[AUTO-CHERRYPICK] [AutoPR- Security] Patch hvloader for CVE-2026-22795, CVE-2025-69421, CVE-2025-69420, CVE-2025-69419 [HIGH] - branch main (#15829)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 5 people

SPECS-SIGNED/hvloader-signed/hvloader-signed.spec

@@ -6,7 +6,7 @@
 Summary:        Signed HvLoader.efi for %{buildarch} systems
 Name:           hvloader-signed-%{buildarch}
 Version:        1.0.1
-Release:        17%{?dist}
+Release:        18%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -69,7 +69,10 @@ popd
 /boot/efi/HvLoader.efi
 
 %changelog
-* Mon Feb 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.0.1-17
+* Sun Feb 15 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.0.1-18
+- Bump release for consistency with hvloader spec.
+
+* Mon Feb 09 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.0.1-17
 - Bump release for consistency with hvloader spec.
 
 * Tue Jan 06 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.0.1-16
@@ -78,6 +81,9 @@ popd
 * Thu Nov 20 2025 Jyoti kanase <v-jykanase@microsoft.com> - 1.0.1-15
 - Bump release for consistency with hvloader spec.
 
+* Thu Nov 20 2025 Jyoti kanase <v-jykanase@microsoft.com> - 1.0.1-15
+- Bump release for consistency with hvloader spec.
+
 * Tue Aug 12 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.0.1-14
 - Bump release for consistency with hvloader spec.
 

SPECS/hvloader/CVE-2025-69419.patch

@@ -0,0 +1,56 @@
+From 7c55e722e1ee27020d9e52df9a194c2e3a5ab4de Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 9 Feb 2026 11:04:29 +0000
+Subject: [PATCH] Check return code of UTF8_putc: handle failure in ASN.1
+ string conversion and PKCS12 UTF-8 emission per upstream patch. Preserves
+ comments from patch.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296.patch
+---
+ .../Library/OpensslLib/openssl/crypto/asn1/a_strex.c  |  6 ++++--
+ .../OpensslLib/openssl/crypto/pkcs12/p12_utl.c        | 11 +++++++++--
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c
+index 284dde27..843b0f94 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c
+@@ -203,8 +203,10 @@ static int do_buf(unsigned char *buf, int buflen,
+             orflags = CHARTYPE_LAST_ESC_2253;
+         if (type & BUF_TYPE_CONVUTF8) {
+             unsigned char utfbuf[6];
+-            int utflen;
+-            utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
++            int utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
++
++            if (utflen < 0)
++                return -1; /* error happened with UTF8 */
+             for (i = 0; i < utflen; i++) {
+                 /*
+                  * We don't need to worry about setting orflags correctly
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c
+index 43b9e3a5..1c6b59d5 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c
+@@ -207,8 +207,15 @@ char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen)
+     /* re-run the loop emitting UTF-8 string */
+     for (asclen = 0, i = 0; i < unilen; ) {
+         j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i);
+-        if (j == 4) i += 4;
+-        else        i += 2;
++        /* when UTF8_putc fails */
++        if (j < 0) {
++            OPENSSL_free(asctmp);
++            return NULL;
++        }
++        if (j == 4)
++            i += 4;
++        else
++            i += 2;
+         asclen += j;
+     }
+ 
+-- 
+2.45.4
+

SPECS/hvloader/CVE-2025-69420.patch

@@ -0,0 +1,50 @@
+From dbb834e047a19711836cb61561d9273e89f320fa Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 9 Feb 2026 11:04:59 +0000
+Subject: [PATCH] Verify ASN1 object's types before attempting to access them
+ as a particular type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Issue was reported in ossl_ess_get_signing_cert but is also present in ossl_ess_get_signing_cert_v2.
+
+Fixes: https://github.com/openssl/srt/issues/61
+Fixes CVE-2025-69420
+
+Reviewed-by: Norbert Pocs <norbertp@openssl.org>
+Reviewed-by: Saša Nedvědický <sashan@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+MergeDate: Mon Jan 26 19:53:36 2026
+(cherry picked from commit ea8fc4c345fbd749048809c9f7c881ea656b0b94)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/ea8fc4c345fbd749048809c9f7c881ea656b0b94.patch
+---
+ .../Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c      | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c
+index 7fe3d27e..5d452d26 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c
+@@ -262,7 +262,7 @@ static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si)
+     ASN1_TYPE *attr;
+     const unsigned char *p;
+     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
+-    if (!attr)
++    if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+         return NULL;
+     p = attr->value.sequence->data;
+     return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
+@@ -274,7 +274,7 @@ static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si)
+     const unsigned char *p;
+ 
+     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
+-    if (attr == NULL)
++    if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+         return NULL;
+     p = attr->value.sequence->data;
+     return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
+-- 
+2.45.4
+

