{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"edk2 security update", "category":"general", "title":"Synopsis" }, { "text":"An update for edk2 is now available for openEuler-24.03-LTS", "category":"general", "title":"Summary" }, { "text":"EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications.\n\nSecurity Fix(es):\n\nIssue summary: Calling PKCS12_get_friendlyname() function on a maliciously\ncrafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing\nnon-ASCII BMP code point can trigger a one byte write before the allocated\nbuffer.\n\nImpact summary: The out-of-bounds write can cause a memory corruption\nwhich can have various consequences including a Denial of Service.\n\nThe OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12\nBMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,\nthe helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16\nsource byte count as the destination buffer capacity to UTF8_putc(). For BMP\ncode points above U+07FF, UTF-8 requires three bytes, but the forwarded\ncapacity can be just two bytes. UTF8_putc() then returns -1, and this negative\nvalue is added to the output length without validation, causing the\nlength to become negative. The subsequent trailing NUL byte is then written\nat a negative offset, causing write outside of heap allocated buffer.\n\nThe vulnerability is reachable via the public PKCS12_get_friendlyname() API\nwhen parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a\ndifferent code path that avoids this issue, PKCS12_get_friendlyname() directly\ninvokes the vulnerable function. Exploitation requires an attacker to provide\na malicious PKCS#12 file to be parsed by the application and the attacker\ncan just trigger a one zero byte write before the allocated buffer.\nFor that reason the issue was assessed as Low severity according to our\nSecurity Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.(CVE-2025-69419)", "category":"general", "title":"Description" }, { "text":"An update for edk2 is now available for openEuler-24.03-LTS.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"edk2", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2026-1664", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1664" }, { "summary":"CVE-2025-69419", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-69419&packageName=edk2" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69419" }, { "summary":"openEuler-SA-2026-1664 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2026/csaf-openeuler-sa-2026-1664.json" } ], "title":"An update for edk2 is now available for openEuler-24.03-LTS", "tracking":{ "initial_release_date":"2026-03-20T22:25:44+08:00", "revision_history":[ { "date":"2026-03-20T22:25:44+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2026-03-20T22:25:44+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2026-03-20T22:25:44+08:00", "id":"openEuler-SA-2026-1664", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"openEuler-24.03-LTS", "name":"openEuler-24.03-LTS" }, "name":"openEuler-24.03-LTS", "category":"product_version" } ], "category":"product_name" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"edk2-debuginfo-202308-31.oe2403.x86_64.rpm", "name":"edk2-debuginfo-202308-31.oe2403.x86_64.rpm" }, "name":"edk2-debuginfo-202308-31.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"edk2-debugsource-202308-31.oe2403.x86_64.rpm", "name":"edk2-debugsource-202308-31.oe2403.x86_64.rpm" }, "name":"edk2-debugsource-202308-31.oe2403.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"edk2-devel-202308-31.oe2403.x86_64.rpm", "name":"edk2-devel-202308-31.oe2403.x86_64.rpm" }, "name":"edk2-devel-202308-31.oe2403.x86_64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"edk2-202308-31.oe2403.src.rpm", "name":"edk2-202308-31.oe2403.src.rpm" }, "name":"edk2-202308-31.oe2403.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"edk2-aarch64-202308-31.oe2403.noarch.rpm", "name":"edk2-aarch64-202308-31.oe2403.noarch.rpm" }, "name":"edk2-aarch64-202308-31.oe2403.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"edk2-help-202308-31.oe2403.noarch.rpm", "name":"edk2-help-202308-31.oe2403.noarch.rpm" }, "name":"edk2-help-202308-31.oe2403.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"edk2-ovmf-202308-31.oe2403.noarch.rpm", "name":"edk2-ovmf-202308-31.oe2403.noarch.rpm" }, "name":"edk2-ovmf-202308-31.oe2403.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"python3-edk2-devel-202308-31.oe2403.noarch.rpm", "name":"python3-edk2-devel-202308-31.oe2403.noarch.rpm" }, "name":"python3-edk2-devel-202308-31.oe2403.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"edk2-debuginfo-202308-31.oe2403.aarch64.rpm", "name":"edk2-debuginfo-202308-31.oe2403.aarch64.rpm" }, "name":"edk2-debuginfo-202308-31.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"edk2-debugsource-202308-31.oe2403.aarch64.rpm", "name":"edk2-debugsource-202308-31.oe2403.aarch64.rpm" }, "name":"edk2-debugsource-202308-31.oe2403.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS" }, "product_id":"edk2-devel-202308-31.oe2403.aarch64.rpm", "name":"edk2-devel-202308-31.oe2403.aarch64.rpm" }, "name":"edk2-devel-202308-31.oe2403.aarch64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"edk2-debuginfo-202308-31.