Openembedded Core Discussions
 help / color / mirror / Atom feed
* [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846
@ 2026-05-20  8:13 hsimeliere.opensource
  2026-05-20  8:13 ` [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845 hsimeliere.opensource
                   ` (6 more replies)
  0 siblings, 7 replies; 11+ messages in thread
From: hsimeliere.opensource @ 2026-05-20  8:13 UTC (permalink / raw)
  To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY

From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>

Pick patch from [1] as mentioned in Debian report in [2].
Pick pre-patch [3] to minimize conflicts.

[1] https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78
[2] https://security-tracker.debian.org/tracker/CVE-2026-33846
[3] https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
 .../gnutls/gnutls/CVE-2026-33846-pre.patch    | 97 +++++++++++++++++++
 .../gnutls/gnutls/CVE-2026-33846.patch        | 67 +++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |  2 +
 3 files changed, 166 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
new file mode 100644
index 0000000000..71266cb338
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
@@ -0,0 +1,97 @@
+From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Fri, 17 Apr 2026 17:49:31 +0200
+Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using recv_buf
+
+I had vague concerns about thread-safety of this,
+but then this pattern already exists within the file.
+
+CVE: CVE-2026-33846
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/buffers.c | 52 +++++++++++++++++----------------------------------
+ 1 file changed, 17 insertions(+), 35 deletions(-)
+
+diff --git a/lib/buffers.c b/lib/buffers.c
+index 672380b05..d54c77022 100644
+--- a/lib/buffers.c
++++ b/lib/buffers.c
+@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t session,
+ 	int exists = 0, i, pos = 0;
+ 	int ret;
+ 
++	handshake_buffer_st *recv_buf =
++		session->internals.handshake_recv_buffer;
++
+ 	for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
+-		if (session->internals.handshake_recv_buffer[i].htype ==
+-		    hsk->htype) {
++		if (recv_buf[i].htype == hsk->htype) {
+ 			exists = 1;
+ 			pos = i;
+ 			break;
+@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t session,
+ 		_gnutls_write_uint24(0, &hsk->header[6]);
+ 		_gnutls_write_uint24(hsk->length, &hsk->header[9]);
+ 
+-		_gnutls_handshake_buffer_move(
+-			&session->internals.handshake_recv_buffer[pos], hsk);
++		_gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
+ 
+ 	} else {
+-		if (hsk->start_offset <
+-			    session->internals.handshake_recv_buffer[pos]
+-				    .start_offset &&
+-		    hsk->end_offset + 1 >=
+-			    session->internals.handshake_recv_buffer[pos]
+-				    .start_offset) {
+-			memcpy(&session->internals.handshake_recv_buffer[pos]
+-					.data.data[hsk->start_offset],
++		if (hsk->start_offset < recv_buf[pos].start_offset &&
++		    hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
++			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
+ 			       hsk->data.data, hsk->data.length);
+-			session->internals.handshake_recv_buffer[pos]
+-				.start_offset = hsk->start_offset;
+-			session->internals.handshake_recv_buffer[pos]
+-				.end_offset = MIN(
+-				hsk->end_offset,
+-				session->internals.handshake_recv_buffer[pos]
+-					.end_offset);
+-		} else if (hsk->end_offset >
+-				   session->internals.handshake_recv_buffer[pos]
+-					   .end_offset &&
+-			   hsk->start_offset <=
+-				   session->internals.handshake_recv_buffer[pos]
+-						   .end_offset +
+-					   1) {
+-			memcpy(&session->internals.handshake_recv_buffer[pos]
+-					.data.data[hsk->start_offset],
++			recv_buf[pos].start_offset = hsk->start_offset;
++			recv_buf[pos].end_offset =
++				MIN(hsk->end_offset, recv_buf[pos].end_offset);
++		} else if (hsk->end_offset > recv_buf[pos].end_offset &&
++			   hsk->start_offset <= recv_buf[pos].end_offset + 1) {
++			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
+ 			       hsk->data.data, hsk->data.length);
+ 
+-			session->internals.handshake_recv_buffer[pos]
+-				.end_offset = hsk->end_offset;
+-			session->internals.handshake_recv_buffer[pos]
+-				.start_offset = MIN(
+-				hsk->start_offset,
+-				session->internals.handshake_recv_buffer[pos]
+-					.start_offset);
++			recv_buf[pos].end_offset = hsk->end_offset;
++			recv_buf[pos].start_offset = MIN(
++				hsk->start_offset, recv_buf[pos].start_offset);
+ 		}
+ 		_gnutls_handshake_buffer_clear(hsk);
+ 	}
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
new file mode 100644
index 0000000000..e7d5cc6c2b
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
@@ -0,0 +1,67 @@
+From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Fri, 17 Apr 2026 18:21:36 +0200
+Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly
+
+Previously, gnutls didn't check that DTLS fragments claimed
+a consistent message_length value.
+Additionally, a crucial array size check was missing,
+enabling an attacker to cause a heap overwrite.
+The updated version rejects fragments with mismatching length
+and adds a missing boundary check.
+
+Reported-by: Haruto Kimura (Stella)
+Reported-by: Oscar Reparaz
+Reported-by: Zou Dikai
+Fixes: #1816
+Fixes: #1838
+Fixes: #1839
+Fixes: CVE-2026-33846
+Fixes: GNUTLS-SA-2026-04-29-1
+CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
+CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+
+CVE: CVE-2026-33846
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/buffers.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/lib/buffers.c b/lib/buffers.c
+index d54c77022..5d4d16276 100644
+--- a/lib/buffers.c
++++ b/lib/buffers.c
+@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t session,
+ 		_gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
+ 
+ 	} else {
++		if (hsk->length != recv_buf[pos].length) {
++			/* inconsistent across fragments */
++			_gnutls_handshake_buffer_clear(hsk);
++			return gnutls_assert_val(
++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++		}
++		/* start_offset + data.length <= hsk->length <= max_length */
++		if (hsk->length < hsk->start_offset + hsk->data.length) {
++			/* impossible claims, overflow requested */
++			_gnutls_handshake_buffer_clear(hsk);
++			return gnutls_assert_val(
++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++		}
++		if (hsk->length > recv_buf[pos].data.max_length) {
++			/* we don't have this much allocated, overflow guard */
++			_gnutls_handshake_buffer_clear(hsk);
++			return gnutls_assert_val(
++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++		}
++
+ 		if (hsk->start_offset < recv_buf[pos].start_offset &&
+ 		    hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
+ 			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index ccb6a2b4b2..e40a654a8e 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -43,6 +43,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2025-14831-7.patch \
            file://CVE-2025-14831-8.patch \
            file://CVE-2025-14831-9.patch \
+           file://CVE-2026-33846-pre.patch \
+           file://CVE-2026-33846.patch \
            "
 
 SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845
  2026-05-20  8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
@ 2026-05-20  8:13 ` hsimeliere.opensource
  2026-05-20  8:13 ` [OE-core][scarthgap][PATCH 3/7] gnutls: Fix CVE-2026-3833 hsimeliere.opensource
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: hsimeliere.opensource @ 2026-05-20  8:13 UTC (permalink / raw)
  To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY

From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>

Pick patch from [1] as mentioned in Debian report in [2].
Pick pre-patch [3] to minimize conflicts.

[1] https://gitlab.com/gnutls/gnutls/-/commit/e5b72c53c7d789d19d1d1cd10b275e87d0415413
[2] https://security-tracker.debian.org/tracker/CVE-2026-33845
[3] https://gitlab.com/gnutls/gnutls/-/commit/bd70e112d4d1f063223f0f0886aaaf33699390d0

