
Bug#1120129: trixie-pu: package libwebsockets/4.3.5-1+deb13u1
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: libwebsockets@packages.debian.org, gcs@debian.org
Control: affects -1 + src:libwebsockets
User: release.debian.org@packages.debian.org
Usertags: pu

Fixes two low-severity security issues, acked by the maintainer,
and tests run via debusine were all fine.

Cheers,
        Moritz

diff -Nru libwebsockets-4.3.5/debian/changelog libwebsockets-4.3.5/debian/changelog
--- libwebsockets-4.3.5/debian/changelog	2025-03-08 16:27:20.000000000 +0100
+++ libwebsockets-4.3.5/debian/changelog	2025-11-04 00:02:18.000000000 +0100
@@ -1,3 +1,10 @@
+libwebsockets (4.3.5-1+deb13u1) trixie; urgency=medium
+
+  * CVE-2025-11677 (Closes: #1118747)
+  * CVE-2025-11678 (Closes: #1118746)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Tue, 04 Nov 2025 00:02:18 +0100
+
 libwebsockets (4.3.5-1) unstable; urgency=medium
 
   * New upstream release.
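Review bot: the two changelog entries name only the CVE ids; Debian stable-update changelogs normally carry a short description of each issue next to the CVE so the change is understandable without opening the patches, e.g. `* CVE-2025-11677: use-after-free in lws_handshake_protocol when the Upgrade header is invalid (Closes: #1118747)` and `* CVE-2025-11678: stack buffer overflow in lws_adns_parse_label on a crafted DNS response (Closes: #1118746)`.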
diff -Nru libwebsockets-4.3.5/debian/patches/CVE-2025-11677.patch libwebsockets-4.3.5/debian/patches/CVE-2025-11677.patch
--- libwebsockets-4.3.5/debian/patches/CVE-2025-11677.patch	1970-01-01 01:00:00.000000000 +0100
+++ libwebsockets-4.3.5/debian/patches/CVE-2025-11677.patch	2025-11-04 00:02:18.000000000 +0100
@@ -0,0 +1,148 @@
+Author: Nozomi Network Labs <labs-advisory@nozominetworks.com>
+Date: Wed Sep 24 12:46:24 2025 +0100
+
+NN-2025-0102: UAF depending on upgrade allowed
+
+This document contains sensitive information collected during our
+security research activities related with the Libwebsockets library
+maintained by Andy Green (warmcat).
+
++-------------------------------------------------------------------------------------------------------+
+| Report information                                                                                    |
++:===================================:+:===============================================================:+
+| Vendor                              | warmcat                                                         |
++-------------------------------------+-----------------------------------------------------------------+
+| Vendor URL                          | https://libwebsockets.org/git/libwebsockets                     |
++-------------------------------------+-----------------------------------------------------------------+
+| Affected component                  | libwebsockets                                                   |
++-------------------------------------+-----------------------------------------------------------------+
+| Affected version                    | 4.4                                                             |
++-------------------------------------+-----------------------------------------------------------------+
+| Vulnerability                       | CWE-416: Use After Free                                         |
++-------------------------------------+-----------------------------------------------------------------+
+| Proposed CVSS v3.1 Base Score       | 6.0                                                             |
++-------------------------------------+-----------------------------------------------------------------+
+| Proposed CVSS v3.1 Vector           | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
++-------------------------------------+-----------------------------------------------------------------+
+
++-----------------------------------------------------------------------------+
+| Security Researcher(s)                                                      |
++:===================================:+:=====================================:+
+| Name                                | **Email address**                     |
++-------------------------------------+---------------------------------------+
+| Raffaele Bova                       | labs-advisory@nozominetworks.com      |
++-------------------------------------+---------------------------------------+
+
+Libwebsockes is a C library that provides client and server
+implementation for various protocols (e.g., HTTP, websockets, MQTT) and
+more.
+
+Nozomi Networks Lab discovered a "CWE-416: Use After Free" in the latest
+software version of libwebsockets, specifically in the WebSocket server
+implementation.
+
+Depending on the use of the API, the vulnerability may allow an attacker
+to read or write data, that could cause a loss of integrity or
+availability.
+
+The issue is caused by the `lws_handshake_protocol` function, specifically
+when the upgrade header is not valid, the function calls
+`lws_http_transaction_completed`, which frees some of the data in the wsi
+structure, then it calls `user_callback_handle_rxflow` passing the up
+pointer and uses it on following strcasecmp calls.
+
+From our understanding, for this vulnerability to have a meaningful
+impact, a user that implements the Websocket server, must provide a user
+callback function which is going to handle
+`LWS_CALLBACK_HTTP_CONFIRM_UPGRADE`, while ignoring the length and doing
+operations on the up pointer.
+
+It is possible to compile the minimal websocket server using address
+sanitizer, to quickly verify the use after free.
+
+From our understanding of the code, if the upgrade header does not match
+the intended contents, then the code after the if statement when
+`lws_http_transaction_completed` is called, should not be executed, thus
+simply enclosing all that code in the else branch solves the issue.
+
+--- libwebsockets-4.3.5.orig/lib/roles/http/server/server.c
++++ libwebsockets-4.3.5/lib/roles/http/server/server.c
+@@ -2377,49 +2377,49 @@ raw_transition:
+ 						HTTP_STATUS_FORBIDDEN, NULL) ||
+ 				    lws_http_transaction_completed(wsi))
+ 					goto bail_nuke_ah;
+-			}
+-
+-			n = user_callback_handle_rxflow(wsi->a.protocol->callback,
+-					wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,
+-					wsi->user_space, (char *)up, 0);
++			} else {
++				n = user_callback_handle_rxflow(wsi->a.protocol->callback,
++						wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,
++						wsi->user_space, (char *)up, 0);
+ 
+-			/* just hang up? */
++				/* just hang up? */
+ 
+-			if (n < 0)
+-				goto bail_nuke_ah;
++				if (n < 0)
++					goto bail_nuke_ah;
+ 
+-			/* callback returned headers already, do t_c? */
++				/* callback returned headers already, do t_c? */
+ 
+-			if (n > 0) {
+-				if (lws_http_transaction_completed(wsi))
++				if (n > 0) {
++				    if (lws_http_transaction_completed(wsi))
+ 					goto bail_nuke_ah;
+ 
+-				/* continue on */
++				    /* continue on */
+ 
+-				return 0;
+-			}
++				    return 0;
++				}
+ 
+-			/* callback said 0, it was allowed */
++				/* callback said 0, it was allowed */
+ 
+-			if (wsi->a.vhost->options &
+-			    LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK &&
+-			    lws_confirm_host_header(wsi))
+-				goto bail_nuke_ah;
++				if (wsi->a.vhost->options &
++					LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK &&
++					lws_confirm_host_header(wsi))
++				    goto bail_nuke_ah;
+ 
+-			if (!strcasecmp(up, "websocket")) {
++				if (!strcasecmp(up, "websocket")) {
+ #if defined(LWS_ROLE_WS)
+-				lws_metrics_tag_wsi_add(wsi, "upg", "ws");
+-				lwsl_info("Upgrade to ws\n");
+-				goto upgrade_ws;
++					lws_metrics_tag_wsi_add(wsi, "upg", "ws");
++					lwsl_info("Upgrade to ws\n");
++					goto upgrade_ws;
+ #endif
+-			}
++				}
+ #if defined(LWS_WITH_HTTP2)
+-			if (!strcasecmp(up, "h2c")) {
+-				lws_metrics_tag_wsi_add(wsi, "upg", "h2c");
+-				lwsl_info("Upgrade to h2c\n");
+-				goto upgrade_h2c;
+-			}
++				if (!strcasecmp(up, "h2c")) {
++				    lws_metrics_tag_wsi_add(wsi, "upg", "h2c");
++				    lwsl_info("Upgrade to h2c\n");
++				    goto upgrade_h2c;
++				}
+ #endif
++			}
+ 		}
+ 
+ 		/* no upgrade ack... he remained as HTTP */
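Review bot: the patch description is the Nozomi advisory text verbatim rather than a DEP-3 header, and parts of it do not fit this upload: it states "Affected version 4.4" while the patch is applied to 4.3.5, and it labels a `CVSS:4.0/...` vector as "Proposed CVSS v3.1 Vector". Add `Origin:`, `Bug:` and `Bug-Debian: https://bugs.debian.org/1118747` lines plus a one-sentence summary of the fix (moving the LWS_CALLBACK_HTTP_CONFIRM_UPGRADE callback and the strcasecmp calls on `up` into the else branch so they are not reached after lws_http_transaction_completed has freed the header data) so the provenance is clear without the advisory prose. As a style point, the moved block mixes four-space indentation (`+				    if (lws_http_transaction_completed(wsi))`, `+				    goto bail_nuke_ah;`) with the tab-only indentation of the surrounding server.c code.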
diff -Nru libwebsockets-4.3.5/debian/patches/CVE-2025-11678.patch libwebsockets-4.3.5/debian/patches/CVE-2025-11678.patch
--- libwebsockets-4.3.5/debian/patches/CVE-2025-11678.patch	1970-01-01 01:00:00.000000000 +0100
+++ libwebsockets-4.3.5/debian/patches/CVE-2025-11678.patch	2025-11-04 00:02:18.000000000 +0100
@@ -0,0 +1,115 @@
+Author: Nozomi Network Labs <labs-advisory@nozominetworks.com>
+Date: Wed Sep 24 13:30:38 2025 +0100
+
+NN-2025-0103: ADNS crafted response overflow
+
+This document contains sensitive information collected during our
+security research activities related with the Libwebsockets library made
+by Andy Green (warmcat).
+
++-------------------------------------------------------------------------------------------------------+
+| Report information                                                                                    |
++:===================================:+:===============================================================:+
+| Vendor                              | warmcat                                                         |
++-------------------------------------+-----------------------------------------------------------------+
+| Vendor URL                          | https://libwebsockets.org/git/libwebsockets                     |
++-------------------------------------+-----------------------------------------------------------------+
+| Affected component                  | Ecostruxure Automation Expert                                   |
++-------------------------------------+-----------------------------------------------------------------+
+| Affected version                    | 4.4                                                             |
++-------------------------------------+-----------------------------------------------------------------+
+| Vulnerability                       | CWE-121: Stack-based Buffer Overflow                            |
++-------------------------------------+-----------------------------------------------------------------+
+| Proposed CVSS v3.1 Base Score       | 7.5                                                             |
++-------------------------------------+-----------------------------------------------------------------+
+| Proposed CVSS v3.1 Vector           | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
++-------------------------------------+-----------------------------------------------------------------+
+
++-----------------------------------------------------------------------------+
+| Security Researcher(s)                                                      |
++:===================================:+:=====================================:+
+| Name                                | **Email address**                     |
++-------------------------------------+---------------------------------------+
+| Raffaele Bova                       | labs-advisory@nozominetworks.com      |
++-------------------------------------+---------------------------------------+
+
+**\**
+
+Libwebsockes is a C library that provides client and server
+implementation for various protocols (e.g., HTTP, websockets, MQTT) and
+more.
+
+Nozomi Networks Lab discovered a "CWE-121: Stack-based Buffer Overflow"
+in the latest software version of libwebsockets, specifically in the
+async-dns component.
+
+The vulnerability allows an attacker that can inspect DNS requests made
+by the victim (e.g. being in the same wireless network) to forge a DNS
+response packet that overflows the stack and may lead to arbitrary code
+execution (depending on the platform and compiler options).
+
+The issue resides in `lws_adns_parse_label` function in
+`lib/system/async-dns/async-dns-parse.c`; this function iteratively parses
+a label however it does not correctly check the number of bytes written
+in the destination buffer.
+
+Specifically, the size of the dest output buffer is specified in the `dl`
+argument, however during the read of each substring of the label only
+the length of the current substring of the label is accounted for not
+overflowing the destination buffer, but previous reads are not accounted
+for.
+
+This means that a label of arbitrary size and content can be supplied
+and is copied onto the stack, however it must be split into substrings
+of size less than `dl`.
+
+To trigger the vulnerability an attacker must be able to sniff the DNS
+request packet to send a response with a matching identifier, otherwise
+the implantation correctly ignores the response.
+
+We have provided a harness for testing, for ease of use copy the harness
+in a subdirectory, for example in minimal-examples-lowlevel/api-tests/,
+and build it
+
+```
+cmake -B build -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SSL=0
+-DCMAKE_C_FLAGS="-fsanitize=address" . && make -C build lws-test-async-dns
+```
+
+Then it can be run `./build/bin/lws-test-async-dns < poc_stackbof`
+
+![Address sanitizer report of stack buffer overflow](./NN-2025-0103_image.png)
+
+We suggest keeping track of the number of bytes currently written on the
+dest buffer, this could be done by saving the original dest pointer,
+decrementing dl on each substring memcpy, or using an auxiliary
+variable.
+
+--- libwebsockets-4.3.5.orig/lib/system/async-dns/async-dns-parse.c
++++ libwebsockets-4.3.5/lib/system/async-dns/async-dns-parse.c
+@@ -35,7 +35,7 @@ lws_adns_parse_label(const uint8_t *pkt,
+ 	const uint8_t *e = pkt + len, *ols = ls;
+ 	char pointer = 0, first = 1;
+ 	uint8_t ll;
+-	int n;
++	int n, readsize = 0;
+ 
+ 	if (budget < 1)
+ 		return 0;
+@@ -88,7 +88,7 @@ again1:
+ 		return -1;
+ 	}
+ 
+-	if ((unsigned int)ll + 2 > dl) {
++	if ((unsigned int)(ll + 2 + readsize) > dl) {
+ 		lwsl_notice("%s: qname too large\n", __func__);
+ 
+ 		return -1;
+@@ -101,6 +101,7 @@ again1:
+ 	(*dest)[ll + 1] = '\0';
+ 	*dest += ll + 1;
+ 	ls += ll;
++	readsize += ll + 1;
+ 
+ 	if (pointer) {
+ 		if (*ls)
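Review bot: the patch description carries over advisory text that is wrong for this package: "Affected component: Ecostruxure Automation Expert" is not libwebsockets, "Affected version 4.4" is not 4.3.5, the "CVSS v3.1" label sits on a `CVSS:4.0/...` vector, and the description references `./NN-2025-0103_image.png` and a `poc_stackbof` harness that are not shipped with the patch. Replace it with DEP-3 headers (`Origin:`, `Bug:`, `Bug-Debian: https://bugs.debian.org/1118746`) and a one-line summary of the accounting fix. The code change itself reads correctly against the visible lines: `readsize` accumulates `ll + 1` for each label segment already written, and the bound check becomes `(unsigned int)(ll + 2 + readsize) > dl`, which covers the `ll` label bytes, the length byte, and the terminating NUL written at `(*dest)[ll + 1]`, so the total written to `dest` can no longer exceed `dl` across multiple segments.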
diff -Nru libwebsockets-4.3.5/debian/patches/series libwebsockets-4.3.5/debian/patches/series
--- libwebsockets-4.3.5/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libwebsockets-4.3.5/debian/patches/series	2025-11-04 00:02:18.000000000 +0100
@@ -0,0 +1,2 @@
+CVE-2025-11677.patch
+CVE-2025-11678.patch