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:edk2-debuginfo-202308-31.oe2403.x86_64", "name":"edk2-debuginfo-202308-31.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"edk2-debugsource-202308-31.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:edk2-debugsource-202308-31.oe2403.x86_64", "name":"edk2-debugsource-202308-31.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"edk2-devel-202308-31.oe2403.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:edk2-devel-202308-31.oe2403.x86_64", "name":"edk2-devel-202308-31.oe2403.x86_64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"edk2-202308-31.oe2403.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:edk2-202308-31.oe2403.src", "name":"edk2-202308-31.oe2403.src as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"edk2-aarch64-202308-31.oe2403.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:edk2-aarch64-202308-31.oe2403.noarch", "name":"edk2-aarch64-202308-31.oe2403.noarch as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"edk2-help-202308-31.oe2403.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:edk2-help-202308-31.oe2403.noarch", "name":"edk2-help-202308-31.oe2403.noarch as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"edk2-ovmf-202308-31.oe2403.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:edk2-ovmf-202308-31.oe2403.noarch", "name":"edk2-ovmf-202308-31.oe2403.noarch as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"python3-edk2-devel-202308-31.oe2403.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:python3-edk2-devel-202308-31.oe2403.noarch", "name":"python3-edk2-devel-202308-31.oe2403.noarch as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"edk2-debuginfo-202308-31.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:edk2-debuginfo-202308-31.oe2403.aarch64", "name":"edk2-debuginfo-202308-31.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"edk2-debugsource-202308-31.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:edk2-debugsource-202308-31.oe2403.aarch64", "name":"edk2-debugsource-202308-31.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS", "product_reference":"edk2-devel-202308-31.oe2403.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS:edk2-devel-202308-31.oe2403.aarch64", "name":"edk2-devel-202308-31.oe2403.aarch64 as a component of openEuler-24.03-LTS" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2025-69419", "notes":[ { "text":"Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously\ncrafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing\nnon-ASCII BMP code point can trigger a one byte write before the allocated\nbuffer.\n\nImpact summary: The out-of-bounds write can cause a memory corruption\nwhich can have various consequences including a Denial of Service.\n\nThe OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12\nBMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes,\nthe helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16\nsource byte count as the destination buffer capacity to UTF8_putc(). For BMP\ncode points above U+07FF, UTF-8 requires three bytes, but the forwarded\ncapacity can be just two bytes. UTF8_putc() then returns -1, and this negative\nvalue is added to the output length without validation, causing the\nlength to become negative. The subsequent trailing NUL byte is then written\nat a negative offset, causing write outside of heap allocated buffer.\n\nThe vulnerability is reachable via the public PKCS12_get_friendlyname() API\nwhen parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a\ndifferent code path that avoids this issue, PKCS12_get_friendlyname() directly\ninvokes the vulnerable function. Exploitation requires an attacker to provide\na malicious PKCS#12 file to be parsed by the application and the attacker\ncan just trigger a one zero byte write before the allocated buffer.\nFor that reason the issue was assessed as Low severity according to our\nSecurity Policy.\n\nThe FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue,\nas the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.\n\nOpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.\n\nOpenSSL 1.0.2 is not affected by this issue.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS:edk2-debuginfo-202308-31.oe2403.x86_64", "openEuler-24.03-LTS:edk2-debugsource-202308-31.oe2403.x86_64", "openEuler-24.03-LTS:edk2-devel-202308-31.oe2403.x86_64", "openEuler-24.03-LTS:edk2-202308-31.oe2403.src", "openEuler-24.03-LTS:edk2-aarch64-202308-31.oe2403.noarch", "openEuler-24.03-LTS:edk2-help-202308-31.oe2403.noarch", "openEuler-24.03-LTS:edk2-ovmf-202308-31.oe2403.noarch", "openEuler-24.03-LTS:python3-edk2-devel-202308-31.oe2403.noarch", "openEuler-24.03-LTS:edk2-debuginfo-202308-31.oe2403.aarch64", "openEuler-24.03-LTS:edk2-debugsource-202308-31.oe2403.aarch64", "openEuler-24.03-LTS:edk2-devel-202308-31.oe2403.aarch64" ] }, "remediations":[ { "product_ids":{"$ref":"$.vulnerabilities[0].product_status.fixed"}, "details":"edk2 security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1664" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.4, "vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version":"3.1" }, "products":{"$ref":"$.vulnerabilities[0].product_status.fixed"} } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2025-69419" } ] }