Version in base suite: 4.3.5-1 Base version: libwebsockets_4.3.5-1 Target version: libwebsockets_4.3.5-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libw/libwebsockets/libwebsockets_4.3.5-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libw/libwebsockets/libwebsockets_4.3.5-1+deb13u1.dsc changelog | 7 ++ patches/CVE-2025-11677.patch | 148 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2025-11678.patch | 115 +++++++++++++++++++++++++++++++++ patches/series | 2 4 files changed, 272 insertions(+) gpgv: Signature made Wed Nov 5 19:19:42 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp9wn1r1of/libwebsockets_4.3.5-1+deb13u1.dsc: no acceptable signature found diff -Nru libwebsockets-4.3.5/debian/changelog libwebsockets-4.3.5/debian/changelog --- libwebsockets-4.3.5/debian/changelog 2025-03-08 15:27:20.000000000 +0000 +++ libwebsockets-4.3.5/debian/changelog 2025-11-03 23:02:18.000000000 +0000 @@ -1,3 +1,10 @@ +libwebsockets (4.3.5-1+deb13u1) trixie; urgency=medium + + * CVE-2025-11677 (Closes: #1118747) + * CVE-2025-11678 (Closes: #1118746) + + -- Moritz Mühlenhoff Tue, 04 Nov 2025 00:02:18 +0100 + libwebsockets (4.3.5-1) unstable; urgency=medium * New upstream release. diff -Nru libwebsockets-4.3.5/debian/patches/CVE-2025-11677.patch libwebsockets-4.3.5/debian/patches/CVE-2025-11677.patch --- libwebsockets-4.3.5/debian/patches/CVE-2025-11677.patch 1970-01-01 00:00:00.000000000 +0000 +++ libwebsockets-4.3.5/debian/patches/CVE-2025-11677.patch 2025-11-03 23:02:18.000000000 +0000 
@@ -0,0 +1,148 @@ +Author: Nozomi Network Labs +Date: Wed Sep 24 12:46:24 2025 +0100 + +NN-2025-0102: UAF depending on upgrade allowed + +This document contains sensitive information collected during our +security research activities related with the Libwebsockets library +maintained by Andy Green (warmcat). + ++-------------------------------------------------------------------------------------------------------+ +| Report information | ++:===================================:+:===============================================================:+ +| Vendor | warmcat | ++-------------------------------------+-----------------------------------------------------------------+ +| Vendor URL | https://libwebsockets.org/git/libwebsockets | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected component | libwebsockets | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected version | 4.4 | ++-------------------------------------+-----------------------------------------------------------------+ +| Vulnerability | CWE-416: Use After Free | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Base Score | 6.0 | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N | ++-------------------------------------+-----------------------------------------------------------------+ + ++-----------------------------------------------------------------------------+ +| Security Researcher(s) | ++:===================================:+:=====================================:+ +| Name | **Email address** | ++-------------------------------------+---------------------------------------+ +| Raffaele Bova | labs-advisory@nozominetworks.com | 
++-------------------------------------+---------------------------------------+ + +Libwebsockes is a C library that provides client and server +implementation for various protocols (e.g., HTTP, websockets, MQTT) and +more. + +Nozomi Networks Lab discovered a "CWE-416: Use After Free" in the latest +software version of libwebsockets, specifically in the WebSocket server +implementation. + +Depending on the use of the API, the vulnerability may allow an attacker +to read or write data, that could cause a loss of integrity or +availability. + +The issue is caused by the `lws_handshake_protocol` function, specifically +when the upgrade header is not valid, the function calls +`lws_http_transaction_completed`, which frees some of the data in the wsi +structure, then it calls `user_callback_handle_rxflow` passing the up +pointer and uses it on following strcasecmp calls. + +From our understanding, for this vulnerability to have a meaningful +impact, a user that implements the Websocket server, must provide a user +callback function which is going to handle +`LWS_CALLBACK_HTTP_CONFIRM_UPGRADE`, while ignoring the length and doing +operations on the up pointer. + +It is possible to compile the minimal websocket server using address +sanitizer, to quickly verify the use after free. + +From our understanding of the code, if the upgrade header does not match +the intended contents, then the code after the if statement when +`lws_http_transaction_completed` is called, should not be executed, thus +simply enclosing all that code in the else branch solves the issue. 
+ +--- libwebsockets-4.3.5.orig/lib/roles/http/server/server.c ++++ libwebsockets-4.3.5/lib/roles/http/server/server.c +@@ -2377,49 +2377,49 @@ raw_transition: + HTTP_STATUS_FORBIDDEN, NULL) || + lws_http_transaction_completed(wsi)) + goto bail_nuke_ah; +- } +- +- n = user_callback_handle_rxflow(wsi->a.protocol->callback, +- wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, +- wsi->user_space, (char *)up, 0); ++ } else { ++ n = user_callback_handle_rxflow(wsi->a.protocol->callback, ++ wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE, ++ wsi->user_space, (char *)up, 0); + +- /* just hang up? */ ++ /* just hang up? */ + +- if (n < 0) +- goto bail_nuke_ah; ++ if (n < 0) ++ goto bail_nuke_ah; + +- /* callback returned headers already, do t_c? */ ++ /* callback returned headers already, do t_c? */ + +- if (n > 0) { +- if (lws_http_transaction_completed(wsi)) ++ if (n > 0) { ++ if (lws_http_transaction_completed(wsi)) + goto bail_nuke_ah; + +- /* continue on */ ++ /* continue on */ + +- return 0; +- } ++ return 0; ++ } + +- /* callback said 0, it was allowed */ ++ /* callback said 0, it was allowed */ + +- if (wsi->a.vhost->options & +- LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK && +- lws_confirm_host_header(wsi)) +- goto bail_nuke_ah; ++ if (wsi->a.vhost->options & ++ LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK && ++ lws_confirm_host_header(wsi)) ++ goto bail_nuke_ah; + +- if (!strcasecmp(up, "websocket")) { ++ if (!strcasecmp(up, "websocket")) { + #if defined(LWS_ROLE_WS) +- lws_metrics_tag_wsi_add(wsi, "upg", "ws"); +- lwsl_info("Upgrade to ws\n"); +- goto upgrade_ws; ++ lws_metrics_tag_wsi_add(wsi, "upg", "ws"); ++ lwsl_info("Upgrade to ws\n"); ++ goto upgrade_ws; + #endif +- } ++ } + #if defined(LWS_WITH_HTTP2) +- if (!strcasecmp(up, "h2c")) { +- lws_metrics_tag_wsi_add(wsi, "upg", "h2c"); +- lwsl_info("Upgrade to h2c\n"); +- goto upgrade_h2c; +- } ++ if (!strcasecmp(up, "h2c")) { ++ lws_metrics_tag_wsi_add(wsi, "upg", "h2c"); ++ lwsl_info("Upgrade to h2c\n"); ++ goto upgrade_h2c; 
++ } + #endif ++ } + } + + /* no upgrade ack... he remained as HTTP */ diff -Nru libwebsockets-4.3.5/debian/patches/CVE-2025-11678.patch libwebsockets-4.3.5/debian/patches/CVE-2025-11678.patch --- libwebsockets-4.3.5/debian/patches/CVE-2025-11678.patch 1970-01-01 00:00:00.000000000 +0000 +++ libwebsockets-4.3.5/debian/patches/CVE-2025-11678.patch 2025-11-03 23:02:18.000000000 +0000 
@@ -0,0 +1,115 @@ +Author: Nozomi Network Labs +Date: Wed Sep 24 13:30:38 2025 +0100 + +NN-2025-0103: ADNS crafted response overflow + +This document contains sensitive information collected during our +security research activities related with the Libwebsockets library made +by Andy Green (warmcat). + ++-------------------------------------------------------------------------------------------------------+ +| Report information | ++:===================================:+:===============================================================:+ +| Vendor | warmcat | ++-------------------------------------+-----------------------------------------------------------------+ +| Vendor URL | https://libwebsockets.org/git/libwebsockets | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected component | Ecostruxure Automation Expert | ++-------------------------------------+-----------------------------------------------------------------+ +| Affected version | 4.4 | ++-------------------------------------+-----------------------------------------------------------------+ +| Vulnerability | CWE-121: Stack-based Buffer Overflow | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Base Score | 7.5 | ++-------------------------------------+-----------------------------------------------------------------+ +| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | ++-------------------------------------+-----------------------------------------------------------------+ + ++-----------------------------------------------------------------------------+ +| Security Researcher(s) | ++:===================================:+:=====================================:+ +| Name | **Email address** | ++-------------------------------------+---------------------------------------+ +| Raffaele Bova | 
labs-advisory@nozominetworks.com | ++-------------------------------------+---------------------------------------+ + +**\** + +Libwebsockes is a C library that provides client and server +implementation for various protocols (e.g., HTTP, websockets, MQTT) and +more. + +Nozomi Networks Lab discovered a "CWE-121: Stack-based Buffer Overflow" +in the latest software version of libwebsockets, specifically in the +async-dns component. + +The vulnerability allows an attacker that can inspect DNS requests made +by the victim (e.g. being in the same wireless network) to forge a DNS +response packet that overflows the stack and may lead to arbitrary code +execution (depending on the platform and compiler options). + +The issue resides in `lws_adns_parse_label` function in +`lib/system/async-dns/async-dns-parse.c`; this function iteratively parses +a label however it does not correctly check the number of bytes written +in the destination buffer. + +Specifically, the size of the dest output buffer is specified in the `dl` +argument, however during the read of each substring of the label only +the length of the current substring of the label is accounted for not +overflowing the destination buffer, but previous reads are not accounted +for. + +This means that a label of arbitrary size and content can be supplied +and is copied onto the stack, however it must be split into substrings +of size less than `dl`. + +To trigger the vulnerability an attacker must be able to sniff the DNS +request packet to send a response with a matching identifier, otherwise +the implantation correctly ignores the response. + +We have provided a harness for testing, for ease of use copy the harness +in a subdirectory, for example in minimal-examples-lowlevel/api-tests/, +and build it + +``` +cmake -B build -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SSL=0 +-DCMAKE_C_FLAGS="-fsanitize=address" . 
&& make -C build lws-test-async-dns +``` + +Then it can be run `./build/bin/lws-test-async-dns < poc_stackbof` + +![Address sanitizer report of stack buffer overflow](./NN-2025-0103_image.png) + +We suggest keeping track of the number of bytes currently written on the +dest buffer, this could be done by saving the original dest pointer, +decrementing dl on each substring memcpy, or using an auxiliary +variable. + +--- libwebsockets-4.3.5.orig/lib/system/async-dns/async-dns-parse.c ++++ libwebsockets-4.3.5/lib/system/async-dns/async-dns-parse.c +@@ -35,7 +35,7 @@ lws_adns_parse_label(const uint8_t *pkt, + const uint8_t *e = pkt + len, *ols = ls; + char pointer = 0, first = 1; + uint8_t ll; +- int n; ++ int n, readsize = 0; + + if (budget < 1) + return 0; +@@ -88,7 +88,7 @@ again1: + return -1; + } + +- if ((unsigned int)ll + 2 > dl) { ++ if ((unsigned int)(ll + 2 + readsize) > dl) { + lwsl_notice("%s: qname too large\n", __func__); + + return -1; +@@ -101,6 +101,7 @@ again1: + (*dest)[ll + 1] = '\0'; + *dest += ll + 1; + ls += ll; ++ readsize += ll + 1; + + if (pointer) { + if (*ls) diff -Nru libwebsockets-4.3.5/debian/patches/series libwebsockets-4.3.5/debian/patches/series --- libwebsockets-4.3.5/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ libwebsockets-4.3.5/debian/patches/series 2025-11-03 23:02:18.000000000 +0000 @@ -0,0 +1,2 @@ +CVE-2025-11677.patch +CVE-2025-11678.patch
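Review bot: the two bullets in the debian/changelog hunk name only the CVE ids and bug numbers, with no hint of what was fixed, so `apt changelog` readers learn nothing; Debian practice is a one-line summary per issue, e.g. `* CVE-2025-11677: use-after-free in lws_handshake_protocol on an invalid Upgrade header (Closes: #1118747)` and `* CVE-2025-11678: stack buffer overflow in lws_adns_parse_label on a crafted DNS response (Closes: #1118746)`, both taken from the patch descriptions in this same debdiff.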
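Review bot: the CVE-2025-11677.patch hunk ships the vendor advisory verbatim as its header and has no DEP-3 metadata (no Origin:, Bug-Debian: #1118747 or Forwarded: line), and the embedded advisory table is internally inconsistent: it lists "Affected version 4.4" while this patch is applied to 4.3.5, and the row labelled "Proposed CVSS v3.1 Vector" contains a CVSS:4.0 string. Please trim the header to a short Description (the root cause is stated well in the text: lws_http_transaction_completed(wsi) frees data the `up` pointer refers to, and user_callback_handle_rxflow plus the strcasecmp(up, ...) calls then use it) and add the DEP-3 fields. On the code change itself the else branch is the right fix: the callback and both strcasecmp(up, ...) checks now run only when the Upgrade validation did not call lws_http_transaction_completed(wsi). One thing to confirm in review is the new fall-through: when the validation branch completes the transaction without hitting bail_nuke_ah, control now continues at the "/* no upgrade ack... he remained as HTTP */" code after the closing brace, which previously was reached only after the callback path; that code is not in the hunk, so please verify it tolerates an already completed transaction.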
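Review bot: in the CVE-2025-11678.patch hunk `readsize` is declared `int` in `int n, readsize = 0;` but is only ever used through the cast `(unsigned int)(ll + 2 + readsize) > dl`; declaring it `unsigned int` (or the type of `dl`) removes the signed/unsigned mix and the cast, and the bound check before every copy keeps it below `dl` so it cannot wrap. The arithmetic is right as written: each segment writes `ll` label bytes and then a NUL at `(*dest)[ll + 1]`, i.e. `ll + 2` bytes past the current `*dest`, and `readsize += ll + 1` tracks exactly the `*dest += ll + 1` advance, so `readsize + ll + 2 <= dl` is the correct condition; since `readsize` is reset only at function entry it also keeps counting across the compression-pointer path (`if (pointer)`), which is what is needed because `*dest` keeps advancing there too. Separately, the embedded advisory has a copy-paste error, "Affected component | Ecostruxure Automation Expert" (the text itself says the component is libwebsockets' async-dns parser), plus markdown residue (`**\**`, the `![...](./NN-2025-0103_image.png)` image) and references to a test harness and `poc_stackbof` input that are not part of this upload; replace it with a DEP-3 Description of the off-by-accumulation bug and a Bug-Debian: #1118746 line.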