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
 .../gnutls/gnutls/CVE-2026-33845-pre.patch    |  97 ++++++++++
 .../gnutls/gnutls/CVE-2026-33845.patch        | 172 ++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |   2 +
 3 files changed, 271 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33845-pre.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33845.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33845-pre.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33845-pre.patch
new file mode 100644
index 0000000000..0eaccd5ba9
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33845-pre.patch
@@ -0,0 +1,97 @@
+From f2f852f604d73f890f977bab9792fbc4c20adbcd Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Wed, 22 Apr 2026 14:19:57 +0200
+Subject: [PATCH 1/2] buffers: rename a variable in parse_handshake_header
+
+CVE: CVE-2026-33845
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/bd70e112d4d1f063223f0f0886aaaf33699390d0]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit bd70e112d4d1f063223f0f0886aaaf33699390d0)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/buffers.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/lib/buffers.c b/lib/buffers.c
+index 5d4d16276..705c77f91 100644
+--- a/lib/buffers.c
++++ b/lib/buffers.c
+@@ -857,7 +857,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ {
+ 	uint8_t *dataptr = NULL; /* for realloc */
+ 	size_t handshake_header_size = HANDSHAKE_HEADER_SIZE(session),
+-	       data_size, frag_size;
++	       data_size, frag_length;
+ 
+ 	/* Note: SSL2_HEADERS == 1 */
+ 	if (_mbuffer_get_udata_size(bufel) < handshake_header_size)
+@@ -872,7 +872,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ 		handshake_header_size =
+ 			SSL2_HEADERS; /* we've already read one byte */
+ 
+-		frag_size =
++		frag_length =
+ 			_mbuffer_get_udata_size(bufel) -
+ 			handshake_header_size; /* we've read the first byte */
+ 
+@@ -883,7 +883,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ 
+ 		hsk->sequence = 0;
+ 		hsk->start_offset = 0;
+-		hsk->length = frag_size;
++		hsk->length = frag_length;
+ 	} else
+ #endif
+ 	{ /* TLS or DTLS handshake headers */
+@@ -898,13 +898,13 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ 		if (IS_DTLS(session)) {
+ 			hsk->sequence = _gnutls_read_uint16(&dataptr[4]);
+ 			hsk->start_offset = _gnutls_read_uint24(&dataptr[6]);
+-			frag_size = _gnutls_read_uint24(&dataptr[9]);
++			frag_length = _gnutls_read_uint24(&dataptr[9]);
+ 		} else {
+ 			hsk->sequence = 0;
+ 			hsk->start_offset = 0;
+-			frag_size = MIN((_mbuffer_get_udata_size(bufel) -
+-					 handshake_header_size),
+-					hsk->length);
++			frag_length = MIN((_mbuffer_get_udata_size(bufel) -
++					   handshake_header_size),
++					  hsk->length);
+ 		}
+ 
+ 		/* TLS1.3: distinguish server hello versus hello retry request.
+@@ -923,8 +923,8 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ 	}
+ 	data_size = _mbuffer_get_udata_size(bufel) - handshake_header_size;
+ 
+-	if (frag_size > 0)
+-		hsk->end_offset = hsk->start_offset + frag_size - 1;
++	if (frag_length > 0)
++		hsk->end_offset = hsk->start_offset + frag_length - 1;
+ 	else
+ 		hsk->end_offset = 0;
+ 
+@@ -932,15 +932,15 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ 		"HSK[%p]: %s (%u) was received. Length %d[%d], frag offset %d, frag length: %d, sequence: %d\n",
+ 		session, _gnutls_handshake2str(hsk->htype),
+ 		(unsigned)hsk->htype, (int)hsk->length, (int)data_size,
+-		hsk->start_offset, (int)frag_size, (int)hsk->sequence);
++		hsk->start_offset, (int)frag_length, (int)hsk->sequence);
+ 
+ 	hsk->header_size = handshake_header_size;
+ 	memcpy(hsk->header, _mbuffer_get_udata_ptr(bufel),
+ 	       handshake_header_size);
+ 
+ 	if (hsk->length > 0 &&
+-	    (frag_size > data_size ||
+-	     (frag_size > 0 && hsk->end_offset >= hsk->length))) {
++	    (frag_length > data_size ||
++	     (frag_length > 0 && hsk->end_offset >= hsk->length))) {
+ 		return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+ 	} else if (hsk->length == 0 && hsk->end_offset != 0 &&
+ 		   hsk->start_offset != 0)
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33845.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33845.patch
new file mode 100644
index 0000000000..d9af55d263
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33845.patch
@@ -0,0 +1,172 @@
+From a6fc5c6fbfe10acd087cd233e73c5cfefbd2762a Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 23 Mar 2026 15:09:43 +0100
+Subject: [PATCH 2/2] buffers: switch from end_offset over to frag_length
+
+Instead of maintaining an inclusive [start_offset, end_offset] range
+when reassembling DTLS handshake,
+track start_offset and a relative frag_length instead.
+
+You'd think it'd be a no-op, but it fixes:
+
+* 0-length fragments triggering completion if message was 1 byte long
+* a remotely triggerable underflow and an ensuing heap overrun
+
+Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
+Fixes: #1811
+Fixes: CVE-2026-33845
+Fixes: GNUTLS-SA-2026-04-29-3
+CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+
+CVE: CVE-2026-33845
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/e5b72c53c7d789d19d1d1cd10b275e87d0415413]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit e5b72c53c7d789d19d1d1cd10b275e87d0415413)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/buffers.c    | 51 +++++++++++++++++++++++++-----------------------
+ lib/gnutls_int.h |  4 ++--
+ 2 files changed, 29 insertions(+), 26 deletions(-)
+
+diff --git a/lib/buffers.c b/lib/buffers.c
+index 705c77f91..9075a2009 100644
+--- a/lib/buffers.c
++++ b/lib/buffers.c
+@@ -923,10 +923,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ 	}
+ 	data_size = _mbuffer_get_udata_size(bufel) - handshake_header_size;
+ 
+-	if (frag_length > 0)
+-		hsk->end_offset = hsk->start_offset + frag_length - 1;
+-	else
+-		hsk->end_offset = 0;
++	hsk->frag_length = frag_length;
+ 
+ 	_gnutls_handshake_log(
+ 		"HSK[%p]: %s (%u) was received. Length %d[%d], frag offset %d, frag length: %d, sequence: %d\n",
+@@ -940,9 +937,11 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ 
+ 	if (hsk->length > 0 &&
+ 	    (frag_length > data_size ||
+-	     (frag_length > 0 && hsk->end_offset >= hsk->length))) {
++	     (frag_length > 0 &&
++	      hsk->start_offset + frag_length > hsk->length))) {
+ 		return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+-	} else if (hsk->length == 0 && hsk->end_offset != 0 &&
++	} else if (hsk->length == 0 &&
++		   hsk->start_offset + frag_length != hsk->start_offset &&
+ 		   hsk->start_offset != 0)
+ 		return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+ 
+@@ -993,11 +992,10 @@ static int merge_handshake_packet(gnutls_session_t session,
+ 			hsk->data.length = hsk->length;
+ 		}
+ 
+-		if (hsk->length > 0 && hsk->end_offset > 0 &&
+-		    hsk->end_offset - hsk->start_offset + 1 != hsk->length) {
++		if (hsk->length > 0 && hsk->frag_length > 0 &&
++		    hsk->frag_length != hsk->length) {
+ 			memmove(&hsk->data.data[hsk->start_offset],
+-				hsk->data.data,
+-				hsk->end_offset - hsk->start_offset + 1);
++				hsk->data.data, hsk->frag_length);
+ 		}
+ 
+ 		session->internals.handshake_recv_buffer_size++;
+@@ -1031,20 +1029,27 @@ static int merge_handshake_packet(gnutls_session_t session,
+ 		}
+ 
+ 		if (hsk->start_offset < recv_buf[pos].start_offset &&
+-		    hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
++		    hsk->start_offset + hsk->frag_length >=
++			    recv_buf[pos].start_offset) {
+ 			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
+ 			       hsk->data.data, hsk->data.length);
+ 			recv_buf[pos].start_offset = hsk->start_offset;
+-			recv_buf[pos].end_offset =
+-				MIN(hsk->end_offset, recv_buf[pos].end_offset);
+-		} else if (hsk->end_offset > recv_buf[pos].end_offset &&
+-			   hsk->start_offset <= recv_buf[pos].end_offset + 1) {
++			recv_buf[pos].frag_length = MIN(
++				hsk->frag_length, recv_buf[pos].frag_length);
++		} else if (hsk->start_offset + hsk->frag_length >
++				   recv_buf[pos].start_offset +
++					   recv_buf[pos].frag_length &&
++			   hsk->start_offset <=
++				   recv_buf[pos].start_offset +
++					   recv_buf[pos].frag_length) {
+ 			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
+ 			       hsk->data.data, hsk->data.length);
+ 
+-			recv_buf[pos].end_offset = hsk->end_offset;
+ 			recv_buf[pos].start_offset = MIN(
+ 				hsk->start_offset, recv_buf[pos].start_offset);
++			recv_buf[pos].frag_length = hsk->start_offset +
++						    hsk->frag_length -
++						    recv_buf[pos].start_offset;
+ 		}
+ 		_gnutls_handshake_buffer_clear(hsk);
+ 	}
+@@ -1104,8 +1109,8 @@ static int get_last_packet(gnutls_session_t session,
+ 		}
+ 
+ 		else if ((recv_buf[LAST_ELEMENT].start_offset == 0 &&
+-			  recv_buf[LAST_ELEMENT].end_offset ==
+-				  recv_buf[LAST_ELEMENT].length - 1) ||
++			  recv_buf[LAST_ELEMENT].frag_length ==
++				  recv_buf[LAST_ELEMENT].length) ||
+ 			 recv_buf[LAST_ELEMENT].length == 0) {
+ 			session->internals.dtls.hsk_read_seq++;
+ 			_gnutls_handshake_buffer_move(hsk,
+@@ -1116,8 +1121,9 @@ static int get_last_packet(gnutls_session_t session,
+ 			/* if we don't have a complete handshake message, but we
+ 			 * have queued data waiting, try again to reconstruct the
+ 			 * handshake packet, using the queued */
+-			if (recv_buf[LAST_ELEMENT].end_offset !=
+-				    recv_buf[LAST_ELEMENT].length - 1 &&
++			if ((recv_buf[LAST_ELEMENT].start_offset +
++			     recv_buf[LAST_ELEMENT].frag_length) !=
++				    recv_buf[LAST_ELEMENT].length &&
+ 			    record_check_unprocessed(session) > 0)
+ 				return gnutls_assert_val(
+ 					GNUTLS_E_INT_CHECK_AGAIN);
+@@ -1304,9 +1310,7 @@ int _gnutls_parse_record_buffered_msgs(gnutls_session_t session)
+ 					&session->internals.record_buffer,
+ 					bufel, ret);
+ 
+-				data_size = MIN(tmp.length,
+-						tmp.end_offset -
+-							tmp.start_offset + 1);
++				data_size = MIN(tmp.length, tmp.frag_length);
+ 
+ 				ret = _gnutls_buffer_append_data(
+ 					&tmp.data,
+@@ -1322,7 +1326,6 @@ int _gnutls_parse_record_buffered_msgs(gnutls_session_t session)
+ 				ret = merge_handshake_packet(session, &tmp);
+ 				if (ret < 0)
+ 					return gnutls_assert_val(ret);
+-
+ 			} while (_mbuffer_get_udata_size(bufel) > 0);
+ 
+ 			prev = bufel;
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index 8cf9a8715..689dcdc41 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -479,10 +479,10 @@ typedef struct {
+ 	uint16_t sequence;
+ 
+ 	/* indicate whether that message is complete.
+-	 * complete means start_offset == 0 and end_offset == length
++	 * complete means start_offset == 0 and frag_length == length
+ 	 */
+ 	uint32_t start_offset;
+-	uint32_t end_offset;
++	uint32_t frag_length; /* used exclusively in DTLS reassembly */
+ 
+ 	uint8_t header[MAX_HANDSHAKE_HEADER_SIZE];
+ 	int header_size;
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index e40a654a8e..702a83fc85 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -45,6 +45,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2025-14831-9.patch \
            file://CVE-2026-33846-pre.patch \
            file://CVE-2026-33846.patch \
+           file://CVE-2026-33845-pre.patch \
+           file://CVE-2026-33845.patch \
            "
 
 SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [OE-core][scarthgap][PATCH 3/7] gnutls: Fix CVE-2026-3833
  2026-05-20  8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
  2026-05-20  8:13 ` [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845 hsimeliere.opensource
@ 2026-05-20  8:13 ` hsimeliere.opensource
  2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 4/7] gnutls: Fix CVE-2026-42015 hsimeliere.opensource
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: hsimeliere.opensource @ 2026-05-20  8:13 UTC (permalink / raw)
  To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY

From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>

Pick patch from [1] as mentioned in Debian report in [2].

[1] https://gitlab.com/gnutls/gnutls/-/commit/19f6508647bdcd3ce21130201e484d7ca6d962c5
[2] https://security-tracker.debian.org/tracker/CVE-2026-3833

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
 .../gnutls/gnutls/CVE-2026-3833.patch         | 94 +++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |  1 +
 2 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch
new file mode 100644
index 0000000000..cca4ff86f8
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch
@@ -0,0 +1,94 @@
+From 2e8c3569d125d188b293d132c040201aae6ceb16 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 16 Mar 2026 15:29:40 +0100
+Subject: [PATCH] x509/name-constraints: compare domain names case-insensitive
+
+RFC 5280 7.2:
+> When comparing DNS names for equality, conforming implementations
+> MUST perform a case-insensitive exact match on the entire DNS name.
+> When evaluating name constraints, conforming implementations MUST
+> perform a case-insensitive exact match on a label-by-label basis.
+
+Domain name comparison during name constraints processing
+was case-sensitive. For excluded name constraints, this could lead to
+incorrectly accepting domain names that should've been rejected.
+The code for comparing domain names and domain name parts of emails
+has been modified to perform case-insensitive comparison instead.
+
+Reported-by: Oleh Konko <security@1seal.org>
+Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
+Fixes: #1223
+Fixes: #1803
+Fixes: #1852
+Fixes: CVE-2026-3833
+Fixes: GNUTLS-SA-2026-04-29-5
+
+CVE: CVE-2026-3833
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/19f6508647bdcd3ce21130201e484d7ca6d962c5]
+
+CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit 19f6508647bdcd3ce21130201e484d7ca6d962c5)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/x509/name_constraints.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
+index 04722bdf4..dee045d25 100644
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -35,6 +35,7 @@
+ #include "x509_int.h"
+ #include "x509_ext_int.h"
+ #include <libtasn1.h>
++#include "c-strcase.h"
+ 
+ #include "ip.h"
+ #include "ip-in-cidr.h"
+@@ -80,7 +81,7 @@ enum name_constraint_relation {
+ 	NC_SORTS_AFTER = 2 /* unrelated constraints */
+ };
+ 
+-/* A helper to compare just a pair of strings with this rich comparison */
++/* Helpers to compare just a pair of strings with this rich comparison */
+ static enum name_constraint_relation
+ compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len)
+ {
+@@ -96,6 +97,22 @@ compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len)
+ 	return NC_EQUAL;
+ }
+ 
++static enum name_constraint_relation
++compare_strings_case_insensitive(const void *n1, size_t n1_len, const void *n2,
++				 size_t n2_len)
++{
++	int r = c_strncasecmp(n1, n2, MIN(n1_len, n2_len));
++	if (r < 0)
++		return NC_SORTS_BEFORE;
++	if (r > 0)
++		return NC_SORTS_AFTER;
++	if (n1_len < n2_len)
++		return NC_SORTS_BEFORE;
++	if (n1_len > n2_len)
++		return NC_SORTS_AFTER;
++	return NC_EQUAL;
++}
++
+ /* Rich-compare DNS names. Example order/relationships:
+  * z.x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x.b BEFORE y.b */
+ static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1,
+@@ -121,8 +138,8 @@ static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1,
+ 		while (j && n2->data[j - 1] != '.')
+ 			j--;
+ 
+-		rel = compare_strings(&n1->data[i], i_end - i, &n2->data[j],
+-				      j_end - j);
++		rel = compare_strings_case_insensitive(&n1->data[i], i_end - i,
++						       &n2->data[j], j_end - j);
+ 		if (rel == NC_SORTS_BEFORE) /* x.a BEFORE y.a */
+ 			return NC_SORTS_BEFORE;
+ 		if (rel == NC_SORTS_AFTER) /* y.a AFTER x.a */
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 702a83fc85..69f90a3c01 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -47,6 +47,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2026-33846.patch \
            file://CVE-2026-33845-pre.patch \
            file://CVE-2026-33845.patch \
+           file://CVE-2026-3833.patch \
            "
 
 SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [OE-core][scarthgap][PATCH 4/7] gnutls: Fix CVE-2026-42015
  2026-05-20  8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
  2026-05-20  8:13 ` [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845 hsimeliere.opensource
  2026-05-20  8:13 ` [OE-core][scarthgap][PATCH 3/7] gnutls: Fix CVE-2026-3833 hsimeliere.opensource
@ 2026-05-20  8:14 ` hsimeliere.opensource
  2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 5/7] gnutls: Fix CVE-2026-42014 hsimeliere.opensource
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: hsimeliere.opensource @ 2026-05-20  8:14 UTC (permalink / raw)
  To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY

From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>

Pick patch from [1] as mentioned in Debian report in [2].

