
Bug#1120129: marked as done (trixie-pu: package libwebsockets/4.3.5-1+deb13u1)



Your message dated Sat, 15 Nov 2025 11:21:45 +0000
with message-id <736c7150dc08501cc89945035c406eaf9688e144.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 13.2
has caused the Debian Bug report #1120129,
regarding trixie-pu: package libwebsockets/4.3.5-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1120129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120129
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: libwebsockets@packages.debian.org, gcs@debian.org
Control: affects -1 + src:libwebsockets
User: release.debian.org@packages.debian.org
Usertags: pu

Fixes two low-severity security issues, acked by the maintainer, and
tests run via debusine were all fine.

Cheers,
        Moritz

diff -Nru libwebsockets-4.3.5/debian/changelog libwebsockets-4.3.5/debian/changelog
--- libwebsockets-4.3.5/debian/changelog	2025-03-08 16:27:20.000000000 +0100
+++ libwebsockets-4.3.5/debian/changelog	2025-11-04 00:02:18.000000000 +0100
@@ -1,3 +1,10 @@
+libwebsockets (4.3.5-1+deb13u1) trixie; urgency=medium
+
+  * CVE-2025-11677 (Closes: #1118747)
+  * CVE-2025-11678 (Closes: #1118746)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Tue, 04 Nov 2025 00:02:18 +0100
+
 libwebsockets (4.3.5-1) unstable; urgency=medium
 
   * New upstream release.
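Review bot: the two changelog entries `+  * CVE-2025-11677 (Closes: #1118747)` and `+  * CVE-2025-11678 (Closes: #1118746)` carry only the CVE identifier; a stable update changelog should say in a few words what each entry fixes (the patch headers further down describe them as a use-after-free in `lws_handshake_protocol` when the Upgrade header is rejected, and a stack-based buffer overflow in `lws_adns_parse_label` when parsing DNS labels), so readers of the changelog and of the point-release notes can judge the impact without resolving the CVE numbers.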
diff -Nru libwebsockets-4.3.5/debian/patches/CVE-2025-11677.patch libwebsockets-4.3.5/debian/patches/CVE-2025-11677.patch
--- libwebsockets-4.3.5/debian/patches/CVE-2025-11677.patch	1970-01-01 01:00:00.000000000 +0100
+++ libwebsockets-4.3.5/debian/patches/CVE-2025-11677.patch	2025-11-04 00:02:18.000000000 +0100
@@ -0,0 +1,148 @@
+Author: Nozomi Network Labs <labs-advisory@nozominetworks.com>
+Date: Wed Sep 24 12:46:24 2025 +0100
+
+NN-2025-0102: UAF depending on upgrade allowed
+
+This document contains sensitive information collected during our
+security research activities related with the Libwebsockets library
+maintained by Andy Green (warmcat).
+
++-------------------------------------------------------------------------------------------------------+
+| Report information                                                                                    |
++:===================================:+:===============================================================:+
+| Vendor                              | warmcat                                                         |
++-------------------------------------+-----------------------------------------------------------------+
+| Vendor URL                          | https://libwebsockets.org/git/libwebsockets                     |
++-------------------------------------+-----------------------------------------------------------------+
+| Affected component                  | libwebsockets                                                   |
++-------------------------------------+-----------------------------------------------------------------+
+| Affected version                    | 4.4                                                             |
++-------------------------------------+-----------------------------------------------------------------+
+| Vulnerability                       | CWE-416: Use After Free                                         |
++-------------------------------------+-----------------------------------------------------------------+
+| Proposed CVSS v3.1 Base Score       | 6.0                                                             |
++-------------------------------------+-----------------------------------------------------------------+
+| Proposed CVSS v3.1 Vector           | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
++-------------------------------------+-----------------------------------------------------------------+
+
++-----------------------------------------------------------------------------+
+| Security Researcher(s)                                                      |
++:===================================:+:=====================================:+
+| Name                                | **Email address**                     |
++-------------------------------------+---------------------------------------+
+| Raffaele Bova                       | labs-advisory@nozominetworks.com      |
++-------------------------------------+---------------------------------------+
+
+Libwebsockes is a C library that provides client and server
+implementation for various protocols (e.g., HTTP, websockets, MQTT) and
+more.
+
+Nozomi Networks Lab discovered a "CWE-416: Use After Free" in the latest
+software version of libwebsockets, specifically in the WebSocket server
+implementation.
+
+Depending on the use of the API, the vulnerability may allow an attacker
+to read or write data, that could cause a loss of integrity or
+availability.
+
+The issue is caused by the `lws_handshake_protocol` function, specifically
+when the upgrade header is not valid, the function calls
+`lws_http_transaction_completed`, which frees some of the data in the wsi
+structure, then it calls `user_callback_handle_rxflow` passing the up
+pointer and uses it on following strcasecmp calls.
+
+From our understanding, for this vulnerability to have a meaningful
+impact, a user that implements the Websocket server, must provide a user
+callback function which is going to handle
+`LWS_CALLBACK_HTTP_CONFIRM_UPGRADE`, while ignoring the length and doing
+operations on the up pointer.
+
+It is possible to compile the minimal websocket server using address
+sanitizer, to quickly verify the use after free.
+
+From our understanding of the code, if the upgrade header does not match
+the intended contents, then the code after the if statement when
+`lws_http_transaction_completed` is called, should not be executed, thus
+simply enclosing all that code in the else branch solves the issue.
+
+--- libwebsockets-4.3.5.orig/lib/roles/http/server/server.c
++++ libwebsockets-4.3.5/lib/roles/http/server/server.c
+@@ -2377,49 +2377,49 @@ raw_transition:
+ 						HTTP_STATUS_FORBIDDEN, NULL) ||
+ 				    lws_http_transaction_completed(wsi))
+ 					goto bail_nuke_ah;
+-			}
+-
+-			n = user_callback_handle_rxflow(wsi->a.protocol->callback,
+-					wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,
+-					wsi->user_space, (char *)up, 0);
++			} else {
++				n = user_callback_handle_rxflow(wsi->a.protocol->callback,
++						wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,
++						wsi->user_space, (char *)up, 0);
+ 
+-			/* just hang up? */
++				/* just hang up? */
+ 
+-			if (n < 0)
+-				goto bail_nuke_ah;
++				if (n < 0)
++					goto bail_nuke_ah;
+ 
+-			/* callback returned headers already, do t_c? */
++				/* callback returned headers already, do t_c? */
+ 
+-			if (n > 0) {
+-				if (lws_http_transaction_completed(wsi))
++				if (n > 0) {
++				    if (lws_http_transaction_completed(wsi))
+ 					goto bail_nuke_ah;
+ 
+-				/* continue on */
++				    /* continue on */
+ 
+-				return 0;
+-			}
++				    return 0;
++				}
+ 
+-			/* callback said 0, it was allowed */
++				/* callback said 0, it was allowed */
+ 
+-			if (wsi->a.vhost->options &
+-			    LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK &&
+-			    lws_confirm_host_header(wsi))
+-				goto bail_nuke_ah;
++				if (wsi->a.vhost->options &
++					LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK &&
++					lws_confirm_host_header(wsi))
++				    goto bail_nuke_ah;
+ 
+-			if (!strcasecmp(up, "websocket")) {
++				if (!strcasecmp(up, "websocket")) {
+ #if defined(LWS_ROLE_WS)
+-				lws_metrics_tag_wsi_add(wsi, "upg", "ws");
+-				lwsl_info("Upgrade to ws\n");
+-				goto upgrade_ws;
++					lws_metrics_tag_wsi_add(wsi, "upg", "ws");
++					lwsl_info("Upgrade to ws\n");
++					goto upgrade_ws;
+ #endif
+-			}
++				}
+ #if defined(LWS_WITH_HTTP2)
+-			if (!strcasecmp(up, "h2c")) {
+-				lws_metrics_tag_wsi_add(wsi, "upg", "h2c");
+-				lwsl_info("Upgrade to h2c\n");
+-				goto upgrade_h2c;
+-			}
++				if (!strcasecmp(up, "h2c")) {
++				    lws_metrics_tag_wsi_add(wsi, "upg", "h2c");
++				    lwsl_info("Upgrade to h2c\n");
++				    goto upgrade_h2c;
++				}
+ #endif
++			}
+ 		}
+ 
+ 		/* no upgrade ack... he remained as HTTP */
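Review bot: the patch header starting at `+Author: Nozomi Network Labs <labs-advisory@nozominetworks.com>` is not in DEP-3 form; add `Origin:`, `Bug-Debian: https://bugs.debian.org/1118747` (the number the changelog closes for this CVE) and a one-line `Description:` instead of embedding the full advisory, whose report table says `Affected version | 4.4` while the file being patched is `libwebsockets-4.3.5/lib/roles/http/server/server.c`. The code change itself is correct: in the original, when the Upgrade header is rejected and both `lws_return_http_status(...)` and `lws_http_transaction_completed(wsi)` return 0, control falls past the closing `-			}` into `user_callback_handle_rxflow(..., (char *)up, 0)` and the `strcasecmp(up, "websocket")` / `strcasecmp(up, "h2c")` checks, even though the advisory text above states that `lws_http_transaction_completed` has already freed part of the wsi that `up` points into; wrapping that tail in `+			} else {` ... `+			}` removes the fall-through. Minor style point: the moved lines mix tab and four-space indentation (`+				    if (lws_http_transaction_completed(wsi))` next to tab-indented neighbours), which will make the next upstream rebase noisier than it needs to be.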
diff -Nru libwebsockets-4.3.5/debian/patches/CVE-2025-11678.patch libwebsockets-4.3.5/debian/patches/CVE-2025-11678.patch
--- libwebsockets-4.3.5/debian/patches/CVE-2025-11678.patch	1970-01-01 01:00:00.000000000 +0100
+++ libwebsockets-4.3.5/debian/patches/CVE-2025-11678.patch	2025-11-04 00:02:18.000000000 +0100
@@ -0,0 +1,115 @@
+Author: Nozomi Network Labs <labs-advisory@nozominetworks.com>
+Date: Wed Sep 24 13:30:38 2025 +0100
+
+NN-2025-0103: ADNS crafted response overflow
+
+This document contains sensitive information collected during our
+security research activities related with the Libwebsockets library made
+by Andy Green (warmcat).
+
++-------------------------------------------------------------------------------------------------------+
+| Report information                                                                                    |
++:===================================:+:===============================================================:+
+| Vendor                              | warmcat                                                         |
++-------------------------------------+-----------------------------------------------------------------+
+| Vendor URL                          | https://libwebsockets.org/git/libwebsockets                     |
++-------------------------------------+-----------------------------------------------------------------+
+| Affected component                  | Ecostruxure Automation Expert                                   |
++-------------------------------------+-----------------------------------------------------------------+
+| Affected version                    | 4.4                                                             |
++-------------------------------------+-----------------------------------------------------------------+
+| Vulnerability                       | CWE-121: Stack-based Buffer Overflow                            |
++-------------------------------------+-----------------------------------------------------------------+
+| Proposed CVSS v3.1 Base Score       | 7.5                                                             |
++-------------------------------------+-----------------------------------------------------------------+
+| Proposed CVSS v3.1 Vector           | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
++-------------------------------------+-----------------------------------------------------------------+
+
++-----------------------------------------------------------------------------+
+| Security Researcher(s)                                                      |
++:===================================:+:=====================================:+
+| Name                                | **Email address**                     |
++-------------------------------------+---------------------------------------+
+| Raffaele Bova                       | labs-advisory@nozominetworks.com      |
++-------------------------------------+---------------------------------------+
+
+**\**
+
+Libwebsockes is a C library that provides client and server
+implementation for various protocols (e.g., HTTP, websockets, MQTT) and
+more.
+
+Nozomi Networks Lab discovered a "CWE-121: Stack-based Buffer Overflow"
+in the latest software version of libwebsockets, specifically in the
+async-dns component.
+
+The vulnerability allows an attacker that can inspect DNS requests made
+by the victim (e.g. being in the same wireless network) to forge a DNS
+response packet that overflows the stack and may lead to arbitrary code
+execution (depending on the platform and compiler options).
+
+The issue resides in `lws_adns_parse_label` function in
+`lib/system/async-dns/async-dns-parse.c`; this function iteratively parses
+a label however it does not correctly check the number of bytes written
+in the destination buffer.
+
+Specifically, the size of the dest output buffer is specified in the `dl`
+argument, however during the read of each substring of the label only
+the length of the current substring of the label is accounted for not
+overflowing the destination buffer, but previous reads are not accounted
+for.
+
+This means that a label of arbitrary size and content can be supplied
+and is copied onto the stack, however it must be split into substrings
+of size less than `dl`.
+
+To trigger the vulnerability an attacker must be able to sniff the DNS
+request packet to send a response with a matching identifier, otherwise
+the implantation correctly ignores the response.
+
+We have provided a harness for testing, for ease of use copy the harness
+in a subdirectory, for example in minimal-examples-lowlevel/api-tests/,
+and build it
+
+```
+cmake -B build -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SSL=0
+-DCMAKE_C_FLAGS="-fsanitize=address" . && make -C build lws-test-async-dns
+```
+
+Then it can be run `./build/bin/lws-test-async-dns < poc_stackbof`
+
+![Address sanitizer report of stack buffer overflow](./NN-2025-0103_image.png)
+
+We suggest keeping track of the number of bytes currently written on the
+dest buffer, this could be done by saving the original dest pointer,
+decrementing dl on each substring memcpy, or using an auxiliary
+variable.
+
+--- libwebsockets-4.3.5.orig/lib/system/async-dns/async-dns-parse.c
++++ libwebsockets-4.3.5/lib/system/async-dns/async-dns-parse.c
+@@ -35,7 +35,7 @@ lws_adns_parse_label(const uint8_t *pkt,
+ 	const uint8_t *e = pkt + len, *ols = ls;
+ 	char pointer = 0, first = 1;
+ 	uint8_t ll;
+-	int n;
++	int n, readsize = 0;
+ 
+ 	if (budget < 1)
+ 		return 0;
+@@ -88,7 +88,7 @@ again1:
+ 		return -1;
+ 	}
+ 
+-	if ((unsigned int)ll + 2 > dl) {
++	if ((unsigned int)(ll + 2 + readsize) > dl) {
+ 		lwsl_notice("%s: qname too large\n", __func__);
+ 
+ 		return -1;
+@@ -101,6 +101,7 @@ again1:
+ 	(*dest)[ll + 1] = '\0';
+ 	*dest += ll + 1;
+ 	ls += ll;
++	readsize += ll + 1;
+ 
+ 	if (pointer) {
+ 		if (*ls)
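Review bot: the bounds fix is sound, but the patch header should be trimmed to DEP-3 form. On the logic: `+	int n, readsize = 0;` is advanced by `+	readsize += ll + 1;` after each label segment is copied, and the check `+	if ((unsigned int)(ll + 2 + readsize) > dl) {` now accounts for the bytes written by earlier passes through the `again1:` loop in addition to the current segment, its length byte and the terminator written at `(*dest)[ll + 1]`, so the total written through `*dest` stays within `dl`; this is the "auxiliary variable" option the advisory text suggests. On the header: the embedded report table lists `Affected component | Ecostruxure Automation Expert`, which is not this package (the CVE-2025-11677 header correctly says libwebsockets), the text refers to a test harness, a `poc_stackbof` input and an image `./NN-2025-0103_image.png` that are not shipped with the patch, and the `cmake` command is broken across two lines; replace all of that with `Origin:`, `Bug-Debian: https://bugs.debian.org/1118746` and a one-line `Description:` of the missing cumulative length check in `lws_adns_parse_label`.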
diff -Nru libwebsockets-4.3.5/debian/patches/series libwebsockets-4.3.5/debian/patches/series
--- libwebsockets-4.3.5/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libwebsockets-4.3.5/debian/patches/series	2025-11-04 00:02:18.000000000 +0100
@@ -0,0 +1,2 @@
+CVE-2025-11677.patch
+CVE-2025-11678.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.2

Hi,

The updates referenced in each of these bugs were included in today's
13.2 trixie point release.

Regards,

Adam

--- End Message ---