From: "Yoann Congal" <yoann.congal@smile.fr>
To: "Yoann Congal" <yoann.congal@smile.fr>,
<hsimeliere.opensource@witekio.com>,
<openembedded-core@lists.openembedded.org>
Cc: "Bruno VERNAY" <bruno.vernay@se.com>
Subject: Re: [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846
Date: Thu, 04 Jun 2026 22:10:06 +0200 [thread overview]
Message-ID: <DJ0JDC0E8QIM.2PLQBKV0K6TIN@smile.fr> (raw)
In-Reply-To: <DJ0529SO7U38.2KY8QAKJ8TRSU@smile.fr>
On Thu Jun 4, 2026 at 10:57 AM CEST, Yoann Congal wrote:
> On Wed May 20, 2026 at 10:13 AM CEST, Hugo Simeliere via lists.openembedded.org wrote:
>> From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
>>
>> Pick patch from [1] as mentioned in Debian report in [2].
>> Pick pre-patch [3] to minimize conflicts.
>>
>> [1] https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78
Hello (again),
This patch is in the 3.8.13 tag but not in the 3.8.12 tag used on
wrynose. There was a 3.8.13 wrynose upgrade sent but I can't accept it.
So, this patch (as well as at least 2/7, I have not checked the others) must
be sent to wrynose before I can accept them on scarthgap. Can you do
that and ping back here when it's done?
Thanks!
>> [2] https://security-tracker.debian.org/tracker/CVE-2026-33846
>> [3] https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0
>>
>> Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
>> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
>> ---
>> .../gnutls/gnutls/CVE-2026-33846-pre.patch | 97 +++++++++++++++++++
>> .../gnutls/gnutls/CVE-2026-33846.patch | 67 +++++++++++++
>> meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 +
>> 3 files changed, 166 insertions(+)
>> create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>> create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>>
>> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>> new file mode 100644
>> index 0000000000..71266cb338
>> --- /dev/null
>> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>> @@ -0,0 +1,97 @@
>> +From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001
>> +From: Alexander Sosedkin <asosedkin@redhat.com>
>> +Date: Fri, 17 Apr 2026 17:49:31 +0200
>> +Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using recv_buf
>
> As far as I can tell this patch is only cosmetic and I'd rather not
> merge it unless you have a compeling reason.
>
> To apply CVE-2026-33846.patch, it looks like you will need to change it
> to use "session->internals.handshake_recv_buffer" instead of "recv_buf".
>
> Regards,
>
>> +
>> +I had vague concerns about thread-safety of this,
>> +but then this pattern already exists within the file.
>> +
>> +CVE: CVE-2026-33846
>> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0]
>> +
>> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
>> +(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0)
>> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
>> +---
>> + lib/buffers.c | 52 +++++++++++++++++----------------------------------
>> + 1 file changed, 17 insertions(+), 35 deletions(-)
>> +
>> +diff --git a/lib/buffers.c b/lib/buffers.c
>> +index 672380b05..d54c77022 100644
>> +--- a/lib/buffers.c
>> ++++ b/lib/buffers.c
>> +@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t session,
>> + int exists = 0, i, pos = 0;
>> + int ret;
>> +
>> ++ handshake_buffer_st *recv_buf =
>> ++ session->internals.handshake_recv_buffer;
>> ++
>> + for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
>> +- if (session->internals.handshake_recv_buffer[i].htype ==
>> +- hsk->htype) {
>> ++ if (recv_buf[i].htype == hsk->htype) {
>> + exists = 1;
>> + pos = i;
>> + break;
>> +@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t session,
>> + _gnutls_write_uint24(0, &hsk->header[6]);
>> + _gnutls_write_uint24(hsk->length, &hsk->header[9]);
>> +
>> +- _gnutls_handshake_buffer_move(
>> +- &session->internals.handshake_recv_buffer[pos], hsk);
>> ++ _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
>> +
>> + } else {
>> +- if (hsk->start_offset <
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .start_offset &&
>> +- hsk->end_offset + 1 >=
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .start_offset) {
>> +- memcpy(&session->internals.handshake_recv_buffer[pos]
>> +- .data.data[hsk->start_offset],
>> ++ if (hsk->start_offset < recv_buf[pos].start_offset &&
>> ++ hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
>> ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> + hsk->data.data, hsk->data.length);
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .start_offset = hsk->start_offset;
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .end_offset = MIN(
>> +- hsk->end_offset,
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .end_offset);
>> +- } else if (hsk->end_offset >
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .end_offset &&
>> +- hsk->start_offset <=
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .end_offset +
>> +- 1) {
>> +- memcpy(&session->internals.handshake_recv_buffer[pos]
>> +- .data.data[hsk->start_offset],
>> ++ recv_buf[pos].start_offset = hsk->start_offset;
>> ++ recv_buf[pos].end_offset =
>> ++ MIN(hsk->end_offset, recv_buf[pos].end_offset);
>> ++ } else if (hsk->end_offset > recv_buf[pos].end_offset &&
>> ++ hsk->start_offset <= recv_buf[pos].end_offset + 1) {
>> ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> + hsk->data.data, hsk->data.length);
>> +
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .end_offset = hsk->end_offset;
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .start_offset = MIN(
>> +- hsk->start_offset,
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .start_offset);
>> ++ recv_buf[pos].end_offset = hsk->end_offset;
>> ++ recv_buf[pos].start_offset = MIN(
>> ++ hsk->start_offset, recv_buf[pos].start_offset);
>> + }
>> + _gnutls_handshake_buffer_clear(hsk);
>> + }
>> +--
>> +2.43.0
>> +
>> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>> new file mode 100644
>> index 0000000000..e7d5cc6c2b
>> --- /dev/null
>> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>> @@ -0,0 +1,67 @@
>> +From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001
>> +From: Alexander Sosedkin <asosedkin@redhat.com>
>> +Date: Fri, 17 Apr 2026 18:21:36 +0200
>> +Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly
>> +
>> +Previously, gnutls didn't check that DTLS fragments claimed
>> +a consistent message_length value.
>> +Additionally, a crucial array size check was missing,
>> +enabling an attacker to cause a heap overwrite.
>> +The updated version rejects fragments with mismatching length
>> +and adds a missing boundary check.
>> +
>> +Reported-by: Haruto Kimura (Stella)
>> +Reported-by: Oscar Reparaz
>> +Reported-by: Zou Dikai
>> +Fixes: #1816
>> +Fixes: #1838
>> +Fixes: #1839
>> +Fixes: CVE-2026-33846
>> +Fixes: GNUTLS-SA-2026-04-29-1
>> +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
>> +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
>> +
>> +CVE: CVE-2026-33846
>> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78]
>> +
>> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
>> +(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78)
>> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
>> +---
>> + lib/buffers.c | 20 ++++++++++++++++++++
>> + 1 file changed, 20 insertions(+)
>> +
>> +diff --git a/lib/buffers.c b/lib/buffers.c
>> +index d54c77022..5d4d16276 100644
>> +--- a/lib/buffers.c
>> ++++ b/lib/buffers.c
>> +@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t session,
>> + _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
>> +
>> + } else {
>> ++ if (hsk->length != recv_buf[pos].length) {
>> ++ /* inconsistent across fragments */
>> ++ _gnutls_handshake_buffer_clear(hsk);
>> ++ return gnutls_assert_val(
>> ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++ }
>> ++ /* start_offset + data.length <= hsk->length <= max_length */
>> ++ if (hsk->length < hsk->start_offset + hsk->data.length) {
>> ++ /* impossible claims, overflow requested */
>> ++ _gnutls_handshake_buffer_clear(hsk);
>> ++ return gnutls_assert_val(
>> ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++ }
>> ++ if (hsk->length > recv_buf[pos].data.max_length) {
>> ++ /* we don't have this much allocated, overflow guard */
>> ++ _gnutls_handshake_buffer_clear(hsk);
>> ++ return gnutls_assert_val(
>> ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++ }
>> ++
>> + if (hsk->start_offset < recv_buf[pos].start_offset &&
>> + hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
>> + memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> +--
>> +2.43.0
>> +
>> diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> index ccb6a2b4b2..e40a654a8e 100644
>> --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> @@ -43,6 +43,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
>> file://CVE-2025-14831-7.patch \
>> file://CVE-2025-14831-8.patch \
>> file://CVE-2025-14831-9.patch \
>> + file://CVE-2026-33846-pre.patch \
>> + file://CVE-2026-33846.patch \
>> "
>>
>> SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
--
Yoann Congal
Smile ECS
next prev parent reply other threads:[~2026-06-04 20:10 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-20 8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
2026-05-20 8:13 ` [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845 hsimeliere.opensource
2026-05-20 8:13 ` [OE-core][scarthgap][PATCH 3/7] gnutls: Fix CVE-2026-3833 hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 4/7] gnutls: Fix CVE-2026-42015 hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 5/7] gnutls: Fix CVE-2026-42014 hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 6/7] gnutls: Fix CVE-2026-42010 hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 7/7] gnutls: Fix CVE-2026-5260 hsimeliere.opensource
2026-06-04 8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
2026-06-04 20:10 ` Yoann Congal [this message]
2026-07-06 10:48 ` Yoann Congal
2026-06-05 8:45 ` Yoann Congal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJ0JDC0E8QIM.2PLQBKV0K6TIN@smile.fr \
--to=yoann.congal@smile.fr \
--cc=bruno.vernay@se.com \
--cc=hsimeliere.opensource@witekio.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox