_read_bio_X509 (bio, NULL, NULL, NULL);
++          BIO_free (bio);
++        }
+       if (openssl->cert)
+         openssl->have_cert = TRUE;
+       else if (!openssl->construct_error)
+@@ -554,8 +570,11 @@ g_tls_certificate_openssl_set_property (GObject      *object,
+       CRITICAL_IF_KEY_INITIALIZED ("private-key");
+ 
+       bio = BIO_new_mem_buf (bytes->data, bytes->len);
+-      openssl->key = d2i_PrivateKey_bio (bio, NULL);
+-      BIO_free (bio);
++      if (bio)
++        {
++          openssl->key = d2i_PrivateKey_bio (bio, NULL);
++          BIO_free (bio);
++        }
+       if (openssl->key)
+         openssl->have_key = TRUE;
+       else if (!openssl->construct_error)
+@@ -575,8 +594,11 @@ g_tls_certificate_openssl_set_property (GObject      *object,
+       CRITICAL_IF_KEY_INITIALIZED ("private-key-pem");
+ 
+       bio = BIO_new_mem_buf ((gpointer)string, -1);
+-      openssl->key = PEM_read_bio_PrivateKey (bio, NULL, NULL, NULL);
+-      BIO_free (bio);
++      if (bio)
++        {
++          openssl->key = PEM_read_bio_PrivateKey (bio, NULL, NULL, NULL);
++          BIO_free (bio);
++        }
+       if (openssl->key)
+         openssl->have_key = TRUE;
+       else if (!openssl->construct_error)
+-- 
+2.43.0
+

diff --git a/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb b/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb
index 8bdbab03a6aef50b61ea27a0a57c903330a7fd31..44e3b0c0b3df155e6f9a448608592fbfcf8cbadc 100644 (file)
--- a/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb
+++ b/meta/recipes-core/glib-networking/glib-networking_2.80.1.bb
@@ -29,7 +29,10 @@ PACKAGECONFIG[gnomeproxy] = "-Dgnome_proxy=enabled,-Dgnome_proxy=disabled,gsetti
 
 inherit gnomebase gettext upstream-version-is-even gio-module-cache ptest-gnome
 
-SRC_URI += "file://run-ptest"
+SRC_URI += "file://0001-openssl-properly-check-return-value-when-writing-to-.patch \
+            file://0002-openssl-check-return-value-of-g_tls_bio_alloc.patch \
+            file://0003-openssl-check-return-values-of-BIO_new.patch \
+            file://run-ptest"
 
 FILES:${PN} += "\
                 ${libdir}/gio/modules/libgio*.so \