[AutoPR- Security] Patch edk2 for CVE-2026-22795, CVE-2025-69421, CVE-2025-69419, CVE-2025-69420 [HIGH] (#15763)

Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 3 people

SPECS/edk2/CVE-2025-69419.patch

@@ -0,0 +1,49 @@
+From 56d62202357855589885daaa4deb5b97c635a250 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 9 Feb 2026 09:14:39 +0000
+Subject: [PATCH] Check return code of UTF8_putc in a_strex.c and p12_utl.c;
+ handle failures gracefully (backport)
+
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296.patch
+---
+ CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c  | 6 ++++--
+ .../Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c      | 5 +++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c
+index 4879b33..b852e06 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/asn1/a_strex.c
+@@ -203,8 +203,10 @@ static int do_buf(unsigned char *buf, int buflen,
+             orflags = CHARTYPE_LAST_ESC_2253;
+         if (type & BUF_TYPE_CONVUTF8) {
+             unsigned char utfbuf[6];
+-            int utflen;
+-            utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
++            int utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
++
++            if (utflen < 0)
++                return -1; /* error happened with UTF8 */
+             for (i = 0; i < utflen; i++) {
+                 /*
+                  * We don't need to worry about setting orflags correctly
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c
+index 43b9e3a..4998fcc 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_utl.c
+@@ -207,6 +207,11 @@ char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen)
+     /* re-run the loop emitting UTF-8 string */
+     for (asclen = 0, i = 0; i < unilen; ) {
+         j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i);
++        /* when UTF8_putc fails */
++        if (j < 0) {
++            OPENSSL_free(asctmp);
++            return NULL;
++        }
+         if (j == 4) i += 4;
+         else        i += 2;
+         asclen += j;
+-- 
+2.45.4
+

SPECS/edk2/CVE-2025-69420.patch

@@ -0,0 +1,37 @@
+From 3268f491a18d4567460ebc7e284ce2da9778bf18 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 9 Feb 2026 09:13:29 +0000
+Subject: [PATCH] Verify ASN1 object's types before accessing sequence in
+ ess_get_signing_cert/v2 to avoid invalid type access.
+
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/ea8fc4c345fbd749048809c9f7c881ea656b0b94.patch
+---
+ .../Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c      | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c
+index c2e7abd..156958c 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/ts/ts_rsp_verify.c
+@@ -262,7 +262,7 @@ static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si)
+     ASN1_TYPE *attr;
+     const unsigned char *p;
+     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
+-    if (!attr)
++    if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+         return NULL;
+     p = attr->value.sequence->data;
+     return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
+@@ -274,7 +274,7 @@ static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si)
+     const unsigned char *p;
+ 
+     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
+-    if (attr == NULL)
++    if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+         return NULL;
+     p = attr->value.sequence->data;
+     return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
+-- 
+2.45.4
+

SPECS/edk2/CVE-2025-69421.patch

@@ -0,0 +1,36 @@
+From 3a1e9f9341230d304e7ce341c651188bd6af93f8 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 9 Feb 2026 09:13:55 +0000
+Subject: [PATCH] PKCS12_item_decrypt_d2i_ex(): Check oct argument for NULL
+
+Fixes CVE-2025-69421
+
+(cherry picked from commit 2c13bf15286328641a805eb3b7c97e27d42881fb)
+
+Backport: This tree lacks PKCS12_item_decrypt_d2i_ex and ERR_raise, so we add the NULL check in PKCS12_item_decrypt_d2i and report ERR_R_PASSED_NULL_PARAMETER via PKCS12err.
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: AI Backport of https://github.com/openssl/openssl/commit/2c13bf15286328641a805eb3b7c97e27d42881fb.patch
+---
+ .../Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c     | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c
+index 3c86058..bb9491c 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_decr.c
+@@ -88,6 +88,12 @@ void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it,
+     void *ret;
+     int outlen;
+ 
++
++    if (oct == NULL) {
++        PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I, ERR_R_PASSED_NULL_PARAMETER);
++        return NULL;
++    }
++
+     if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
+                           &out, &outlen, 0)) {
+         PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
+-- 
+2.45.4
+