SPECS/hvloader/CVE-2025-69421.patch

@@ -0,0 +1,37 @@
+From d69f898077165b522ae19bf1a24b10c7a5367835 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 9 Feb 2026 11:05:00 +0000
+Subject: [PATCH] PKCS12_item_decrypt_d2i(): Check oct argument for NULL
+
+Backport of upstream fix to validate ASN1_OCTET_STRING argument before use.
+Prevents NULL dereference when oct is NULL.
+
+Inspired by upstream patch for PKCS12_item_decrypt_d2i_ex().
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/2c13bf15286328641a805eb3b7c97e27d42881fb.patch
+---
+ .../Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c    | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c
+index 3c860584..85835734 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c
+@@ -88,6 +88,13 @@ void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it,
+     void *ret;
+     int outlen;
+ 
++
++    /* Check oct for NULL to avoid dereferencing a NULL pointer */
++    if (oct == NULL) {
++        PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I, ERR_R_PASSED_NULL_PARAMETER);
++        return NULL;
++    }
++
+     if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
+                           &out, &outlen, 0)) {
+         PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
+-- 
+2.45.4
+

SPECS/hvloader/CVE-2026-22796.patch SPECS/hvloader/CVE-2026-22795.patchSPECS/hvloader/CVE-2026-22796.patch renamed to SPECS/hvloader/CVE-2026-22795.patch

@@ -1,4 +1,4 @@
-From 73b2e98599a813f617b20d5860e2587b385b4aff Mon Sep 17 00:00:00 2001
+From 1cbd2e0aef0cc6f6b6300408835cd6a3078c1ac4 Mon Sep 17 00:00:00 2001
 From: Bob Beck <beck@openssl.org>
 Date: Wed, 7 Jan 2026 11:29:48 -0700
 Subject: [PATCH] Ensure ASN1 types are checked before use.

SPECS/hvloader/CVE-2026-22796.nopatch

@@ -4,7 +4,7 @@
 Summary:        HvLoader.efi is an EFI application for loading an external hypervisor loader.
 Name:           hvloader
 Version:        1.0.1
-Release:        17%{?dist}
+Release:        18%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -37,9 +37,14 @@ Patch19:        CVE-2024-38796.patch
 Patch20:        CVE-2025-3770.patch
 Patch21:        CVE-2025-2296.patch
 Patch22:        CVE-2025-2295.patch
-Patch23:        CVE-2025-68160.patch
-Patch24:        CVE-2025-69418.patch
-Patch25:        CVE-2026-22796.patch
+Patch23:        CVE-2025-69419.patch
+Patch24:        CVE-2025-69420.patch
+Patch25:        CVE-2025-69421.patch
+Patch26:        CVE-2026-22795.patch
+Patch27:        CVE-2025-68160.patch
+Patch28:        CVE-2025-69418.patch
+Patch29:        CVE-2026-22796.nopatch
+
 
 BuildRequires:  bc
 BuildRequires:  gcc
@@ -85,13 +90,17 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{
 /boot/efi/HvLoader.efi
 
 %changelog
-* Mon Feb 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.0.1-17
-- Patch for CVE-2026-22796, CVE-2025-68160, CVE-2025-69418
+* Sun Feb 15 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.0.1-18
+- Patch for CVE-2025-68160, CVE-2025-69418
+- Add nopatch for CVE-2026-22796(CVE-2026-22795 already has the fix)
+
+* Mon Feb 09 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.0.1-17
+- Patch for CVE-2026-22795, CVE-2025-69421, CVE-2025-69420, CVE-2025-69419
 
 * Tue Jan 06 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.0.1-16
 - Patch for CVE-2025-2295
 
-* Wed Nov 20 2025 Jyoti kanase <v-jykanase@microsoft.com> - 1.0.1-15
+* Thu Nov 20 2025 Jyoti kanase <v-jykanase@microsoft.com> - 1.0.1-15
 - Patch for CVE-2025-2296
 
 * Tue Aug 12 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.0.1-14