[1] https://gitlab.com/gnutls/gnutls/-/commit/a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca
[2] https://security-tracker.debian.org/tracker/CVE-2026-42015

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
 .../gnutls/gnutls/CVE-2026-42015.patch        | 50 +++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch
new file mode 100644
index 0000000000..dfc3506ccc
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch
@@ -0,0 +1,50 @@
+From 264da2a72033ed8890105231e5d36263d403ca60 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 20 Apr 2026 22:42:20 +0200
+Subject: [PATCH] x509/pkcs12_bag: fix off-by-one in bag element bounds check
+
+Appending elements to a PKCS#12 bag had a bounds check that
+prevented adding the 32nd element.
+On the other hand, it is possible to import one that already has 32.
+Subsequent appending then led to writing past the 32-element array,
+smashing its length.
+
+Tighten the check to reject any bag with 32 or more elements.
+
+We'll treat this vulnerability as a Low due to how contrived
+the requirements are: for the code to be vulnerable,
+it needs to append to an imported untrusted unencrypted PKCS#12 structure.
+
+Reported-by: Zou Dikai
+Fixes: #1840
+Fixes: CVE-2026-42015
+Fixes: GNUTLS-SA-2026-04-29-11
+CVSS: 6.1 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
+Severity: Low
+
+CVE: CVE-2026-42015
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/x509/pkcs12_bag.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
+index 911aeff93..38228613c 100644
+--- a/lib/x509/pkcs12_bag.c
++++ b/lib/x509/pkcs12_bag.c
+@@ -375,7 +375,7 @@ int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag_t bag,
+ 		return GNUTLS_E_INVALID_REQUEST;
+ 	}
+ 
+-	if (bag->bag_elements == MAX_BAG_ELEMENTS - 1) {
++	if (bag->bag_elements >= MAX_BAG_ELEMENTS - 1) {
+ 		gnutls_assert();
+ 		/* bag is full */
+ 		return GNUTLS_E_MEMORY_ERROR;
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 69f90a3c01..20946c1030 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -48,6 +48,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2026-33845-pre.patch \
            file://CVE-2026-33845.patch \
            file://CVE-2026-3833.patch \
+           file://CVE-2026-42015.patch \
            "
 
 SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [OE-core][scarthgap][PATCH 5/7] gnutls: Fix CVE-2026-42014
  2026-05-20  8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
                   ` (2 preceding siblings ...)
  2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 4/7] gnutls: Fix CVE-2026-42015 hsimeliere.opensource
@ 2026-05-20  8:14 ` hsimeliere.opensource
  2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 6/7] gnutls: Fix CVE-2026-42010 hsimeliere.opensource
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: hsimeliere.opensource @ 2026-05-20  8:14 UTC (permalink / raw)
  To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY

From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>

Pick patch from [1] as mentioned in Debian report in [2].

[1] https://gitlab.com/gnutls/gnutls/-/commit/3957f136e2ed23caf176a594b54b3827f5cef701
[2] https://security-tracker.debian.org/tracker/CVE-2026-42014

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
 .../gnutls/gnutls/CVE-2026-42014.patch        | 67 +++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch
new file mode 100644
index 0000000000..ceaf05bf1e
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch
@@ -0,0 +1,67 @@
+From b48f025e58763f3975e5d65d698df27a5211bc51 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Wed, 18 Mar 2026 18:19:06 +0100
+Subject: [PATCH] pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin
+
+Changing Security Officer PIN with gnutls_pkcs11_token_set_pin() with
+oldpin == NULL for a token that lacks a protected authentication path
+led to a use-after-free.
+
+Reported-by: Luigino Camastra and Joshua Rogers of AISLE Research Team
+Fixes: #1766
+Fixes: #1809
+Fixes: CVE-2026-42014
+Fixes: GNUTLS-SA-2026-04-29-9
+CVSS: 4.0 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+
+CVE: CVE-2026-42014
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/3957f136e2ed23caf176a594b54b3827f5cef701]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit 3957f136e2ed23caf176a594b54b3827f5cef701)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/pkcs11_write.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
+index 961e1b9d8..9fe571ea2 100644
+--- a/lib/pkcs11_write.c
++++ b/lib/pkcs11_write.c
+@@ -1267,10 +1267,9 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
+ 		ses_flags = SESSION_WRITE | SESSION_LOGIN;
+ 
+ 	ret = pkcs11_open_session(&sinfo, NULL, info, ses_flags);
+-	p11_kit_uri_free(info);
+-
+ 	if (ret < 0) {
+ 		gnutls_assert();
++		p11_kit_uri_free(info);
+ 		return ret;
+ 	}
+ 
+@@ -1291,9 +1290,11 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
+ 		oldpin_size = L(oldpin);
+ 
+ 		if (!(sinfo.tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
+-			if (newpin == NULL)
+-				return gnutls_assert_val(
++			if (newpin == NULL) {
++				ret = gnutls_assert_val(
+ 					GNUTLS_E_INVALID_REQUEST);
++				goto finish;
++			}
+ 
+ 			if (oldpin == NULL) {
+ 				struct pin_info_st pin_info;
+@@ -1325,6 +1326,7 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
+ 	ret = 0;
+ 
+ finish:
++	p11_kit_uri_free(info);
+ 	pkcs11_close_session(&sinfo);
+ 	return ret;
+ }
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 20946c1030..dc8e28c99b 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -49,6 +49,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2026-33845.patch \
            file://CVE-2026-3833.patch \
            file://CVE-2026-42015.patch \
+           file://CVE-2026-42014.patch \
            "
 
 SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [OE-core][scarthgap][PATCH 6/7] gnutls: Fix CVE-2026-42010
  2026-05-20  8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
                   ` (3 preceding siblings ...)
  2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 5/7] gnutls: Fix CVE-2026-42014 hsimeliere.opensource
@ 2026-05-20  8:14 ` hsimeliere.opensource
  2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 7/7] gnutls: Fix CVE-2026-5260 hsimeliere.opensource
  2026-06-04  8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
  6 siblings, 0 replies; 11+ messages in thread
From: hsimeliere.opensource @ 2026-05-20  8:14 UTC (permalink / raw)
  To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY

From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>

Pick patch from [1] as mentioned in Debian report in [2].

[1] https://gitlab.com/gnutls/gnutls/-/commit/cb1833afd9b6309563211b1c0a7c291f52ca98d5
[2] https://security-tracker.debian.org/tracker/CVE-2026-42010

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
 .../gnutls/gnutls/CVE-2026-42010.patch        | 42 +++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-42010.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-42010.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-42010.patch
new file mode 100644
index 0000000000..59454cefe7
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-42010.patch
@@ -0,0 +1,42 @@
+From 590f730b1cd35202bb372480e6a0ac0c3d31933e Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Tue, 21 Apr 2026 19:26:10 +0200
+Subject: [PATCH] lib/auth/rsa_psk: fix binary PSK identity lookup
+
+A server looking up PSK username with a NUL-character in it
+was wrongfully matching username truncated at a NUL-character.
+Fix the check to compare up to the full username length.
+
+Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
+Fixes: #1850
+Fixes: CVE-2026-42010
+Fixes: GNUTLS-SA-2026-04-29-4
+CVSS: 7.1 High CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
+
+CVE: CVE-2026-42010
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/cb1833afd9b6309563211b1c0a7c291f52ca98d5]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit cb1833afd9b6309563211b1c0a7c291f52ca98d5)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/auth/rsa_psk.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 399fb4da1..a14de467a 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -321,8 +321,7 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
+ 	 * filled in if the key is not found.
+ 	 */
+ 	ret = _gnutls_psk_pwd_find_entry(session, info->username,
+-					 strlen(info->username), &pwd_psk,
+-					 NULL);
++					 info->username_len, &pwd_psk, NULL);
+ 	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+ 
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index dc8e28c99b..0b3abb827c 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -50,6 +50,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2026-3833.patch \
            file://CVE-2026-42015.patch \
            file://CVE-2026-42014.patch \
+           file://CVE-2026-42010.patch \
            "
 
 SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [OE-core][scarthgap][PATCH 7/7] gnutls: Fix CVE-2026-5260
  2026-05-20  8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
                   ` (4 preceding siblings ...)
  2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 6/7] gnutls: Fix CVE-2026-42010 hsimeliere.opensource
@ 2026-05-20  8:14 ` hsimeliere.opensource
  2026-06-04  8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
  6 siblings, 0 replies; 11+ messages in thread
From: hsimeliere.opensource @ 2026-05-20  8:14 UTC (permalink / raw)
  To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY

From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>

Pick patches from [1] and [2] as mentioned in Debian report in [3].

[1] https://gitlab.com/gnutls/gnutls/-/commit/77228f2d1ac207d2f894e5a168fbb47e5378e42f
[2] https://gitlab.com/gnutls/gnutls/-/commit/cf6bdc5e4df49e5583d3fb4d2296779785f10683
[3] https://security-tracker.debian.org/tracker/CVE-2026-5260

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
 .../gnutls/gnutls/CVE-2026-5260-1.patch       | 78 +++++++++++++++++++
 .../gnutls/gnutls/CVE-2026-5260-2.patch       | 40 ++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |  2 +
 3 files changed, 120 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-5260-1.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-5260-2.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-1.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-1.patch
new file mode 100644
index 0000000000..060440e8b7
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-1.patch
@@ -0,0 +1,78 @@
+From a39a21031f9e56d31747b060f83fb49d1a77f0c5 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 30 Mar 2026 17:31:07 +0200
+Subject: [PATCH 1/2] lib/auth/rsa: check that ciphertext matches the modulus
+ size
+
+A client sending extremely short premaster secret as part of an
+RSA key exchange could've theoretically triggered a short heap overread
+to nowhere when the RSA key was backed with a PKCS#11 token.
+With this fix, the internal decryption function will not be called
+with an mismatching plaintext length specified, avoiding the overread.
+
+Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
+Fixes: #1814
+Fixes: CVE-2026-5260
+Fixes: GNUTLS-SA-2026-04-29-10
+CVSS: 5.9 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
+
+CVE: CVE-2026-5260
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/77228f2d1ac207d2f894e5a168fbb47e5378e42f]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit 77228f2d1ac207d2f894e5a168fbb47e5378e42f)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/auth/rsa.c     | 5 +++++
+ lib/auth/rsa_psk.c | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index b5ecc092f..24c1649be 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -158,6 +158,7 @@ static int proc_rsa_client_kx(gnutls_session_t session, uint8_t *data,
+ 	int ret, dsize;
+ 	ssize_t data_size = _data_size;
+ 	volatile uint8_t ver_maj, ver_min;
++	unsigned int key_bits;
+ 
+ #ifdef ENABLE_SSL3
+ 	if (get_num_version(session) == GNUTLS_SSL3) {
+@@ -180,6 +181,10 @@ static int proc_rsa_client_kx(gnutls_session_t session, uint8_t *data,
+ 		}
+ 		ciphertext.size = dsize;
+ 	}
++	gnutls_privkey_get_pk_algorithm(session->internals.selected_key,
++					&key_bits);
++	if (ciphertext.size != (key_bits + 7) / 8)
++		return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
+ 
+ 	ver_maj = _gnutls_get_adv_version_major(session);
+ 	ver_min = _gnutls_get_adv_version_minor(session);
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index a14de467a..a1da1b320 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -257,6 +257,7 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
+ 	ssize_t data_size = _data_size;
+ 	gnutls_psk_server_credentials_t cred;
+ 	volatile uint8_t ver_maj, ver_min;
++	unsigned int rsa_key_bits;
+ 
+ 	cred = (gnutls_psk_server_credentials_t)_gnutls_get_cred(
+ 		session, GNUTLS_CRD_PSK);
+@@ -313,6 +314,10 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
+ 		return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+ 	}
+ 	ciphertext.size = dsize;
++	gnutls_privkey_get_pk_algorithm(session->internals.selected_key,
++					&rsa_key_bits);
++	if (ciphertext.size != (rsa_key_bits + 7) / 8)
++		return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
+ 
+ 	ver_maj = _gnutls_get_adv_version_major(session);
+ 	ver_min = _gnutls_get_adv_version_minor(session);
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-2.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-2.patch
new file mode 100644
index 0000000000..32181e45da
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-2.patch
@@ -0,0 +1,40 @@
+From 9b58b5237713d2189192aa8591b337787ee2edff Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 30 Mar 2026 17:46:40 +0200
+Subject: [PATCH 2/2] lib/pkcs11_privkey: guard against overreading on short
+ ciphertexts
+
+This is an alternative fix for the callee side.
+
+Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
+Fixes: #1814
+Fixes: CVE-2026-5260
+Fixes: GNUTLS-SA-2026-04-29-10
+CVSS: 5.9 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
+
+CVE: CVE-2026-5260
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/cf6bdc5e4df49e5583d3fb4d2296779785f10683]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit cf6bdc5e4df49e5583d3fb4d2296779785f10683)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/pkcs11_privkey.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
+index 5093a6d56..369b034a6 100644
+--- a/lib/pkcs11_privkey.c
++++ b/lib/pkcs11_privkey.c
+@@ -826,7 +826,7 @@ int _gnutls_pkcs11_privkey_decrypt_data2(gnutls_pkcs11_privkey_t key,
+ 	if (ret != 0)
+ 		return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR);
+ 
+-	buffer = gnutls_malloc(siglen);
++	buffer = gnutls_malloc(MAX((size_t)siglen, plaintext_size));
+ 	if (!buffer) {
+ 		gnutls_assert();
+ 		return GNUTLS_E_MEMORY_ERROR;
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 0b3abb827c..a4a6a5fe21 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -51,6 +51,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2026-42015.patch \
            file://CVE-2026-42014.patch \
            file://CVE-2026-42010.patch \
+           file://CVE-2026-5260-1.patch \
+           file://CVE-2026-5260-2.patch \
            "
 
 SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 11+ messages in thread

* Re: [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846
  2026-05-20  8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
                   ` (5 preceding siblings ...)
  2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 7/7] gnutls: Fix CVE-2026-5260 hsimeliere.opensource
@ 2026-06-04  8:57 ` Yoann Congal
  2026-06-04 20:10   ` Yoann Congal
  2026-06-05  8:45   ` Yoann Congal
  6 siblings, 2 replies; 11+ messages in thread
From: Yoann Congal @ 2026-06-04  8:57 UTC (permalink / raw)
  To: hsimeliere.opensource, openembedded-core; +Cc: Bruno VERNAY

On Wed May 20, 2026 at 10:13 AM CEST, Hugo Simeliere via lists.openembedded.org wrote:
> From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
>
> Pick patch from [1] as mentioned in Debian report in [2].
> Pick pre-patch [3] to minimize conflicts.
>
> [1] https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78
> [2] https://security-tracker.debian.org/tracker/CVE-2026-33846
> [3] https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0
>
> Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
> ---
>  .../gnutls/gnutls/CVE-2026-33846-pre.patch    | 97 +++++++++++++++++++
>  .../gnutls/gnutls/CVE-2026-33846.patch        | 67 +++++++++++++
>  meta/recipes-support/gnutls/gnutls_3.8.4.bb   |  2 +
>  3 files changed, 166 insertions(+)
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
> new file mode 100644
> index 0000000000..71266cb338
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
> @@ -0,0 +1,97 @@
> +From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Fri, 17 Apr 2026 17:49:31 +0200
> +Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using recv_buf

As far as I can tell this patch is only cosmetic and I'd rather not
merge it unless you have a compeling reason.

To apply CVE-2026-33846.patch, it looks like you will need to change it
to use "session->internals.handshake_recv_buffer" instead of "recv_buf".

