public inbox for openembedded-core@lists.openembedded.org
From: "Yoann Congal" <yoann.congal@smile.fr>
To: <vanusuri@mvista.com>, <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][scarthgap][patch] gnutls: Fix CVE-2025-14831
Date: Mon, 30 Mar 2026 00:08:27 +0200
Message-ID: <DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr>
In-Reply-To: <20260217081454.864791-1-vanusuri@mvista.com>

On Tue Feb 17, 2026 at 9:14 AM CET, Vijay Anusuri via lists.openembedded.org wrote:
> Picked commits which mention this CVE per [1].
>
> [1] https://ubuntu.com/security/CVE-2025-14831
> [2] https://security-tracker.debian.org/tracker/CVE-2025-14831
> [3] https://gitlab.com/gnutls/gnutls/-/issues/1773
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
>  .../gnutls/gnutls/CVE-2025-14831-1.patch      |  61 +++
>  .../gnutls/gnutls/CVE-2025-14831-2.patch      |  30 ++
>  .../gnutls/gnutls/CVE-2025-14831-3.patch      |  45 ++
>  .../gnutls/gnutls/CVE-2025-14831-4.patch      | 200 +++++++
>  .../gnutls/gnutls/CVE-2025-14831-5.patch      | 500 ++++++++++++++++++
>  .../gnutls/gnutls/CVE-2025-14831-6.patch      | 119 +++++
>  .../gnutls/gnutls/CVE-2025-14831-7.patch      | 150 ++++++
>  .../gnutls/gnutls/CVE-2025-14831-8.patch      | 105 ++++
>  .../gnutls/gnutls/CVE-2025-14831-9.patch      | 437 +++++++++++++++
>  meta/recipes-support/gnutls/gnutls_3.8.4.bb   |   9 +
>  10 files changed, 1656 insertions(+)
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch
>
> [...]
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch
> new file mode 100644
> index 0000000000..27ed995d8d
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch
> @@ -0,0 +1,437 @@
> +Backport of:
> +
> +From d6054f0016db05fb5c82177ddbd0a4e8331059a1 Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Wed, 4 Feb 2026 20:03:49 +0100
> +Subject: [PATCH] x509/name_constraints: name_constraints_node_list_intersect
> + over sorted
> +
> +Fixes: #1773
> +Fixes: GNUTLS-SA-2026-02-09-2
> +Fixes: CVE-2025-14831
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/d6054f0016db05fb5c82177ddbd0a4e8331059a1]
> +CVE: CVE-2025-14831
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + NEWS                        |   7 +
> + lib/x509/name_constraints.c | 350 ++++++++++++++----------------------
> + 2 files changed, 142 insertions(+), 215 deletions(-)
> +
> +#diff --git a/NEWS b/NEWS
> +#index e506db547a..96b7484fdf 100644
> +#--- a/NEWS
> +#+++ b/NEWS
> +#@@ -14,6 +14,13 @@ See the end for copying conditions.
> +#    Reported by Jaehun Lee.
> +#    [Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]
> +# 
> +#+** libgnutls: Fix name constraint processing performance issue
> +#+   Verifying certificates with pathological amounts of name constraints
> +#+   could lead to a denial of service attack via resource exhaustion.
> +#+   Reworked processing algorithms exhibit better performance characteristics.
> +#+   Reported by Tim Scheckenbach.
> +#+   [Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]
> +#+
> +# ** libgnutls: Fix multiple unexploitable overflows
> +#    Reported by Tim Rühsen (#1783, #1786).
> +# 
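Review bot: the NEWS hunk in CVE-2025-14831-9.patch (the lines prefixed with `#`, from `#diff --git a/NEWS b/NEWS` through `#    Reported by Tim Rühsen (#1783, #1786).`) is commented out, so it is never applied, and it is the same commented hunk already asked to be dropped in the whinlatter review; remove it rather than carry dead text in the backport. Once it is gone, the patch header is also inconsistent with the content: `NEWS | 7 +` and `2 files changed, 142 insertions(+), 215 deletions(-)` still count the NEWS change, so either regenerate the diffstat for the single `lib/x509/name_constraints.c` hunk or drop the diffstat lines, and keep the "Backport of:" / Upstream-Status lines so the upstream commit d6054f0016db05fb5c82177ddbd0a4e8331059a1 remains traceable. Alternatively, if the NEWS entry is meant to be kept as a note on what the fix does (the name-constraint processing performance issue and its denial-of-service impact), leave it uncommented above the `---` separator, where it is part of the description and not the diff.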

Hello,

When I reviewed this patch for whinlatter, I asked for this commented
hunk to be removed. Can you also remove it here as well?

Generally, since you often send patches for multiple stable branches in
parallel, when you get a review for one branch that applies to your
other patches, please fix those as well.

Thanks!
-- 
Yoann Congal
Smile ECS



Thread overview: 8+ messages
2026-02-17  8:14 [OE-core][scarthgap][patch] gnutls: Fix CVE-2025-14831 Vijay Anusuri
2026-02-17  9:04 ` Yoann Congal
2026-02-24  4:25   ` Vijay Anusuri
2026-02-24 11:04     ` Yoann Congal
2026-03-27 16:03       ` Marko, Peter
2026-03-27 16:50         ` Yoann Congal
2026-03-29 22:08 ` Yoann Congal [this message]
2026-03-30  5:59   ` Vijay Anusuri
