From 3c2074cd839feafb30cff34e43978207b58932f6 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Mon, 15 Jun 2026 07:04:44 +0000
Subject: [PATCH 1/2] Patch edk2 for CVE-2026-34182
---
 SPECS/edk2/CVE-2026-34182.patch | 51 +++++++++++++++++++++++++++++++++
 SPECS/edk2/edk2.spec | 6 +++-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/edk2/CVE-2026-34182.patch
diff --git a/SPECS/edk2/CVE-2026-34182.patch b/SPECS/edk2/CVE-2026-34182.patch
new file mode 100644
index 00000000000..a0cae54d902
--- /dev/null
+++ b/SPECS/edk2/CVE-2026-34182.patch
@@ -0,0 +1,51 @@
+From 4719b3d0c6e241c8b65ca77cd2e6971b8e39ffb4 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 15 Jun 2026 06:57:10 +0000
+Subject: [PATCH] Reject potentially forged encrypted CMS AuthEnvelopedData
+ messages
+
+Signed-off-by: rpm-build
+Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/7947e6a81eb8776802f159fb6762cb7fcf7e34c7.patch
+---
+ .../Library/OpensslLib/openssl/crypto/cms/cms_enc.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c
+index a3909ba..3da0a96 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c
+@@ -37,10 +37,12 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
+ size_t tkeylen = 0;
+ int ok = 0;
+ int enc, keep_key = 0;
++ int auth = ec->havenocert == 1;
+ OSSL_LIB_CTX *libctx = ossl_cms_ctx_get0_libctx(cms_ctx);
+ const char *propq = ossl_cms_ctx_get0_propq(cms_ctx);
+
+ enc = ec->cipher ? 1 : 0;
++ auth |= (OBJ_obj2nid(ec->contentType) == NID_id_smime_ct_authEnvelopedData);
+
+ b = BIO_new(BIO_f_cipher());
+ if (b == NULL) {
+@@ -100,12 +102,15 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
+ }
+ if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
+ piv = aparams.iv;
+- if (ec->taglen > 0
+- && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG,
+- ec->taglen, ec->tag) <= 0) {
++
++ if (ec->taglen < 4 || ec->taglen > 16
++ || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, (int)ec->taglen, ec->tag) <= 0) {
+ ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_SET_TAG_ERROR);
+ goto err;
+ }
++ } else if (auth) {
++ ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM);
++ goto err;
+ }
+ }
+ len = EVP_CIPHER_CTX_get_key_length(ctx);
+-- 
+2.45.4
+
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec index 3f2dfe618ca..09fd7186dde 100644 --- a/SPECS/edk2/edk2.spec +++ b/SPECS/edk2/edk2.spec @@ -56,7 +56,7 @@ Distribution: Azure Linux Name: edk2 Version: %{GITDATE}git%{GITCOMMIT} -Release: 17%{?dist} +Release: 18%{?dist} Summary: UEFI firmware for 64-bit virtual machines License: Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain URL: https://www.tianocore.org @@ -152,6 +152,7 @@ Patch1014: CVE-2026-22796.patch Patch1015: CVE-2025-69419.patch Patch1016: CVE-2026-28389.patch Patch1017: CVE-2026-28390.patch +Patch1018: CVE-2026-34182.patch # python3-devel and libuuid-devel are required for building tools. # python3-devel is also needed for varstore template generation and @@ -799,6 +800,9 @@ done %endif %changelog +* Mon Jun 15 2026 Azure Linux Security Servicing Account - 20240524git3e722403cd16-18 +- Patch for CVE-2026-34182 + * Wed May 06 2026 Sumedh Sharma - 20240524git3e722403cd16-17 - Enable build_aarch64 to build arm64 firmware bins - Disable OVMF compilation on aarch64 hosts due to missing cross gcc-x86_64-linux-gnu From b7c81988963e1e843a851e5e96be250d910e233a Mon Sep 17 00:00:00 2001 From: Aditya Singh Date: Mon, 15 Jun 2026 10:16:49 +0000 Subject: [PATCH 2/2] Updated Patch for CVE-2026-34182 and updated edk2-hvloader-signed spec --- .../edk2-hvloader-signed.spec | 5 +- SPECS/edk2/CVE-2026-34182.patch | 88 +++++++++++++++---- 2 files changed, 76 insertions(+), 17 deletions(-) diff --git a/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec b/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec index ec98ea66e73..a1412372eee 100644 --- a/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec +++ b/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec 
@@ -11,7 +11,7 @@ Summary: Signed HvLoader.efi for %{buildarch} systems Name: edk2-hvloader-signed-%{buildarch} Version: %{GITDATE}git%{GITCOMMIT} -Release: 17%{?dist} +Release: 18%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -74,6 +74,9 @@ popd /boot/efi/HvLoader.efi %changelog +* Mon Jun 15 2026 Azure Linux Security Servicing Account - 20240524git3e722403cd16-18 +- Bump release for consistency with edk2 spec. + * Wed May 06 2026 Sumedh Sharma - 20240524git3e722403cd16-17 - Bump release for consistency with edk2 spec. diff --git a/SPECS/edk2/CVE-2026-34182.patch b/SPECS/edk2/CVE-2026-34182.patch index a0cae54d902..40f5ed9220f 100644 --- a/SPECS/edk2/CVE-2026-34182.patch +++ b/SPECS/edk2/CVE-2026-34182.patch @@ -7,29 +7,33 @@ Subject: [PATCH] Reject potentially forged encrypted CMS AuthEnvelopedData Signed-off-by: rpm-build Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/7947e6a81eb8776802f159fb6762cb7fcf7e34c7.patch --- - .../Library/OpensslLib/openssl/crypto/cms/cms_enc.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) + .../OpensslLib/openssl/crypto/cms/cms_enc.c | 18 +++++++++++++----- + .../OpensslLib/openssl/crypto/cms/cms_env.c | 7 ++++--- + .../OpensslLib/openssl/crypto/cms/cms_local.h | 2 +- + 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c -index a3909ba..3da0a96 100644 +index a3909ba..64f7389 100644 --- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c 
+++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_enc.c -@@ -37,10 +37,12 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, - size_t tkeylen = 0; - int ok = 0; - int enc, keep_key = 0; -+ int auth = ec->havenocert == 1; - OSSL_LIB_CTX *libctx = ossl_cms_ctx_get0_libctx(cms_ctx); - const char *propq = ossl_cms_ctx_get0_propq(cms_ctx); +@@ -22,7 +22,8 @@ + /* Return BIO based on EncryptedContentInfo and key */ - enc = ec->cipher ? 1 : 0; -+ auth |= (OBJ_obj2nid(ec->contentType) == NID_id_smime_ct_authEnvelopedData); - - b = BIO_new(BIO_f_cipher()); - if (b == NULL) { -@@ -100,12 +102,15 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, + BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, +- const CMS_CTX *cms_ctx) ++ const CMS_CTX *cms_ctx, ++ int auth) + { + BIO *b; + EVP_CIPHER_CTX *ctx; +@@ -99,13 +100,20 @@ BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, + goto err; } if ((EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) { ++ if (!auth) { ++ ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA); ++ goto err; ++ } piv = aparams.iv; - if (ec->taglen > 0 - && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 
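Review bot: The new guard `ERR_raise(ERR_LIB_CMS, CMS_R_CIPHER_AEAD_IN_ENVELOPED_DATA);` in the AEAD branch references a reason code that nothing in this patch defines, and the updated diffstat lists only cms_enc.c, cms_env.c and cms_local.h. Unless the OpenSSL tree vendored under CryptoPkg/Library/OpensslLib already declares that code in its cmserr.h and carries a string for it in the cms_err.c reason table, the CryptoPkg build will fail on this line, so please confirm against the vendored headers or extend the backport with the reason-code definition. The same check applies to `CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM`, which the `else if (auth)` branch kept from the first revision of this patch raises. The body of ossl_cms_EncryptedContent_init_bio continues past both ends of this hunk.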
@@ -46,6 +50,58 @@ index a3909ba..3da0a96 100644 } } len = EVP_CIPHER_CTX_get_key_length(ctx); +@@ -250,5 +258,5 @@ BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms) + if (enc->encryptedContentInfo->cipher && enc->unprotectedAttrs) + enc->version = 2; + return ossl_cms_EncryptedContent_init_bio(enc->encryptedContentInfo, +- ossl_cms_get0_cmsctx(cms)); ++ ossl_cms_get0_cmsctx(cms), 0); + } +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_env.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_env.c +index 156a3f7..cb11d8c 100644 +--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_env.c ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_env.c +@@ -1111,7 +1111,8 @@ static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms) + { + CMS_EncryptedContentInfo *ec = cms->d.envelopedData->encryptedContentInfo; + BIO *contentBio = ossl_cms_EncryptedContent_init_bio(ec, +- ossl_cms_get0_cmsctx(cms)); ++ ossl_cms_get0_cmsctx(cms), ++ 0); + EVP_CIPHER_CTX *ctx = NULL; + + if (contentBio == NULL) +@@ -1147,7 +1148,7 @@ static BIO *cms_EnvelopedData_Encryption_init_bio(CMS_ContentInfo *cms) + /* Get BIO first to set up key */ + + ec = env->encryptedContentInfo; +- ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms)); ++ ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms), 0); + + /* If error end of processing */ + if (!ret) +@@ -1199,7 +1200,7 @@ BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms) + ec->tag = aenv->mac->data; + ec->taglen = aenv->mac->length; + } +- ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms)); ++ ret = ossl_cms_EncryptedContent_init_bio(ec, ossl_cms_get0_cmsctx(cms), 1); + + /* If error or no cipher end of processing */ + if (ret == NULL || ec->cipher == NULL) +diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_local.h b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_local.h +index 15b4a29..6f6f954 100644 
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_local.h ++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/cms/cms_local.h +@@ -429,7 +429,7 @@ int ossl_cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert); + int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert); + + BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, +- const CMS_CTX *ctx); ++ const CMS_CTX *ctx, int auth); + BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms); + int ossl_cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, + const EVP_CIPHER *cipher, -- 2.45.4
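Review bot: The `int auth` parameter added to the `ossl_cms_EncryptedContent_init_bio` prototype in cms_local.h has no comment, and every call site in cms_env.c and cms_enc.c passes a bare `0` or `1`, so a reader cannot tell what the flag selects without opening cms_enc.c. A one-line comment above the prototype would fix that, e.g. `/* auth: nonzero when the content is AuthEnvelopedData; an AEAD cipher is rejected otherwise */`. It is also worth recording in the patch description that `ossl_cms_EncryptedData_init_bio` and both EnvelopedData paths now pass 0, so EncryptedData/EnvelopedData carrying an AEAD content-encryption algorithm is refused where the removed `if (ec->taglen > 0` check appears to have let it proceed with no tag set; the subject line mentions only AuthEnvelopedData.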