Regards,

> +
> +I had vague concerns about thread-safety of this,
> +but then this pattern already exists within the file.
> +
> +CVE: CVE-2026-33846
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0]
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0)
> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
> +---
> + lib/buffers.c | 52 +++++++++++++++++----------------------------------
> + 1 file changed, 17 insertions(+), 35 deletions(-)
> +
> +diff --git a/lib/buffers.c b/lib/buffers.c
> +index 672380b05..d54c77022 100644
> +--- a/lib/buffers.c
> ++++ b/lib/buffers.c
> +@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t session,
> + 	int exists = 0, i, pos = 0;
> + 	int ret;
> + 
> ++	handshake_buffer_st *recv_buf =
> ++		session->internals.handshake_recv_buffer;
> ++
> + 	for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
> +-		if (session->internals.handshake_recv_buffer[i].htype ==
> +-		    hsk->htype) {
> ++		if (recv_buf[i].htype == hsk->htype) {
> + 			exists = 1;
> + 			pos = i;
> + 			break;
> +@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t session,
> + 		_gnutls_write_uint24(0, &hsk->header[6]);
> + 		_gnutls_write_uint24(hsk->length, &hsk->header[9]);
> + 
> +-		_gnutls_handshake_buffer_move(
> +-			&session->internals.handshake_recv_buffer[pos], hsk);
> ++		_gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
> + 
> + 	} else {
> +-		if (hsk->start_offset <
> +-			    session->internals.handshake_recv_buffer[pos]
> +-				    .start_offset &&
> +-		    hsk->end_offset + 1 >=
> +-			    session->internals.handshake_recv_buffer[pos]
> +-				    .start_offset) {
> +-			memcpy(&session->internals.handshake_recv_buffer[pos]
> +-					.data.data[hsk->start_offset],
> ++		if (hsk->start_offset < recv_buf[pos].start_offset &&
> ++		    hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
> ++			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
> + 			       hsk->data.data, hsk->data.length);
> +-			session->internals.handshake_recv_buffer[pos]
> +-				.start_offset = hsk->start_offset;
> +-			session->internals.handshake_recv_buffer[pos]
> +-				.end_offset = MIN(
> +-				hsk->end_offset,
> +-				session->internals.handshake_recv_buffer[pos]
> +-					.end_offset);
> +-		} else if (hsk->end_offset >
> +-				   session->internals.handshake_recv_buffer[pos]
> +-					   .end_offset &&
> +-			   hsk->start_offset <=
> +-				   session->internals.handshake_recv_buffer[pos]
> +-						   .end_offset +
> +-					   1) {
> +-			memcpy(&session->internals.handshake_recv_buffer[pos]
> +-					.data.data[hsk->start_offset],
> ++			recv_buf[pos].start_offset = hsk->start_offset;
> ++			recv_buf[pos].end_offset =
> ++				MIN(hsk->end_offset, recv_buf[pos].end_offset);
> ++		} else if (hsk->end_offset > recv_buf[pos].end_offset &&
> ++			   hsk->start_offset <= recv_buf[pos].end_offset + 1) {
> ++			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
> + 			       hsk->data.data, hsk->data.length);
> + 
> +-			session->internals.handshake_recv_buffer[pos]
> +-				.end_offset = hsk->end_offset;
> +-			session->internals.handshake_recv_buffer[pos]
> +-				.start_offset = MIN(
> +-				hsk->start_offset,
> +-				session->internals.handshake_recv_buffer[pos]
> +-					.start_offset);
> ++			recv_buf[pos].end_offset = hsk->end_offset;
> ++			recv_buf[pos].start_offset = MIN(
> ++				hsk->start_offset, recv_buf[pos].start_offset);
> + 		}
> + 		_gnutls_handshake_buffer_clear(hsk);
> + 	}
> +-- 
> +2.43.0
> +
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
> new file mode 100644
> index 0000000000..e7d5cc6c2b
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
> @@ -0,0 +1,67 @@
> +From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Fri, 17 Apr 2026 18:21:36 +0200
> +Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly
> +
> +Previously, gnutls didn't check that DTLS fragments claimed
> +a consistent message_length value.
> +Additionally, a crucial array size check was missing,
> +enabling an attacker to cause a heap overwrite.
> +The updated version rejects fragments with mismatching length
> +and adds a missing boundary check.
> +
> +Reported-by: Haruto Kimura (Stella)
> +Reported-by: Oscar Reparaz
> +Reported-by: Zou Dikai
> +Fixes: #1816
> +Fixes: #1838
> +Fixes: #1839
> +Fixes: CVE-2026-33846
> +Fixes: GNUTLS-SA-2026-04-29-1
> +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
> +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> +
> +CVE: CVE-2026-33846
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78]
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78)
> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
> +---
> + lib/buffers.c | 20 ++++++++++++++++++++
> + 1 file changed, 20 insertions(+)
> +
> +diff --git a/lib/buffers.c b/lib/buffers.c
> +index d54c77022..5d4d16276 100644
> +--- a/lib/buffers.c
> ++++ b/lib/buffers.c
> +@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t session,
> + 		_gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
> + 
> + 	} else {
> ++		if (hsk->length != recv_buf[pos].length) {
> ++			/* inconsistent across fragments */
> ++			_gnutls_handshake_buffer_clear(hsk);
> ++			return gnutls_assert_val(
> ++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
> ++		}
> ++		/* start_offset + data.length <= hsk->length <= max_length */
> ++		if (hsk->length < hsk->start_offset + hsk->data.length) {
> ++			/* impossible claims, overflow requested */
> ++			_gnutls_handshake_buffer_clear(hsk);
> ++			return gnutls_assert_val(
> ++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
> ++		}
> ++		if (hsk->length > recv_buf[pos].data.max_length) {
> ++			/* we don't have this much allocated, overflow guard */
> ++			_gnutls_handshake_buffer_clear(hsk);
> ++			return gnutls_assert_val(
> ++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
> ++		}
> ++
> + 		if (hsk->start_offset < recv_buf[pos].start_offset &&
> + 		    hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
> + 			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
> +-- 
> +2.43.0
> +
> diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> index ccb6a2b4b2..e40a654a8e 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> @@ -43,6 +43,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
>             file://CVE-2025-14831-7.patch \
>             file://CVE-2025-14831-8.patch \
>             file://CVE-2025-14831-9.patch \
> +           file://CVE-2026-33846-pre.patch \
> +           file://CVE-2026-33846.patch \
>             "
>  
>  SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"


-- 
Yoann Congal
Smile ECS



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846
  2026-06-04  8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
@ 2026-06-04 20:10   ` Yoann Congal
  2026-07-06 10:48     ` Yoann Congal
  2026-06-05  8:45   ` Yoann Congal
  1 sibling, 1 reply; 11+ messages in thread
From: Yoann Congal @ 2026-06-04 20:10 UTC (permalink / raw)
  To: Yoann Congal, hsimeliere.opensource, openembedded-core; +Cc: Bruno VERNAY

On Thu Jun 4, 2026 at 10:57 AM CEST, Yoann Congal wrote:
> On Wed May 20, 2026 at 10:13 AM CEST, Hugo Simeliere via lists.openembedded.org wrote:
>> From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
>>
>> Pick patch from [1] as mentioned in Debian report in [2].
>> Pick pre-patch [3] to minimize conflicts.
>>
>> [1] https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78

Hello (again),

This patch is in the 3.8.13 tag but not in the 3.8.12 tag used on
wrynose. There was a 3.8.13 wrynose upgrade sent but I can't accept it.
So, this patch (as well as at least 2/7, I have not checked the others) must
be sent to wrynose before I can accept them on scarthgap. Can you do
that and ping back here when it's done?

Thanks!

>> [2] https://security-tracker.debian.org/tracker/CVE-2026-33846
>> [3] https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0
>>
>> Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
>> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
>> ---
>>  .../gnutls/gnutls/CVE-2026-33846-pre.patch    | 97 +++++++++++++++++++
>>  .../gnutls/gnutls/CVE-2026-33846.patch        | 67 +++++++++++++
>>  meta/recipes-support/gnutls/gnutls_3.8.4.bb   |  2 +
>>  3 files changed, 166 insertions(+)
>>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>>
>> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>> new file mode 100644
>> index 0000000000..71266cb338
>> --- /dev/null
>> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>> @@ -0,0 +1,97 @@
>> +From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001
>> +From: Alexander Sosedkin <asosedkin@redhat.com>
>> +Date: Fri, 17 Apr 2026 17:49:31 +0200
>> +Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using recv_buf
>
> As far as I can tell this patch is only cosmetic and I'd rather not
> merge it unless you have a compeling reason.
>
> To apply CVE-2026-33846.patch, it looks like you will need to change it
> to use "session->internals.handshake_recv_buffer" instead of "recv_buf".
>
> Regards,
>
>> +
>> +I had vague concerns about thread-safety of this,
>> +but then this pattern already exists within the file.
>> +
>> +CVE: CVE-2026-33846
>> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0]
>> +
>> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
>> +(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0)
>> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
>> +---
>> + lib/buffers.c | 52 +++++++++++++++++----------------------------------
>> + 1 file changed, 17 insertions(+), 35 deletions(-)
>> +
>> +diff --git a/lib/buffers.c b/lib/buffers.c
>> +index 672380b05..d54c77022 100644
>> +--- a/lib/buffers.c
>> ++++ b/lib/buffers.c
>> +@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t session,
>> + 	int exists = 0, i, pos = 0;
>> + 	int ret;
>> + 
>> ++	handshake_buffer_st *recv_buf =
>> ++		session->internals.handshake_recv_buffer;
>> ++
>> + 	for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
>> +-		if (session->internals.handshake_recv_buffer[i].htype ==
>> +-		    hsk->htype) {
>> ++		if (recv_buf[i].htype == hsk->htype) {
>> + 			exists = 1;
>> + 			pos = i;
>> + 			break;
>> +@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t session,
>> + 		_gnutls_write_uint24(0, &hsk->header[6]);
>> + 		_gnutls_write_uint24(hsk->length, &hsk->header[9]);
>> + 
>> +-		_gnutls_handshake_buffer_move(
>> +-			&session->internals.handshake_recv_buffer[pos], hsk);
>> ++		_gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
>> + 
>> + 	} else {
>> +-		if (hsk->start_offset <
>> +-			    session->internals.handshake_recv_buffer[pos]
>> +-				    .start_offset &&
>> +-		    hsk->end_offset + 1 >=
>> +-			    session->internals.handshake_recv_buffer[pos]
>> +-				    .start_offset) {
>> +-			memcpy(&session->internals.handshake_recv_buffer[pos]
>> +-					.data.data[hsk->start_offset],
>> ++		if (hsk->start_offset < recv_buf[pos].start_offset &&
>> ++		    hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
>> ++			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> + 			       hsk->data.data, hsk->data.length);
>> +-			session->internals.handshake_recv_buffer[pos]
>> +-				.start_offset = hsk->start_offset;
>> +-			session->internals.handshake_recv_buffer[pos]
>> +-				.end_offset = MIN(
>> +-				hsk->end_offset,
>> +-				session->internals.handshake_recv_buffer[pos]
>> +-					.end_offset);
>> +-		} else if (hsk->end_offset >
>> +-				   session->internals.handshake_recv_buffer[pos]
>> +-					   .end_offset &&
>> +-			   hsk->start_offset <=
>> +-				   session->internals.handshake_recv_buffer[pos]
>> +-						   .end_offset +
>> +-					   1) {
>> +-			memcpy(&session->internals.handshake_recv_buffer[pos]
>> +-					.data.data[hsk->start_offset],
>> ++			recv_buf[pos].start_offset = hsk->start_offset;
>> ++			recv_buf[pos].end_offset =
>> ++				MIN(hsk->end_offset, recv_buf[pos].end_offset);
>> ++		} else if (hsk->end_offset > recv_buf[pos].end_offset &&
>> ++			   hsk->start_offset <= recv_buf[pos].end_offset + 1) {
>> ++			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> + 			       hsk->data.data, hsk->data.length);
>> + 
>> +-			session->internals.handshake_recv_buffer[pos]
>> +-				.end_offset = hsk->end_offset;
>> +-			session->internals.handshake_recv_buffer[pos]
>> +-				.start_offset = MIN(
>> +-				hsk->start_offset,
>> +-				session->internals.handshake_recv_buffer[pos]
>> +-					.start_offset);
>> ++			recv_buf[pos].end_offset = hsk->end_offset;
>> ++			recv_buf[pos].start_offset = MIN(
>> ++				hsk->start_offset, recv_buf[pos].start_offset);
>> + 		}
>> + 		_gnutls_handshake_buffer_clear(hsk);
>> + 	}
>> +-- 
>> +2.43.0
>> +
>> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>> new file mode 100644
>> index 0000000000..e7d5cc6c2b
>> --- /dev/null
>> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>> @@ -0,0 +1,67 @@
>> +From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001
>> +From: Alexander Sosedkin <asosedkin@redhat.com>
>> +Date: Fri, 17 Apr 2026 18:21:36 +0200
>> +Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly
>> +
>> +Previously, gnutls didn't check that DTLS fragments claimed
>> +a consistent message_length value.
>> +Additionally, a crucial array size check was missing,
>> +enabling an attacker to cause a heap overwrite.
>> +The updated version rejects fragments with mismatching length
>> +and adds a missing boundary check.
>> +
>> +Reported-by: Haruto Kimura (Stella)
>> +Reported-by: Oscar Reparaz
>> +Reported-by: Zou Dikai
>> +Fixes: #1816
>> +Fixes: #1838
>> +Fixes: #1839
>> +Fixes: CVE-2026-33846
>> +Fixes: GNUTLS-SA-2026-04-29-1
>> +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
>> +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
>> +
>> +CVE: CVE-2026-33846
>> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78]
>> +
>> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
>> +(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78)
>> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
>> +---
>> + lib/buffers.c | 20 ++++++++++++++++++++
>> + 1 file changed, 20 insertions(+)
>> +
>> +diff --git a/lib/buffers.c b/lib/buffers.c
>> +index d54c77022..5d4d16276 100644
>> +--- a/lib/buffers.c
>> ++++ b/lib/buffers.c
>> +@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t session,
>> + 		_gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
>> + 
>> + 	} else {
>> ++		if (hsk->length != recv_buf[pos].length) {
>> ++			/* inconsistent across fragments */
>> ++			_gnutls_handshake_buffer_clear(hsk);
>> ++			return gnutls_assert_val(
>> ++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++		}
>> ++		/* start_offset + data.length <= hsk->length <= max_length */
>> ++		if (hsk->length < hsk->start_offset + hsk->data.length) {
>> ++			/* impossible claims, overflow requested */
>> ++			_gnutls_handshake_buffer_clear(hsk);
>> ++			return gnutls_assert_val(
>> ++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++		}
>> ++		if (hsk->length > recv_buf[pos].data.max_length) {
>> ++			/* we don't have this much allocated, overflow guard */
>> ++			_gnutls_handshake_buffer_clear(hsk);
>> ++			return gnutls_assert_val(
>> ++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++		}
>> ++
>> + 		if (hsk->start_offset < recv_buf[pos].start_offset &&
>> + 		    hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
>> + 			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> +-- 
>> +2.43.0
>> +
>> diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> index ccb6a2b4b2..e40a654a8e 100644
>> --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> @@ -43,6 +43,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
>>             file://CVE-2025-14831-7.patch \
>>             file://CVE-2025-14831-8.patch \
>>             file://CVE-2025-14831-9.patch \
>> +           file://CVE-2026-33846-pre.patch \
>> +           file://CVE-2026-33846.patch \
>>             "
>>  
>>  SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"


-- 
Yoann Congal
Smile ECS



^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846
  2026-06-04  8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
  2026-06-04 20:10   ` Yoann Congal
@ 2026-06-05  8:45   ` Yoann Congal
  1 sibling, 0 replies; 11+ messages in thread
From: Yoann Congal @ 2026-06-05  8:45 UTC (permalink / raw)
  To: hsimeliere.opensource, openembedded-core; +Cc: Bruno VERNAY

[-- Attachment #1: Type: text/plain, Size: 11588 bytes --]

Le jeu. 4 juin 2026 à 10:57, Yoann Congal <yoann.congal@smile.fr> a écrit :

> On Wed May 20, 2026 at 10:13 AM CEST, Hugo Simeliere via
> lists.openembedded.org wrote:
> > From: "Hugo SIMELIERE (Schneider Electric)" <
> hsimeliere.opensource@witekio.com>
> >
> > Pick patch from [1] as mentioned in Debian report in [2].
> > Pick pre-patch [3] to minimize conflicts.
> >
> > [1]
> https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78
> > [2] https://security-tracker.debian.org/tracker/CVE-2026-33846
> > [3]
> https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0
> >
> > Signed-off-by: Hugo SIMELIERE (Schneider Electric) <
> hsimeliere.opensource@witekio.com>
> > Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
> > ---
> >  .../gnutls/gnutls/CVE-2026-33846-pre.patch    | 97 +++++++++++++++++++
> >  .../gnutls/gnutls/CVE-2026-33846.patch        | 67 +++++++++++++
> >  meta/recipes-support/gnutls/gnutls_3.8.4.bb   |  2 +
> >  3 files changed, 166 insertions(+)
> >  create mode 100644
> meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
> >  create mode 100644
> meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
> >
> > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
> b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
> > new file mode 100644
> > index 0000000000..71266cb338
> > --- /dev/null
> > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
> > @@ -0,0 +1,97 @@
> > +From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001
> > +From: Alexander Sosedkin <asosedkin@redhat.com>
> > +Date: Fri, 17 Apr 2026 17:49:31 +0200
> > +Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using
> recv_buf
>
> As far as I can tell this patch is only cosmetic and I'd rather not
> merge it unless you have a compeling reason.
>
> To apply CVE-2026-33846.patch, it looks like you will need to change it
> to use "session->internals.handshake_recv_buffer" instead of "recv_buf".
>

Hello,

Actually, scratch that. I've discussed it with Paul. In this case, the
review will be easier with the cosmetic "-pre" patches.
So, don't change that. Sorry for the noise.

Regards,


>
> Regards,
>
> > +
> > +I had vague concerns about thread-safety of this,
> > +but then this pattern already exists within the file.
> > +
> > +CVE: CVE-2026-33846
> > +Upstream-Status: Backport [
> https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0
> ]
> > +
> > +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> > +(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0)
> > +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <
> hsimeliere.opensource@witekio.com>
> > +---
> > + lib/buffers.c | 52 +++++++++++++++++----------------------------------
> > + 1 file changed, 17 insertions(+), 35 deletions(-)
> > +
> > +diff --git a/lib/buffers.c b/lib/buffers.c
> > +index 672380b05..d54c77022 100644
> > +--- a/lib/buffers.c
> > ++++ b/lib/buffers.c
> > +@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t
> session,
> > +     int exists = 0, i, pos = 0;
> > +     int ret;
> > +
> > ++    handshake_buffer_st *recv_buf =
> > ++            session->internals.handshake_recv_buffer;
> > ++
> > +     for (i = 0; i < session->internals.handshake_recv_buffer_size;
> i++) {
> > +-            if (session->internals.handshake_recv_buffer[i].htype ==
> > +-                hsk->htype) {
> > ++            if (recv_buf[i].htype == hsk->htype) {
> > +                     exists = 1;
> > +                     pos = i;
> > +                     break;
> > +@@ -1005,44 +1007,24 @@ static int
> merge_handshake_packet(gnutls_session_t session,
> > +             _gnutls_write_uint24(0, &hsk->header[6]);
> > +             _gnutls_write_uint24(hsk->length, &hsk->header[9]);
> > +
> > +-            _gnutls_handshake_buffer_move(
> > +-                    &session->internals.handshake_recv_buffer[pos],
> hsk);
> > ++            _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
> > +
> > +     } else {
> > +-            if (hsk->start_offset <
> > +-                        session->internals.handshake_recv_buffer[pos]
> > +-                                .start_offset &&
> > +-                hsk->end_offset + 1 >=
> > +-                        session->internals.handshake_recv_buffer[pos]
> > +-                                .start_offset) {
> > +-
> memcpy(&session->internals.handshake_recv_buffer[pos]
> > +-                                    .data.data[hsk->start_offset],
> > ++            if (hsk->start_offset < recv_buf[pos].start_offset &&
> > ++                hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
> > ++                    memcpy(&recv_buf[pos].data.data[hsk->start_offset],
> > +                            hsk->data.data, hsk->data.length);
> > +-                    session->internals.handshake_recv_buffer[pos]
> > +-                            .start_offset = hsk->start_offset;
> > +-                    session->internals.handshake_recv_buffer[pos]
> > +-                            .end_offset = MIN(
> > +-                            hsk->end_offset,
> > +-
> session->internals.handshake_recv_buffer[pos]
> > +-                                    .end_offset);
> > +-            } else if (hsk->end_offset >
> > +-
>  session->internals.handshake_recv_buffer[pos]
> > +-                                       .end_offset &&
> > +-                       hsk->start_offset <=
> > +-
>  session->internals.handshake_recv_buffer[pos]
> > +-                                               .end_offset +
> > +-                                       1) {
> > +-
> memcpy(&session->internals.handshake_recv_buffer[pos]
> > +-                                    .data.data[hsk->start_offset],
> > ++                    recv_buf[pos].start_offset = hsk->start_offset;
> > ++                    recv_buf[pos].end_offset =
> > ++                            MIN(hsk->end_offset,
> recv_buf[pos].end_offset);
> > ++            } else if (hsk->end_offset > recv_buf[pos].end_offset &&
> > ++                       hsk->start_offset <= recv_buf[pos].end_offset +
> 1) {
> > ++                    memcpy(&recv_buf[pos].data.data[hsk->start_offset],
> > +                            hsk->data.data, hsk->data.length);
> > +
> > +-                    session->internals.handshake_recv_buffer[pos]
> > +-                            .end_offset = hsk->end_offset;
> > +-                    session->internals.handshake_recv_buffer[pos]
> > +-                            .start_offset = MIN(
> > +-                            hsk->start_offset,
> > +-
> session->internals.handshake_recv_buffer[pos]
> > +-                                    .start_offset);
> > ++                    recv_buf[pos].end_offset = hsk->end_offset;
> > ++                    recv_buf[pos].start_offset = MIN(
> > ++                            hsk->start_offset,
> recv_buf[pos].start_offset);
> > +             }
> > +             _gnutls_handshake_buffer_clear(hsk);
> > +     }
> > +--
> > +2.43.0
> > +
> > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
> b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
> > new file mode 100644
> > index 0000000000..e7d5cc6c2b
> > --- /dev/null
> > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
> > @@ -0,0 +1,67 @@
> > +From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001
> > +From: Alexander Sosedkin <asosedkin@redhat.com>
> > +Date: Fri, 17 Apr 2026 18:21:36 +0200
> > +Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly
> > +
> > +Previously, gnutls didn't check that DTLS fragments claimed
> > +a consistent message_length value.
> > +Additionally, a crucial array size check was missing,
> > +enabling an attacker to cause a heap overwrite.
> > +The updated version rejects fragments with mismatching length
> > +and adds a missing boundary check.
> > +
> > +Reported-by: Haruto Kimura (Stella)
> > +Reported-by: Oscar Reparaz
> > +Reported-by: Zou Dikai
> > +Fixes: #1816
> > +Fixes: #1838
> > +Fixes: #1839
> > +Fixes: CVE-2026-33846
> > +Fixes: GNUTLS-SA-2026-04-29-1
> > +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
> > +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> > +
> > +CVE: CVE-2026-33846
> > +Upstream-Status: Backport [
> https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78
> ]
> > +
> > +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> > +(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78)
> > +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <
> hsimeliere.opensource@witekio.com>
> > +---
> > + lib/buffers.c | 20 ++++++++++++++++++++
> > + 1 file changed, 20 insertions(+)
> > +
> > +diff --git a/lib/buffers.c b/lib/buffers.c
> > +index d54c77022..5d4d16276 100644
> > +--- a/lib/buffers.c
> > ++++ b/lib/buffers.c
> > +@@ -1010,6 +1010,26 @@ static int
> merge_handshake_packet(gnutls_session_t session,
> > +             _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
> > +
> > +     } else {
> > ++            if (hsk->length != recv_buf[pos].length) {
> > ++                    /* inconsistent across fragments */
> > ++                    _gnutls_handshake_buffer_clear(hsk);
> > ++                    return gnutls_assert_val(
> > ++                            GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
> > ++            }
> > ++            /* start_offset + data.length <= hsk->length <= max_length
> */
> > ++            if (hsk->length < hsk->start_offset + hsk->data.length) {
> > ++                    /* impossible claims, overflow requested */
> > ++                    _gnutls_handshake_buffer_clear(hsk);
> > ++                    return gnutls_assert_val(
> > ++                            GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
> > ++            }
> > ++            if (hsk->length > recv_buf[pos].data.max_length) {
> > ++                    /* we don't have this much allocated, overflow
> guard */
> > ++                    _gnutls_handshake_buffer_clear(hsk);
> > ++                    return gnutls_assert_val(
> > ++                            GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
> > ++            }
> > ++
> > +             if (hsk->start_offset < recv_buf[pos].start_offset &&
> > +                 hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
> > +                     memcpy(&recv_buf[pos].data.data[hsk->start_offset],
> > +--
> > +2.43.0
> > +
> > diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> > index ccb6a2b4b2..e40a654a8e 100644
> > --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> > +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> > @@ -43,6 +43,8 @@ SRC_URI = "
> https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
> >             file://CVE-2025-14831-7.patch \
> >             file://CVE-2025-14831-8.patch \
> >             file://CVE-2025-14831-9.patch \
> > +           file://CVE-2026-33846-pre.patch \
> > +           file://CVE-2026-33846.patch \
> >             "
> >
> >  SRC_URI[sha256sum] =
> "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
>
>
> --
> Yoann Congal
> Smile ECS
>
>

-- 
Yoann Congal
Smile ECS

[-- Attachment #2: Type: text/html, Size: 16622 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846
  2026-06-04 20:10   ` Yoann Congal
@ 2026-07-06 10:48     ` Yoann Congal
  0 siblings, 0 replies; 11+ messages in thread
From: Yoann Congal @ 2026-07-06 10:48 UTC (permalink / raw)
  To: Yoann Congal, hsimeliere.opensource, openembedded-core; +Cc: Bruno VERNAY

On Thu Jun 4, 2026 at 10:10 PM CEST, Yoann Congal wrote:
> On Thu Jun 4, 2026 at 10:57 AM CEST, Yoann Congal wrote:
>> On Wed May 20, 2026 at 10:13 AM CEST, Hugo Simeliere via lists.openembedded.org wrote:
>>> From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
>>>
>>> Pick patch from [1] as mentioned in Debian report in [2].
>>> Pick pre-patch [3] to minimize conflicts.
>>>
>>> [1] https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78
>
> Hello (again),
>
> This patch is in the 3.8.13 tag but not in the 3.8.12 tag used on
> wrynose. There was a 3.8.13 wrynose upgrade sent but I can't accept it.
> So, this patch (as well as at least 2/7, I have not checked the others) must
> be sent to wrynose before I can accept them on scarthgap. Can you do
> that and ping back here when it's done?

Hello,

I will now drop this series. If the above situation changes, please send
a new patch.

Regards,
-- 
Yoann Congal
Smile ECS



^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2026-07-06 10:48 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-20  8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
2026-05-20  8:13 ` [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845 hsimeliere.opensource
2026-05-20  8:13 ` [OE-core][scarthgap][PATCH 3/7] gnutls: Fix CVE-2026-3833 hsimeliere.opensource
2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 4/7] gnutls: Fix CVE-2026-42015 hsimeliere.opensource
2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 5/7] gnutls: Fix CVE-2026-42014 hsimeliere.opensource
2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 6/7] gnutls: Fix CVE-2026-42010 hsimeliere.opensource
2026-05-20  8:14 ` [OE-core][scarthgap][PATCH 7/7] gnutls: Fix CVE-2026-5260 hsimeliere.opensource
2026-06-04  8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
2026-06-04 20:10   ` Yoann Congal
2026-07-06 10:48     ` Yoann Congal
2026-06-05  8:45   ` Yoann Congal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox