Openembedded Core Discussions
 help / color / mirror / Atom feed
From: hsimeliere.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: "Hugo SIMELIERE (Schneider Electric)"
	<hsimeliere.opensource@witekio.com>,
	Bruno VERNAY <bruno.vernay@se.com>
Subject: [OE-core][scarthgap][PATCH 5/7] gnutls: Fix CVE-2026-42014
Date: Wed, 20 May 2026 10:14:01 +0200	[thread overview]
Message-ID: <20260520081403.3052797-5-hsimeliere.opensource@witekio.com> (raw)
In-Reply-To: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com>

From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>

Pick patch from [1] as mentioned in Debian report in [2].

[1] https://gitlab.com/gnutls/gnutls/-/commit/3957f136e2ed23caf176a594b54b3827f5cef701
[2] https://security-tracker.debian.org/tracker/CVE-2026-42014

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
 .../gnutls/gnutls/CVE-2026-42014.patch        | 67 +++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch
new file mode 100644
index 0000000000..ceaf05bf1e
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch
@@ -0,0 +1,67 @@
+From b48f025e58763f3975e5d65d698df27a5211bc51 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Wed, 18 Mar 2026 18:19:06 +0100
+Subject: [PATCH] pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin
+
+Changing Security Officer PIN with gnutls_pkcs11_token_set_pin() with
+oldpin == NULL for a token that lacks a protected authentication path
+led to a use-after-free.
+
+Reported-by: Luigino Camastra and Joshua Rogers of AISLE Research Team
+Fixes: #1766
+Fixes: #1809
+Fixes: CVE-2026-42014
+Fixes: GNUTLS-SA-2026-04-29-9
+CVSS: 4.0 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+
+CVE: CVE-2026-42014
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/3957f136e2ed23caf176a594b54b3827f5cef701]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit 3957f136e2ed23caf176a594b54b3827f5cef701)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/pkcs11_write.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
+index 961e1b9d8..9fe571ea2 100644
+--- a/lib/pkcs11_write.c
++++ b/lib/pkcs11_write.c
+@@ -1267,10 +1267,9 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
+ 		ses_flags = SESSION_WRITE | SESSION_LOGIN;
+ 
+ 	ret = pkcs11_open_session(&sinfo, NULL, info, ses_flags);
+-	p11_kit_uri_free(info);
+-
+ 	if (ret < 0) {
+ 		gnutls_assert();
++		p11_kit_uri_free(info);
+ 		return ret;
+ 	}
+ 
+@@ -1291,9 +1290,11 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
+ 		oldpin_size = L(oldpin);
+ 
+ 		if (!(sinfo.tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
+-			if (newpin == NULL)
+-				return gnutls_assert_val(
++			if (newpin == NULL) {
++				ret = gnutls_assert_val(
+ 					GNUTLS_E_INVALID_REQUEST);
++				goto finish;
++			}
+ 
+ 			if (oldpin == NULL) {
+ 				struct pin_info_st pin_info;
+@@ -1325,6 +1326,7 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
+ 	ret = 0;
+ 
+ finish:
++	p11_kit_uri_free(info);
+ 	pkcs11_close_session(&sinfo);
+ 	return ret;
+ }
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 20946c1030..dc8e28c99b 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -49,6 +49,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2026-33845.patch \
            file://CVE-2026-3833.patch \
            file://CVE-2026-42015.patch \
+           file://CVE-2026-42014.patch \
            "
 
 SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
-- 
2.43.0



  parent reply	other threads:[~2026-05-20  8:15 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-20  8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
2026-05-20  8:13 ` [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845 hsimeliere.opensource
2026-05-20  8:13 ` [OE-core][scarthgap][PATCH 3/7] gnutls: Fix CVE-2026-3833 hsimeliere.opensource
2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 4/7] gnutls: Fix CVE-2026-42015 hsimeliere.opensource
2026-05-20  8:14 ` hsimeliere.opensource [this message]
2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 6/7] gnutls: Fix CVE-2026-42010 hsimeliere.opensource
2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 7/7] gnutls: Fix CVE-2026-5260 hsimeliere.opensource
2026-06-04  8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
2026-06-04 20:10   ` Yoann Congal
2026-07-06 10:48     ` Yoann Congal
2026-06-05  8:45   ` Yoann Congal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260520081403.3052797-5-hsimeliere.opensource@witekio.com \
    --to=hsimeliere.opensource@witekio.com \
    --cc=bruno.vernay@se.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox