Openembedded Core Discussions
 help / color / mirror / Atom feed
From: "Yoann Congal" <yoann.congal@smile.fr>
To: "Yoann Congal" <yoann.congal@smile.fr>,
	<hsimeliere.opensource@witekio.com>,
	<openembedded-core@lists.openembedded.org>
Cc: "Bruno VERNAY" <bruno.vernay@se.com>
Subject: Re: [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846
Date: Thu, 04 Jun 2026 22:10:06 +0200	[thread overview]
Message-ID: <DJ0JDC0E8QIM.2PLQBKV0K6TIN@smile.fr> (raw)
In-Reply-To: <DJ0529SO7U38.2KY8QAKJ8TRSU@smile.fr>

On Thu Jun 4, 2026 at 10:57 AM CEST, Yoann Congal wrote:
> On Wed May 20, 2026 at 10:13 AM CEST, Hugo Simeliere via lists.openembedded.org wrote:
>> From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
>>
>> Pick patch from [1] as mentioned in Debian report in [2].
>> Pick pre-patch [3] to minimize conflicts.
>>
>> [1] https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78

Hello (again),

This patch is in the 3.8.13 tag but not in the 3.8.12 tag used on
wrynose. There was a 3.8.13 wrynose upgrade sent but I can't accept it.
So, this patch (as well as at least 2/7, I have not checked the others) must
be sent to wrynose before I can accept them on scarthgap. Can you do
that and ping back here when it's done?

Thanks!

