From 8c1778b2a87a3962904aa8e166409cde2365e877 Mon Sep 17 00:00:00 2001 From: dongyuzhen Date: Wed, 22 Oct 2025 17:13:11 +0800 Subject: [PATCH] fix CVE-2025-11677 and CVE-2025-11678 --- 0005-backport-CVE-2025-11677.patch | 156 +++++++++++++++++++++++++++++ 0006-backport-CVE-2025-11678.patch | 123 +++++++++++++++++++++++ libwebsockets.spec | 10 +- 3 files changed, 288 insertions(+), 1 deletion(-) create mode 100644 0005-backport-CVE-2025-11677.patch create mode 100644 0006-backport-CVE-2025-11678.patch diff --git a/0005-backport-CVE-2025-11677.patch b/0005-backport-CVE-2025-11677.patch new file mode 100644 index 0000000..d567fc8 --- /dev/null +++ b/0005-backport-CVE-2025-11677.patch @@ -0,0 +1,156 @@ +From 2f082ec31261f556969160143ba94875d783971a Mon Sep 17 00:00:00 2001 +From: Nozomi Network Labs +Date: Wed, 24 Sep 2025 12:46:24 +0100 +Subject: [PATCH] NN-2025-0102: UAF depending on upgrade allowed + +This document contains sensitive information collected during our +security research activities related with the Libwebsockets library +maintained by Andy Green (warmcat). + ++-------------------------------------------------------------------------------------------------------+ +| Report information | ++:===================================:+:===============================================================:+ +| Vendor | warmcat | ++-------------------------------------+-----------------------------------------------------------------+ +| Vendor URL | https://libwebsockets.org/git/libwebsockets | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected component | libwebsockets | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected version | 4.4 | ++-------------------------------------+-----------------------------------------------------------------+ +| Vulnerability | CWE-416: Use After Free | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Base Score | 6.0 | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N | ++-------------------------------------+-----------------------------------------------------------------+ + ++-----------------------------------------------------------------------------+ +| Security Researcher(s) | ++:===================================:+:=====================================:+ +| Name | **Email address** | ++-------------------------------------+---------------------------------------+ +| Raffaele Bova | labs-advisory@nozominetworks.com | ++-------------------------------------+---------------------------------------+ + +Libwebsockes is a C library that provides client and server +implementation for various protocols (e.g., HTTP, websockets, MQTT) and +more. + +Nozomi Networks Lab discovered a "CWE-416: Use After Free" in the latest +software version of libwebsockets, specifically in the WebSocket server +implementation. + +Depending on the use of the API, the vulnerability may allow an attacker +to read or write data, that could cause a loss of integrity or +availability. + +The issue is caused by the `lws_handshake_protocol` function, specifically +when the upgrade header is not valid, the function calls +`lws_http_transaction_completed`, which frees some of the data in the wsi +structure, then it calls `user_callback_handle_rxflow` passing the up +pointer and uses it on following strcasecmp calls. + +From our understanding, for this vulnerability to have a meaningful +impact, a user that implements the Websocket server, must provide a user +callback function which is going to handle +`LWS_CALLBACK_HTTP_CONFIRM_UPGRADE`, while ignoring the length and doing +operations on the up pointer. + +It is possible to compile the minimal websocket server using address +sanitizer, to quickly verify the use after free. + +From our understanding of the code, if the upgrade header does not match +the intended contents, then the code after the if statement when +`lws_http_transaction_completed` is called, should not be executed, thus +simply enclosing all that code in the else branch solves the issue. +--- + lib/roles/http/server/server.c | 58 +++++++++++++++++----------------- + 1 file changed, 29 insertions(+), 29 deletions(-) + +diff --git a/lib/roles/http/server/server.c