[AutoPR- Security] Patch edk2 for CVE-2025-2295 [LOW] (#15442)

azurelinux-security · akhila-guruju · Kanishk-Bansal · web-flow · commit 48e633c1ae16 · 2026-01-23T17:46:23.000+05:30
Co-authored-by: akhila-guruju &lt;v-guakhila@microsoft.com&gt;
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec b/SPECS-SIGNED/edk2-hvloader-signed/edk2-hvloader-signed.spec
@@ -11,7 +11,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           edk2-hvloader-signed-%{buildarch}
 Version:        %{GITDATE}git%{GITCOMMIT}
-Release:        11%{?dist}
+Release:        12%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -74,7 +74,10 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
-* Tue Dec 18 2025 Jyoti kanase <v-jykanase@microsoft.com> - 20240524git3e722403cd16-11
+* Tue Jan 06 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20240524git3e722403cd16-12
+- Bump release for consistency with edk2 spec.
+
+* Thu Dec 18 2025 Jyoti kanase <v-jykanase@microsoft.com> - 20240524git3e722403cd16-11
 - Bump release for consistency with edk2 spec.
 
 * Fri Oct 03 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20240524git3e722403cd16-10
diff --git a/SPECS/edk2/CVE-2025-2295.patch b/SPECS/edk2/CVE-2025-2295.patch
@@ -0,0 +1,54 @@
+From 4029abaa6248f603007642077ee067131bb1c050 Mon Sep 17 00:00:00 2001
+From: Madhavan <madavtechy@gmail.com>
+Date: Fri, 14 Mar 2025 14:15:13 -0400
+Subject: [PATCH] NetworkPkg/IScsiDxe:Fix for Remote Memory Exposure in ISCSI
+ bz4206
+
+Used SafeUint32Add to calculate and validate OutTransferLength with
+boundary check in IScsiOnR2TRcvd to avoid integer overflow
+
+Signed-off-by: Madhavan <madavtechy@gmail.com>
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: https://github.com/tianocore/edk2/commit/17cdc512f02a2dfd1b9e24133da56fdda099abda.patch
+---
+ NetworkPkg/IScsiDxe/IScsiProto.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiProto.c
+index ef58764..fb48e63 100644
+--- a/NetworkPkg/IScsiDxe/IScsiProto.c
++++ b/NetworkPkg/IScsiDxe/IScsiProto.c
+@@ -1,7 +1,7 @@
+ /** @file
+   The implementation of iSCSI protocol based on RFC3720.
+ 
+-Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
++Copyright (c) 2004 - 2025, Intel Corporation. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+ 
+ **/
+@@ -2682,6 +2682,7 @@ IScsiOnR2TRcvd (
+   EFI_STATUS               Status;
+   ISCSI_XFER_CONTEXT       *XferContext;
+   UINT8                    *Data;
++  UINT32                   TransferLength;
+ 
+   R2THdr = (ISCSI_READY_TO_TRANSFER *)NetbufGetByte (Pdu, 0, NULL);
+   if (R2THdr == NULL) {
+@@ -2712,7 +2713,12 @@ IScsiOnR2TRcvd (
+   XferContext->Offset            = R2THdr->BufferOffset;
+   XferContext->DesiredLength     = R2THdr->DesiredDataTransferLength;
+ 
+-  if (((XferContext->Offset + XferContext->DesiredLength) > Packet->OutTransferLength) ||
++  Status = SafeUint32Add (XferContext->Offset, XferContext->DesiredLength, &TransferLength);
++  if (EFI_ERROR (Status)) {
++    return EFI_PROTOCOL_ERROR;
++  }
++
++  if ((TransferLength > Packet->OutTransferLength) ||
+       (XferContext->DesiredLength > Tcb->Conn->Session->MaxBurstLength)
+       )
+   {
+-- 
+2.45.4
+
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec
@@ -55,7 +55,7 @@ ExclusiveArch: x86_64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    11%{?dist}
+Release:    12%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain
 URL:        https://www.tianocore.org
@@ -141,6 +141,7 @@ Patch1004: CVE-2024-2511.patch
 Patch1005: CVE-2024-4603.patch
 Patch1006: CVE-2025-3770.patch
 Patch1007: CVE-2025-9230.patch
+Patch1008: CVE-2025-2295.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -802,7 +803,10 @@ done
 /boot/efi/HvLoader.efi
 
 %changelog
-* Tue Nov 19 2025 Jyoti kanase <v-jykanase@microsoft.com> - 20240524git3e722403cd16-11
+* Tue Jan 06 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20240524git3e722403cd16-12
+- Patch for CVE-2025-2295
+
+* Thu Dec 18 2025 Jyoti kanase <v-jykanase@microsoft.com> - 20240524git3e722403cd16-11
 - Patch for CVE-2025-2296
 
 * Fri Oct 03 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20240524git3e722403cd16-10