SPECS/edk2/CVE-2026-22795.patch

@@ -0,0 +1,77 @@
+From 1bef0f0a772f6b8229d1bcc85187a076394aa468 Mon Sep 17 00:00:00 2001
+From: Bob Beck <beck@openssl.org>
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Ensure ASN1 types are checked before use.
+
+Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8
+this fix includes the other fixes in that commit, as well as fixes for others found by a scan
+for a similar unvalidated access paradigm in the tree.
+
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/29582)
+
+Signed-off-by: rpm-build <rpm-build>
+Upstream-reference: https://github.com/openssl/openssl/commit/572844beca95068394c916626a6d3a490f831a49.patch
+---
+ CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c   |  3 ++-
+ .../OpensslLib/openssl/crypto/pkcs12/p12_kiss.c        | 10 ++++++++--
+ .../Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c |  2 ++
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
+index 83b3fc9..99f7eb0 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/apps/s_client.c
+@@ -2688,8 +2688,9 @@ int s_client_main(int argc, char **argv)
+                 goto end;
+             }
+             atyp = ASN1_generate_nconf(genstr, cnf);
+-            if (atyp == NULL) {
++        if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
+                 NCONF_free(cnf);
++            ASN1_TYPE_free(atyp);
+                 BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
+                 goto end;
+             }
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
+index 7ab9838..d90404d 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs12/p12_kiss.c
+@@ -183,11 +183,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+     ASN1_BMPSTRING *fname = NULL;
+     ASN1_OCTET_STRING *lkid = NULL;
+ 
+-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
++    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
++        if (attrib->type != V_ASN1_BMPSTRING)
++            return 0;
+         fname = attrib->value.bmpstring;
++    }
+ 
+-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
++    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
++        if (attrib->type != V_ASN1_OCTET_STRING)
++            return 0;
+         lkid = attrib->value.octet_string;
++    }
+ 
+     switch (PKCS12_SAFEBAG_get_nid(bag)) {
+     case NID_keyBag:
+diff --git a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+index f63fbc5..4e0eb1e 100644
+--- a/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
++++ b/CryptoPkg/Library/OpensslLib/openssl/crypto/pkcs7/pk7_doit.c
+@@ -1092,6 +1092,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+     ASN1_TYPE *astype;
+     if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
+         return NULL;
++    if (astype->type != V_ASN1_OCTET_STRING)
++        return NULL;
+     return astype->value.octet_string;
+ }
+ 
+-- 
+2.45.4
+

SPECS/edk2/edk2.spec

@@ -45,7 +45,7 @@ ExclusiveArch: x86_64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    45%{?dist}
+Release:    46%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    BSD-2-Clause-Patent and OpenSSL and MIT
 URL:        http://www.tianocore.org
@@ -135,6 +135,10 @@ Patch1005: vendored-openssl-1.1.1-Only-free-the-read-buffers-if-we-re-not-using-
 Patch1006: CVE-2022-4304.patch
 Patch1007: CVE-2025-3770.patch
 Patch1008: CVE-2025-2295.patch
+Patch1009: CVE-2025-69419.patch
+Patch1010: CVE-2025-69420.patch
+Patch1011: CVE-2025-69421.patch
+Patch1012: CVE-2026-22795.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -718,6 +722,9 @@ $tests_ok
 
 
 %changelog
+* Mon Feb 09 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20230301gitf80f052277c8-46
+- Patch for CVE-2026-22795, CVE-2025-69421, CVE-2025-69419, CVE-2025-69420
+
 * Tue Jan 06 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20230301gitf80f052277c8-45
 - Patch for CVE-2025-2295