b/lib/roles/http/server/server.c +index 6b132a4..e6d714e 100644 +--- a/lib/roles/http/server/server.c ++++ b/lib/roles/http/server/server.c +@@ -2375,49 +2375,49 @@ raw_transition: + HTTP_STATUS_FORBIDDEN, NULL) || + lws_http_transaction_completed(wsi)) + goto bail_nuke_ah; +- } +- +- n = user_callback_handle_rxflow(wsi->a.protocol->callback, +- wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, +- wsi->user_space, (char *)up, 0); ++ } else { ++ n = user_callback_handle_rxflow(wsi->a.protocol->callback, ++ wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, ++ wsi->user_space, (char *)up, 0); + +- /* just hang up? */ ++ /* just hang up? */ + +- if (n < 0) +- goto bail_nuke_ah; ++ if (n < 0) ++ goto bail_nuke_ah; + +- /* callback returned headers already, do t_c? */ ++ /* callback returned headers already, do t_c? */ + +- if (n > 0) { +- if (lws_http_transaction_completed(wsi)) ++ if (n > 0) { ++ if (lws_http_transaction_completed(wsi)) + goto bail_nuke_ah; + +- /* continue on */ ++ /* continue on */ + +- return 0; +- } ++ return 0; ++ } + +- /* callback said 0, it was allowed */ ++ /* callback said 0, it was allowed */ + +- if (wsi->a.vhost->options & +- LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK && +- lws_confirm_host_header(wsi)) +- goto bail_nuke_ah; ++ if (wsi->a.vhost->options & ++ LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK && ++ lws_confirm_host_header(wsi)) ++ goto bail_nuke_ah; + +- if (!strcasecmp(up, "websocket")) { ++ if (!strcasecmp(up, "websocket")) { + #if defined(LWS_ROLE_WS) +- lws_metrics_tag_wsi_add(wsi, "upg", "ws"); +- lwsl_info("Upgrade to ws\n"); +- goto upgrade_ws; ++ lws_metrics_tag_wsi_add(wsi, "upg", "ws"); ++ lwsl_info("Upgrade to ws\n"); ++ goto upgrade_ws; + #endif +- } ++ } + #if defined(LWS_WITH_HTTP2) +- if (!strcasecmp(up, "h2c")) { +- lws_metrics_tag_wsi_add(wsi, "upg", "h2c"); +- lwsl_info("Upgrade to h2c\n"); +- goto upgrade_h2c; +- } ++ if (!strcasecmp(up, "h2c")) { ++ lws_metrics_tag_wsi_add(wsi, "upg", "h2c"); ++ lwsl_info("Upgrade to h2c\n"); ++ goto upgrade_h2c; ++ } + #endif ++ } + } + + /* no upgrade ack... he remained as HTTP */ +-- +2.43.0 + diff --git a/0006-backport-CVE-2025-11678.patch b/0006-backport-CVE-2025-11678.patch new file mode 100644 index 0000000..64c0231 --- /dev/null +++ b/0006-backport-CVE-2025-11678.patch @@ -0,0 +1,123 @@ +From 2bb9598562b37c942ba5b04bcde3f7fdf66a9d3a Mon Sep 17 00:00:00 2001 +From: Nozomi Network Labs +Date: Wed, 24 Sep 2025 13:30:38 +0100 +Subject: [PATCH] NN-2025-0103: ADNS crafted response overflow + +This document contains sensitive information collected during our +security research activities related with the Libwebsockets library made +by Andy Green (warmcat). + ++-------------------------------------------------------------------------------------------------------+ +| Report information | ++:===================================:+:===============================================================:+ +| Vendor | warmcat | ++-------------------------------------+-----------------------------------------------------------------+ +| Vendor URL | https://libwebsockets.org/git/libwebsockets | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected component | Ecostruxure Automation Expert | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected version | 4.4 | ++-------------------------------------+-----------------------------------------------------------------+ +| Vulnerability | CWE-121: Stack-based Buffer Overflow | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Base Score | 7.5 | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | ++-------------------------------------+-----------------------------------------------------------------+ + ++-----------------------------------------------------------------------------+ +| Security Researcher(s) | ++:===================================:+:=====================================:+ +| Name | **Email address** | ++-------------------------------------+---------------------------------------+ +| Raffaele Bova | labs-advisory@nozominetworks.com | ++-------------------------------------+---------------------------------------+ + +**\** + +Libwebsockes is a C library that provides client and server +implementation for various protocols (e.g., HTTP, websockets, MQTT) and +more. + +Nozomi Networks Lab discovered a "CWE-121: Stack-based Buffer Overflow" +in the latest software version of libwebsockets, specifically in the +async-dns component. + +The vulnerability allows an attacker that can inspect DNS requests made +by the victim (e.g. being in the same wireless network) to forge a DNS +response packet that overflows the stack and may lead to arbitrary code +execution (depending on the platform and compiler options). + +The issue resides in `lws_adns_parse_label` function in +`lib/system/async-dns/async-dns-parse.c`; this function iteratively parses +a label however it does not correctly check the number of bytes written +in the destination buffer. + +Specifically, the size of the dest output buffer is specified in the `dl` +argument, however during the read of each substring of the label only +the length of the current substring of the label is accounted for not +overflowing the destination buffer, but previous reads are not accounted +for. + +This means that a label of arbitrary size and content can be supplied +and is copied onto the stack, however it must be split into substrings +of size less than `dl`. + +To trigger the vulnerability an attacker must be able to sniff the DNS +request packet to send a response with a matching identifier, otherwise +the implantation correctly ignores the response. + +We have provided a harness for testing, for ease of use copy the harness +in a subdirectory, for example in minimal-examples-lowlevel/api-tests/, +and build it + +``` +cmake -B build -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SSL=0 +-DCMAKE_C_FLAGS="-fsanitize=address" . && make -C build lws-test-async-dns +``` + +Then it can be run `./build/bin/lws-test-async-dns < poc_stackbof` + +![Address sanitizer report of stack buffer overflow](./NN-2025-0103_image.png) + +We suggest keeping track of the number of bytes currently written on the +dest buffer, this could be done by saving the original dest pointer, +decrementing dl on each substring memcpy, or using an auxiliary +variable. +--- + lib/system/async-dns/async-dns-parse.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/system/async-dns/async-dns-parse.c b/lib/system/async-dns/async-dns-parse.c +index bdfe205..81743b3 100644 +--- a/lib/system/async-dns/async-dns-parse.c ++++ b/lib/system/async-dns/async-dns-parse.c +@@ -35,7 +35,7 @@ lws_adns_parse_label(const uint8_t *pkt, int len, const uint8_t *ls, int budget, + const uint8_t *e = pkt + len, *ols = ls; + char pointer = 0, first = 1; + uint8_t ll; +- int n; ++ int n, readsize = 0; + + if (budget < 1) + return 0; +@@ -88,7 +88,7 @@ again1: + return -1; + } + +- if ((unsigned int)ll + 2 > dl) { ++ if ((unsigned int)(ll + 2 + readsize) > dl) { + lwsl_notice("%s: qname too large\n", __func__); + + return -1; +@@ -101,6 +101,7 @@ again1: + (*dest)[ll + 1] = '\0'; + *dest += ll + 1; + ls += ll; ++ readsize += ll + 1; + + if (pointer) { + if (*ls) +-- +2.43.0 + diff --git a/libwebsockets.spec b/libwebsockets.spec index 0fc880b..e29aedd 100644 --- a/libwebsockets.spec +++ b/libwebsockets.spec @@ -1,6 +1,6 @@ Name: libwebsockets Version: 4.3.3 -Release: 4 +Release: 5 Summary: A lightweight C library for Websockets License: LGPLv2 and Public Domain and BSD and MIT and zlib URL: https://libwebsockets.org @@ -10,6 +10,8 @@ Patch9001: 0001-add-secure-compile-option-in-Makefile.patch Patch9002: 0002-solve-the-BEP-problem.patch Patch9003: 0003-client-hs-fix-segmentation-fault.patch Patch9004: 0004-fix-the-politically-sensitive-words.patch +Patch9005: 0005-backport-CVE-2025-11677.patch +Patch9006: 0006-backport-CVE-2025-11678.patch BuildRequires: cmake openssl-devel zlib-devel libev-devel gcc gcc-c++ @@ -90,6 +92,12 @@ find %{buildroot} -name '*_static.pc' -exec rm -f {} ';' %doc changelog README.md READMEs/ %changelog +* Wed Oct 22 2025 dongyuzhen - 4.3.3-5 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix CVE-2025-11677 and CVE-2025-11678 + * Tue Aug 12 2025 xiaoyuliang - 4.3.3-4 - Type:bugfix - ID:NA -- Gitee