From: hsimeliere.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: "Hugo SIMELIERE (Schneider Electric)"
<hsimeliere.opensource@witekio.com>,
Bruno VERNAY <bruno.vernay@se.com>
Subject: [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846
Date: Wed, 20 May 2026 10:13:57 +0200 [thread overview]
Message-ID: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com> (raw)
From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
Pick patch from [1] as mentioned in Debian report in [2].
Pick pre-patch [3] to minimize conflicts.
[1] https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78
[2] https://security-tracker.debian.org/tracker/CVE-2026-33846
[3] https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
.../gnutls/gnutls/CVE-2026-33846-pre.patch | 97 +++++++++++++++++++
.../gnutls/gnutls/CVE-2026-33846.patch | 67 +++++++++++++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 +
3 files changed, 166 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
new file mode 100644
index 0000000000..71266cb338
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
@@ -0,0 +1,97 @@
+From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Fri, 17 Apr 2026 17:49:31 +0200
+Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using recv_buf
+
+I had vague concerns about thread-safety of this,
+but then this pattern already exists within the file.
+
+CVE: CVE-2026-33846
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/buffers.c | 52 +++++++++++++++++----------------------------------
+ 1 file changed, 17 insertions(+), 35 deletions(-)
+
+diff --git a/lib/buffers.c b/lib/buffers.c
+index 672380b05..d54c77022 100644
+--- a/lib/buffers.c
++++ b/lib/buffers.c
+@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t session,
+ int exists = 0, i, pos = 0;
+ int ret;
+
++ handshake_buffer_st *recv_buf =
++ session->internals.handshake_recv_buffer;
++
+ for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
+- if (session->internals.handshake_recv_buffer[i].htype ==
+- hsk->htype) {
++ if (recv_buf[i].htype == hsk->htype) {
+ exists = 1;
+ pos = i;
+ break;
+@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t session,
+ _gnutls_write_uint24(0, &hsk->header[6]);
+ _gnutls_write_uint24(hsk->length, &hsk->header[9]);
+
+- _gnutls_handshake_buffer_move(
+- &session->internals.handshake_recv_buffer[pos], hsk);
++ _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
+
+ } else {
+- if (hsk->start_offset <
+- session->internals.handshake_recv_buffer[pos]
+- .start_offset &&
+- hsk->end_offset + 1 >=
+- session->internals.handshake_recv_buffer[pos]
+- .start_offset) {
+- memcpy(&session->internals.handshake_recv_buffer[pos]
+- .data.data[hsk->start_offset],
++ if (hsk->start_offset < recv_buf[pos].start_offset &&
++ hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
++ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
+ hsk->data.data, hsk->data.length);
+- session->internals.handshake_recv_buffer[pos]
+- .start_offset = hsk->start_offset;
+- session->internals.handshake_recv_buffer[pos]
+- .end_offset = MIN(
+- hsk->end_offset,
+- session->internals.handshake_recv_buffer[pos]
+- .end_offset);
+- } else if (hsk->end_offset >
+- session->internals.handshake_recv_buffer[pos]
+- .end_offset &&
+- hsk->start_offset <=
+- session->internals.handshake_recv_buffer[pos]
+- .end_offset +
+- 1) {
+- memcpy(&session->internals.handshake_recv_buffer[pos]
+- .data.data[hsk->start_offset],
++ recv_buf[pos].start_offset = hsk->start_offset;
++ recv_buf[pos].end_offset =
++ MIN(hsk->end_offset, recv_buf[pos].end_offset);
++ } else if (hsk->end_offset > recv_buf[pos].end_offset &&
++ hsk->start_offset <= recv_buf[pos].end_offset + 1) {
++ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
+ hsk->data.data, hsk->data.length);
+
+- session->internals.handshake_recv_buffer[pos]
+- .end_offset = hsk->end_offset;
+- session->internals.handshake_recv_buffer[pos]
+- .start_offset = MIN(
+- hsk->start_offset,
+- session->internals.handshake_recv_buffer[pos]
+- .start_offset);
++ recv_buf[pos].end_offset = hsk->end_offset;
++ recv_buf[pos].start_offset = MIN(
++ hsk->start_offset, recv_buf[pos].start_offset);
+ }
+ _gnutls_handshake_buffer_clear(hsk);
+ }
+--
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
new file mode 100644
index 0000000000..e7d5cc6c2b
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
@@ -0,0 +1,67 @@
+From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Fri, 17 Apr 2026 18:21:36 +0200
+Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly
+
+Previously, gnutls didn't check that DTLS fragments claimed
+a consistent message_length value.
+Additionally, a crucial array size check was missing,
+enabling an attacker to cause a heap overwrite.
+The updated version rejects fragments with mismatching length
+and adds a missing boundary check.
+
+Reported-by: Haruto Kimura (Stella)
+Reported-by: Oscar Reparaz
+Reported-by: Zou Dikai
+Fixes: #1816
+Fixes: #1838
+Fixes: #1839
+Fixes: CVE-2026-33846
+Fixes: GNUTLS-SA-2026-04-29-1
+CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
+CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+
+CVE: CVE-2026-33846
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/buffers.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/lib/buffers.c b/lib/buffers.c
+index d54c77022..5d4d16276 100644
+--- a/lib/buffers.c
++++ b/lib/buffers.c
+@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t session,
+ _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
+
+ } else {
++ if (hsk->length != recv_buf[pos].length) {
++ /* inconsistent across fragments */
++ _gnutls_handshake_buffer_clear(hsk);
++ return gnutls_assert_val(
++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++ }
++ /* start_offset + data.length <= hsk->length <= max_length */
++ if (hsk->length < hsk->start_offset + hsk->data.length) {
++ /* impossible claims, overflow requested */
++ _gnutls_handshake_buffer_clear(hsk);
++ return gnutls_assert_val(
++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++ }
++ if (hsk->length > recv_buf[pos].data.max_length) {
++ /* we don't have this much allocated, overflow guard */
++ _gnutls_handshake_buffer_clear(hsk);
++ return gnutls_assert_val(
++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++ }
++
+ if (hsk->start_offset < recv_buf[pos].start_offset &&
+ hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
+ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
+--
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index ccb6a2b4b2..e40a654a8e 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -43,6 +43,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://CVE-2025-14831-7.patch \
file://CVE-2025-14831-8.patch \
file://CVE-2025-14831-9.patch \
+ file://CVE-2026-33846-pre.patch \
+ file://CVE-2026-33846.patch \
"
SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
--
2.43.0
next reply other threads:[~2026-05-20 8:14 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-20 8:13 hsimeliere.opensource [this message]
2026-05-20 8:13 ` [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845 hsimeliere.opensource
2026-05-20 8:13 ` [OE-core][scarthgap][PATCH 3/7] gnutls: Fix CVE-2026-3833 hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 4/7] gnutls: Fix CVE-2026-42015 hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 5/7] gnutls: Fix CVE-2026-42014 hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 6/7] gnutls: Fix CVE-2026-42010 hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 7/7] gnutls: Fix CVE-2026-5260 hsimeliere.opensource
2026-06-04 8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
2026-06-04 20:10 ` Yoann Congal
2026-07-06 10:48 ` Yoann Congal
2026-06-05 8:45 ` Yoann Congal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260520081403.3052797-1-hsimeliere.opensource@witekio.com \
--to=hsimeliere.opensource@witekio.com \
--cc=bruno.vernay@se.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox