Debian Patches

Status for libwebsockets/4.3.5-1+deb13u1

Patch Description Author Forwarded Bugs Origin Last update
CVE-2025-11677.patch NN-2025-0102: UAF depending on upgrade allowed

This document contains sensitive information collected during our
security research activities related to the Libwebsockets library
maintained by Andy Green (warmcat).

+-------------------------------------------------------------------------------------------------------+
| Report information |
+:===================================:+:===============================================================:+
| Vendor | warmcat |
+-------------------------------------+-----------------------------------------------------------------+
| Vendor URL | https://libwebsockets.org/git/libwebsockets |
+-------------------------------------+-----------------------------------------------------------------+
| Affected component | libwebsockets |
+-------------------------------------+-----------------------------------------------------------------+
| Affected version | 4.4 |
+-------------------------------------+-----------------------------------------------------------------+
| Vulnerability | CWE-416: Use After Free |
+-------------------------------------+-----------------------------------------------------------------+
| Proposed CVSS v3.1 Base Score | 6.0 |
+-------------------------------------+-----------------------------------------------------------------+
| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
+-------------------------------------+-----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
| Security Researcher(s) |
+:===================================:+:=====================================:+
| Name | Email address |
+-------------------------------------+---------------------------------------+
| Raffaele Bova | labs-advisory@nozominetworks.com |
+-------------------------------------+---------------------------------------+

Libwebsockets is a C library that provides client and server
implementations of various protocols (e.g., HTTP, websockets, MQTT) and
more.

Nozomi Networks Lab discovered a "CWE-416: Use After Free" in the latest
software version of libwebsockets, specifically in the WebSocket server
implementation.

Depending on the use of the API, the vulnerability may allow an attacker
to read or write data, which could cause a loss of integrity or
availability.

The issue is in the `lws_handshake_protocol` function: when the upgrade
header is not valid, the function calls `lws_http_transaction_completed`,
which frees some of the data in the wsi structure, and then it calls
`user_callback_handle_rxflow` passing the `up` pointer, which is used in
the following strcasecmp calls.

From our understanding, for this vulnerability to have a meaningful
impact, a user that implements the Websocket server must provide a user
callback function which is going to handle
`LWS_CALLBACK_HTTP_CONFIRM_UPGRADE` while ignoring the length and doing
operations on the `up` pointer.

It is possible to compile the minimal websocket server with
AddressSanitizer to quickly verify the use-after-free.

From our understanding of the code, if the upgrade header does not match
the intended contents, then the code after the if statement in which
`lws_http_transaction_completed` is called should not be executed; thus,
simply enclosing all that code in the else branch solves the issue.

Author: Nozomi Network Labs <labs-advisory@nozominetworks.com> | Forwarded: no | Last update: 2025-09-24
CVE-2025-11678.patch NN-2025-0103: ADNS crafted response overflow

This document contains sensitive information collected during our
security research activities related to the Libwebsockets library made
by Andy Green (warmcat).

+-------------------------------------------------------------------------------------------------------+
| Report information |
+:===================================:+:===============================================================:+
| Vendor | warmcat |
+-------------------------------------+-----------------------------------------------------------------+
| Vendor URL | https://libwebsockets.org/git/libwebsockets |
+-------------------------------------+-----------------------------------------------------------------+
| Affected component | Ecostruxure Automation Expert |
+-------------------------------------+-----------------------------------------------------------------+
| Affected version | 4.4 |
+-------------------------------------+-----------------------------------------------------------------+
| Vulnerability | CWE-121: Stack-based Buffer Overflow |
+-------------------------------------+-----------------------------------------------------------------+
| Proposed CVSS v3.1 Base Score | 7.5 |
+-------------------------------------+-----------------------------------------------------------------+
| Proposed CVSS v3.1 Vector | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
+-------------------------------------+-----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
| Security Researcher(s) |
+:===================================:+:=====================================:+
| Name | Email address |
+-------------------------------------+---------------------------------------+
| Raffaele Bova | labs-advisory@nozominetworks.com |
+-------------------------------------+---------------------------------------+

Libwebsockets is a C library that provides client and server
implementations of various protocols (e.g., HTTP, websockets, MQTT) and
more.

Nozomi Networks Lab discovered a "CWE-121: Stack-based Buffer Overflow"
in the latest software version of libwebsockets, specifically in the
async-dns component.

The vulnerability allows an attacker who can inspect DNS requests made
by the victim (e.g., by being on the same wireless network) to forge a DNS
response packet that overflows the stack and may lead to arbitrary code
execution (depending on the platform and compiler options).

The issue resides in the `lws_adns_parse_label` function in
`lib/system/async-dns/async-dns-parse.c`; this function iteratively parses
a label, but it does not correctly check the number of bytes written
to the destination buffer.

Specifically, the size of the dest output buffer is given by the `dl`
argument; however, when each substring of the label is read, only the
length of the current substring is checked against the destination
buffer size, and the bytes already written by the previous substrings
are not accounted for.

This means that a label of arbitrary size and content can be supplied
and is copied onto the stack, provided it is split into substrings each
of size less than `dl`.

To trigger the vulnerability an attacker must be able to sniff the DNS
request packet in order to send a response with a matching identifier;
otherwise the implementation correctly ignores the response.

We have provided a harness for testing; for ease of use, copy the harness
into a subdirectory, for example minimal-examples-lowlevel/api-tests/,
and build it:

```sh
cmake -B build -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SSL=0 \
  -DCMAKE_C_FLAGS="-fsanitize=address" . && make -C build lws-test-async-dns
```

Then it can be run with `./build/bin/lws-test-async-dns < poc_stackbof`.

![Address sanitizer report of stack buffer overflow](./NN-2025-0103_image.png)

We suggest keeping track of the number of bytes currently written to the
dest buffer; this could be done by saving the original dest pointer,
decrementing dl on each substring memcpy, or using an auxiliary
variable.

Author: Nozomi Network Labs <labs-advisory@nozominetworks.com> | Forwarded: no | Last update: 2025-09-24
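As an added illustration (not lws code and not the Debian patch), the following C model contrasts the per-substring bound described above with a cumulative one that counts the bytes already written plus the separator and trailing NUL. `parse_label`, `demo_benign` and `demo_crafted` are hypothetical names, the sample names are constructed, and DNS compression pointers are out of scope.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Illustrative model, not lws code. Copies a DNS name (length-prefixed substrings
 * ending in a 0 byte) from pkt into dest as "a.b.c"; returns bytes written (no NUL)
 * or -1. cumulative == 0 applies the flawed rule from the advisory (only the current
 * substring is compared to dl); cumulative != 0 also counts earlier bytes, '.' and NUL. */
int parse_label(const uint8_t *pkt, size_t len, char *dest, size_t dl, int cumulative)
{
    size_t pos = 0, written = 0;
    while (pos < len && dl) {
        uint8_t sl = pkt[pos++];
        if (sl == 0) {                              /* end of name */
            dest[written] = '\0';
            return (int)written;
        }
        if ((sl & 0xC0) || pos + sl > len) return -1;   /* compression ptr (out of scope) or truncated */
        if (cumulative ? (written + (written ? 1 : 0) + sl + 1 > dl) : ((size_t)sl + 1 > dl))
            return -1;                              /* would not fit in dl */
        if (written) dest[written++] = '.';
        memcpy(dest + written, pkt + pos, sl);
        written += sl; pos += sl;
    }
    return -1;                                      /* no terminating 0 byte */
}

/* Constructed sample: "www.example.com" in wire form into a 32-byte dest.
 * Returns 1 if the cumulative rule parses it to the expected text. */
int demo_benign(void)
{
    static const uint8_t name[] = {3,'w','w','w',7,'e','x','a','m','p','l','e',3,'c','o','m',0};
    char dest[32];
    return parse_label(name, sizeof name, dest, sizeof dest, 1) == 15
        && strcmp(dest, "www.example.com") == 0;
}

/* Constructed crafted name: three 20-byte substrings, claimed dest size 32. Each
 * substring passes the flawed check (20 + 1 <= 32), so 62 bytes are written, beyond
 * the claimed size; the real buffer is 128 bytes so this demo stays in bounds.
 * Returns 62, or -1 if the cumulative rule also accepted the name. */
int demo_crafted(void)
{
    uint8_t pkt[80]; char dest[128]; size_t pos = 0;
    for (int i = 0; i < 3; i++) { pkt[pos++] = 20; memset(pkt + pos, 'A', 20); pos += 20; }
    pkt[pos++] = 0;
    if (parse_label(pkt, pos, dest, 32, 1) != -1)   /* corrected rule must reject it */
        return -1;
    return parse_label(pkt, pos, dest, 32, 0);      /* flawed rule writes 62 bytes */
}
```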