>> [2] https://security-tracker.debian.org/tracker/CVE-2026-33846
>> [3] https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0
>>
>> Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
>> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
>> ---
>>  .../gnutls/gnutls/CVE-2026-33846-pre.patch    | 97 +++++++++++++++++++
>>  .../gnutls/gnutls/CVE-2026-33846.patch        | 67 +++++++++++++
>>  meta/recipes-support/gnutls/gnutls_3.8.4.bb   |  2 +
>>  3 files changed, 166 insertions(+)
>>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>>
>> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>> new file mode 100644
>> index 0000000000..71266cb338
>> --- /dev/null
>> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>> @@ -0,0 +1,97 @@
>> +From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001
>> +From: Alexander Sosedkin <asosedkin@redhat.com>
>> +Date: Fri, 17 Apr 2026 17:49:31 +0200
>> +Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using recv_buf
>
> As far as I can tell this patch is only cosmetic and I'd rather not
> merge it unless you have a compeling reason.
>
> To apply CVE-2026-33846.patch, it looks like you will need to change it
> to use "session->internals.handshake_recv_buffer" instead of "recv_buf".
>
> Regards,
>
>> +
>> +I had vague concerns about thread-safety of this,
>> +but then this pattern already exists within the file.
>> +
>> +CVE: CVE-2026-33846
>> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0]
>> +
>> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
>> +(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0)
>> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
>> +---
>> + lib/buffers.c | 52 +++++++++++++++++----------------------------------
>> + 1 file changed, 17 insertions(+), 35 deletions(-)
>> +
>> +diff --git a/lib/buffers.c b/lib/buffers.c
>> +index 672380b05..d54c77022 100644
>> +--- a/lib/buffers.c
>> ++++ b/lib/buffers.c
>> +@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t session,
>> + 	int exists = 0, i, pos = 0;
>> + 	int ret;
>> + 
>> ++	handshake_buffer_st *recv_buf =
>> ++		session->internals.handshake_recv_buffer;
>> ++
>> + 	for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
>> +-		if (session->internals.handshake_recv_buffer[i].htype ==
>> +-		    hsk->htype) {
>> ++		if (recv_buf[i].htype == hsk->htype) {
>> + 			exists = 1;
>> + 			pos = i;
>> + 			break;
>> +@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t session,
>> + 		_gnutls_write_uint24(0, &hsk->header[6]);
>> + 		_gnutls_write_uint24(hsk->length, &hsk->header[9]);
>> + 
>> +-		_gnutls_handshake_buffer_move(
>> +-			&session->internals.handshake_recv_buffer[pos], hsk);
>> ++		_gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
>> + 
>> + 	} else {
>> +-		if (hsk->start_offset <
>> +-			    session->internals.handshake_recv_buffer[pos]
>> +-				    .start_offset &&
>> +-		    hsk->end_offset + 1 >=
>> +-			    session->internals.handshake_recv_buffer[pos]
>> +-				    .start_offset) {
>> +-			memcpy(&session->internals.handshake_recv_buffer[pos]
>> +-					.data.data[hsk->start_offset],
>> ++		if (hsk->start_offset < recv_buf[pos].start_offset &&
>> ++		    hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
>> ++			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> + 			       hsk->data.data, hsk->data.length);
>> +-			session->internals.handshake_recv_buffer[pos]
>> +-				.start_offset = hsk->start_offset;
>> +-			session->internals.handshake_recv_buffer[pos]
>> +-				.end_offset = MIN(
>> +-				hsk->end_offset,
>> +-				session->internals.handshake_recv_buffer[pos]
>> +-					.end_offset);
>> +-		} else if (hsk->end_offset >
>> +-				   session->internals.handshake_recv_buffer[pos]
>> +-					   .end_offset &&
>> +-			   hsk->start_offset <=
>> +-				   session->internals.handshake_recv_buffer[pos]
>> +-						   .end_offset +
>> +-					   1) {
>> +-			memcpy(&session->internals.handshake_recv_buffer[pos]
>> +-					.data.data[hsk->start_offset],
>> ++			recv_buf[pos].start_offset = hsk->start_offset;
>> ++			recv_buf[pos].end_offset =
>> ++				MIN(hsk->end_offset, recv_buf[pos].end_offset);
>> ++		} else if (hsk->end_offset > recv_buf[pos].end_offset &&
>> ++			   hsk->start_offset <= recv_buf[pos].end_offset + 1) {
>> ++			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> + 			       hsk->data.data, hsk->data.length);
>> + 
>> +-			session->internals.handshake_recv_buffer[pos]
>> +-				.end_offset = hsk->end_offset;
>> +-			session->internals.handshake_recv_buffer[pos]
>> +-				.start_offset = MIN(
>> +-				hsk->start_offset,
>> +-				session->internals.handshake_recv_buffer[pos]
>> +-					.start_offset);
>> ++			recv_buf[pos].end_offset = hsk->end_offset;
>> ++			recv_buf[pos].start_offset = MIN(
>> ++				hsk->start_offset, recv_buf[pos].start_offset);
>> + 		}
>> + 		_gnutls_handshake_buffer_clear(hsk);
>> + 	}
>> +-- 
>> +2.43.0
>> +
>> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>> new file mode 100644
>> index 0000000000..e7d5cc6c2b
>> --- /dev/null
>> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>> @@ -0,0 +1,67 @@
>> +From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001
>> +From: Alexander Sosedkin <asosedkin@redhat.com>
>> +Date: Fri, 17 Apr 2026 18:21:36 +0200
>> +Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly
>> +
>> +Previously, gnutls didn't check that DTLS fragments claimed
>> +a consistent message_length value.
>> +Additionally, a crucial array size check was missing,
>> +enabling an attacker to cause a heap overwrite.
>> +The updated version rejects fragments with mismatching length
>> +and adds a missing boundary check.
>> +
>> +Reported-by: Haruto Kimura (Stella)
>> +Reported-by: Oscar Reparaz
>> +Reported-by: Zou Dikai
>> +Fixes: #1816
>> +Fixes: #1838
>> +Fixes: #1839
>> +Fixes: CVE-2026-33846
>> +Fixes: GNUTLS-SA-2026-04-29-1
>> +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
>> +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
>> +
>> +CVE: CVE-2026-33846
>> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78]
>> +
>> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
>> +(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78)
>> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
>> +---
>> + lib/buffers.c | 20 ++++++++++++++++++++
>> + 1 file changed, 20 insertions(+)
>> +
>> +diff --git a/lib/buffers.c b/lib/buffers.c
>> +index d54c77022..5d4d16276 100644
>> +--- a/lib/buffers.c
>> ++++ b/lib/buffers.c
>> +@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t session,
>> + 		_gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
>> + 
>> + 	} else {
>> ++		if (hsk->length != recv_buf[pos].length) {
>> ++			/* inconsistent across fragments */
>> ++			_gnutls_handshake_buffer_clear(hsk);
>> ++			return gnutls_assert_val(
>> ++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++		}
>> ++		/* start_offset + data.length <= hsk->length <= max_length */
>> ++		if (hsk->length < hsk->start_offset + hsk->data.length) {
>> ++			/* impossible claims, overflow requested */
>> ++			_gnutls_handshake_buffer_clear(hsk);
>> ++			return gnutls_assert_val(
>> ++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++		}
>> ++		if (hsk->length > recv_buf[pos].data.max_length) {
>> ++			/* we don't have this much allocated, overflow guard */
>> ++			_gnutls_handshake_buffer_clear(hsk);
>> ++			return gnutls_assert_val(
>> ++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++		}
>> ++
>> + 		if (hsk->start_offset < recv_buf[pos].start_offset &&
>> + 		    hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
>> + 			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> +-- 
>> +2.43.0
>> +
>> diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> index ccb6a2b4b2..e40a654a8e 100644
>> --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> @@ -43,6 +43,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
>>             file://CVE-2025-14831-7.patch \
>>             file://CVE-2025-14831-8.patch \
>>             file://CVE-2025-14831-9.patch \
>> +           file://CVE-2026-33846-pre.patch \
>> +           file://CVE-2026-33846.patch \
>>             "
>>  
>>  SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"


-- 
Yoann Congal
Smile ECS



  reply	other threads:[~2026-06-04 20:10 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-20  8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
2026-05-20  8:13 ` [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845 hsimeliere.opensource
2026-05-20  8:13 ` [OE-core][scarthgap][PATCH 3/7] gnutls: Fix CVE-2026-3833 hsimeliere.opensource
2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 4/7] gnutls: Fix CVE-2026-42015 hsimeliere.opensource
2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 5/7] gnutls: Fix CVE-2026-42014 hsimeliere.opensource
2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 6/7] gnutls: Fix CVE-2026-42010 hsimeliere.opensource
2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 7/7] gnutls: Fix CVE-2026-5260 hsimeliere.opensource
2026-06-04  8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
2026-06-04 20:10   ` Yoann Congal [this message]
2026-07-06 10:48     ` Yoann Congal
2026-06-05  8:45   ` Yoann Congal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJ0JDC0E8QIM.2PLQBKV0K6TIN@smile.fr \
    --to=yoann.congal@smile.fr \
    --cc=bruno.vernay@se.com \
    --cc=hsimeliere.opensource@witekio.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox