* [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845
2026-05-20 8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
@ 2026-05-20 8:13 ` hsimeliere.opensource
2026-05-20 8:13 ` [OE-core][scarthgap][PATCH 3/7] gnutls: Fix CVE-2026-3833 hsimeliere.opensource
` (5 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: hsimeliere.opensource @ 2026-05-20 8:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY
From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
Pick patch from [1] as mentioned in Debian report in [2].
Pick pre-patch [3] to minimize conflicts.
[1] https://gitlab.com/gnutls/gnutls/-/commit/e5b72c53c7d789d19d1d1cd10b275e87d0415413
[2] https://security-tracker.debian.org/tracker/CVE-2026-33845
[3] https://gitlab.com/gnutls/gnutls/-/commit/bd70e112d4d1f063223f0f0886aaaf33699390d0
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
.../gnutls/gnutls/CVE-2026-33845-pre.patch | 97 ++++++++++
.../gnutls/gnutls/CVE-2026-33845.patch | 172 ++++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 +
3 files changed, 271 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33845-pre.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33845.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33845-pre.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33845-pre.patch
new file mode 100644
index 0000000000..0eaccd5ba9
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33845-pre.patch
@@ -0,0 +1,97 @@
+From f2f852f604d73f890f977bab9792fbc4c20adbcd Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Wed, 22 Apr 2026 14:19:57 +0200
+Subject: [PATCH 1/2] buffers: rename a variable in parse_handshake_header
+
+CVE: CVE-2026-33845
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/bd70e112d4d1f063223f0f0886aaaf33699390d0]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit bd70e112d4d1f063223f0f0886aaaf33699390d0)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/buffers.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/lib/buffers.c b/lib/buffers.c
+index 5d4d16276..705c77f91 100644
+--- a/lib/buffers.c
++++ b/lib/buffers.c
+@@ -857,7 +857,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ {
+ uint8_t *dataptr = NULL; /* for realloc */
+ size_t handshake_header_size = HANDSHAKE_HEADER_SIZE(session),
+- data_size, frag_size;
++ data_size, frag_length;
+
+ /* Note: SSL2_HEADERS == 1 */
+ if (_mbuffer_get_udata_size(bufel) < handshake_header_size)
+@@ -872,7 +872,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ handshake_header_size =
+ SSL2_HEADERS; /* we've already read one byte */
+
+- frag_size =
++ frag_length =
+ _mbuffer_get_udata_size(bufel) -
+ handshake_header_size; /* we've read the first byte */
+
+@@ -883,7 +883,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+
+ hsk->sequence = 0;
+ hsk->start_offset = 0;
+- hsk->length = frag_size;
++ hsk->length = frag_length;
+ } else
+ #endif
+ { /* TLS or DTLS handshake headers */
+@@ -898,13 +898,13 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ if (IS_DTLS(session)) {
+ hsk->sequence = _gnutls_read_uint16(&dataptr[4]);
+ hsk->start_offset = _gnutls_read_uint24(&dataptr[6]);
+- frag_size = _gnutls_read_uint24(&dataptr[9]);
++ frag_length = _gnutls_read_uint24(&dataptr[9]);
+ } else {
+ hsk->sequence = 0;
+ hsk->start_offset = 0;
+- frag_size = MIN((_mbuffer_get_udata_size(bufel) -
+- handshake_header_size),
+- hsk->length);
++ frag_length = MIN((_mbuffer_get_udata_size(bufel) -
++ handshake_header_size),
++ hsk->length);
+ }
+
+ /* TLS1.3: distinguish server hello versus hello retry request.
+@@ -923,8 +923,8 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ }
+ data_size = _mbuffer_get_udata_size(bufel) - handshake_header_size;
+
+- if (frag_size > 0)
+- hsk->end_offset = hsk->start_offset + frag_size - 1;
++ if (frag_length > 0)
++ hsk->end_offset = hsk->start_offset + frag_length - 1;
+ else
+ hsk->end_offset = 0;
+
+@@ -932,15 +932,15 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ "HSK[%p]: %s (%u) was received. Length %d[%d], frag offset %d, frag length: %d, sequence: %d\n",
+ session, _gnutls_handshake2str(hsk->htype),
+ (unsigned)hsk->htype, (int)hsk->length, (int)data_size,
+- hsk->start_offset, (int)frag_size, (int)hsk->sequence);
++ hsk->start_offset, (int)frag_length, (int)hsk->sequence);
+
+ hsk->header_size = handshake_header_size;
+ memcpy(hsk->header, _mbuffer_get_udata_ptr(bufel),
+ handshake_header_size);
+
+ if (hsk->length > 0 &&
+- (frag_size > data_size ||
+- (frag_size > 0 && hsk->end_offset >= hsk->length))) {
++ (frag_length > data_size ||
++ (frag_length > 0 && hsk->end_offset >= hsk->length))) {
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+ } else if (hsk->length == 0 && hsk->end_offset != 0 &&
+ hsk->start_offset != 0)
+--
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33845.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33845.patch
new file mode 100644
index 0000000000..d9af55d263
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33845.patch
@@ -0,0 +1,172 @@
+From a6fc5c6fbfe10acd087cd233e73c5cfefbd2762a Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 23 Mar 2026 15:09:43 +0100
+Subject: [PATCH 2/2] buffers: switch from end_offset over to frag_length
+
+Instead of maintaining an inclusive [start_offset, end_offset] range
+when reassembling DTLS handshake,
+track start_offset and a relative frag_length instead.
+
+You'd think it'd be a no-op, but it fixes:
+
+* 0-length fragments triggering completion if message was 1 byte long
+* a remotely triggerable underflow and an ensuing heap overrun
+
+Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
+Fixes: #1811
+Fixes: CVE-2026-33845
+Fixes: GNUTLS-SA-2026-04-29-3
+CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+
+CVE: CVE-2026-33845
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/e5b72c53c7d789d19d1d1cd10b275e87d0415413]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit e5b72c53c7d789d19d1d1cd10b275e87d0415413)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/buffers.c | 51 +++++++++++++++++++++++++-----------------------
+ lib/gnutls_int.h | 4 ++--
+ 2 files changed, 29 insertions(+), 26 deletions(-)
+
+diff --git a/lib/buffers.c b/lib/buffers.c
+index 705c77f91..9075a2009 100644
+--- a/lib/buffers.c
++++ b/lib/buffers.c
+@@ -923,10 +923,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+ }
+ data_size = _mbuffer_get_udata_size(bufel) - handshake_header_size;
+
+- if (frag_length > 0)
+- hsk->end_offset = hsk->start_offset + frag_length - 1;
+- else
+- hsk->end_offset = 0;
++ hsk->frag_length = frag_length;
+
+ _gnutls_handshake_log(
+ "HSK[%p]: %s (%u) was received. Length %d[%d], frag offset %d, frag length: %d, sequence: %d\n",
+@@ -940,9 +937,11 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel,
+
+ if (hsk->length > 0 &&
+ (frag_length > data_size ||
+- (frag_length > 0 && hsk->end_offset >= hsk->length))) {
++ (frag_length > 0 &&
++ hsk->start_offset + frag_length > hsk->length))) {
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+- } else if (hsk->length == 0 && hsk->end_offset != 0 &&
++ } else if (hsk->length == 0 &&
++ hsk->start_offset + frag_length != hsk->start_offset &&
+ hsk->start_offset != 0)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+
+@@ -993,11 +992,10 @@ static int merge_handshake_packet(gnutls_session_t session,
+ hsk->data.length = hsk->length;
+ }
+
+- if (hsk->length > 0 && hsk->end_offset > 0 &&
+- hsk->end_offset - hsk->start_offset + 1 != hsk->length) {
++ if (hsk->length > 0 && hsk->frag_length > 0 &&
++ hsk->frag_length != hsk->length) {
+ memmove(&hsk->data.data[hsk->start_offset],
+- hsk->data.data,
+- hsk->end_offset - hsk->start_offset + 1);
++ hsk->data.data, hsk->frag_length);
+ }
+
+ session->internals.handshake_recv_buffer_size++;
+@@ -1031,20 +1029,27 @@ static int merge_handshake_packet(gnutls_session_t session,
+ }
+
+ if (hsk->start_offset < recv_buf[pos].start_offset &&
+- hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
++ hsk->start_offset + hsk->frag_length >=
++ recv_buf[pos].start_offset) {
+ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
+ hsk->data.data, hsk->data.length);
+ recv_buf[pos].start_offset = hsk->start_offset;
+- recv_buf[pos].end_offset =
+- MIN(hsk->end_offset, recv_buf[pos].end_offset);
+- } else if (hsk->end_offset > recv_buf[pos].end_offset &&
+- hsk->start_offset <= recv_buf[pos].end_offset + 1) {
++ recv_buf[pos].frag_length = MIN(
++ hsk->frag_length, recv_buf[pos].frag_length);
++ } else if (hsk->start_offset + hsk->frag_length >
++ recv_buf[pos].start_offset +
++ recv_buf[pos].frag_length &&
++ hsk->start_offset <=
++ recv_buf[pos].start_offset +
++ recv_buf[pos].frag_length) {
+ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
+ hsk->data.data, hsk->data.length);
+
+- recv_buf[pos].end_offset = hsk->end_offset;
+ recv_buf[pos].start_offset = MIN(
+ hsk->start_offset, recv_buf[pos].start_offset);
++ recv_buf[pos].frag_length = hsk->start_offset +
++ hsk->frag_length -
++ recv_buf[pos].start_offset;
+ }
+ _gnutls_handshake_buffer_clear(hsk);
+ }
+@@ -1104,8 +1109,8 @@ static int get_last_packet(gnutls_session_t session,
+ }
+
+ else if ((recv_buf[LAST_ELEMENT].start_offset == 0 &&
+- recv_buf[LAST_ELEMENT].end_offset ==
+- recv_buf[LAST_ELEMENT].length - 1) ||
++ recv_buf[LAST_ELEMENT].frag_length ==
++ recv_buf[LAST_ELEMENT].length) ||
+ recv_buf[LAST_ELEMENT].length == 0) {
+ session->internals.dtls.hsk_read_seq++;
+ _gnutls_handshake_buffer_move(hsk,
+@@ -1116,8 +1121,9 @@ static int get_last_packet(gnutls_session_t session,
+ /* if we don't have a complete handshake message, but we
+ * have queued data waiting, try again to reconstruct the
+ * handshake packet, using the queued */
+- if (recv_buf[LAST_ELEMENT].end_offset !=
+- recv_buf[LAST_ELEMENT].length - 1 &&
++ if ((recv_buf[LAST_ELEMENT].start_offset +
++ recv_buf[LAST_ELEMENT].frag_length) !=
++ recv_buf[LAST_ELEMENT].length &&
+ record_check_unprocessed(session) > 0)
+ return gnutls_assert_val(
+ GNUTLS_E_INT_CHECK_AGAIN);
+@@ -1304,9 +1310,7 @@ int _gnutls_parse_record_buffered_msgs(gnutls_session_t session)
+ &session->internals.record_buffer,
+ bufel, ret);
+
+- data_size = MIN(tmp.length,
+- tmp.end_offset -
+- tmp.start_offset + 1);
++ data_size = MIN(tmp.length, tmp.frag_length);
+
+ ret = _gnutls_buffer_append_data(
+ &tmp.data,
+@@ -1322,7 +1326,6 @@ int _gnutls_parse_record_buffered_msgs(gnutls_session_t session)
+ ret = merge_handshake_packet(session, &tmp);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+-
+ } while (_mbuffer_get_udata_size(bufel) > 0);
+
+ prev = bufel;
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index 8cf9a8715..689dcdc41 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -479,10 +479,10 @@ typedef struct {
+ uint16_t sequence;
+
+ /* indicate whether that message is complete.
+- * complete means start_offset == 0 and end_offset == length
++ * complete means start_offset == 0 and frag_length == length
+ */
+ uint32_t start_offset;
+- uint32_t end_offset;
++ uint32_t frag_length; /* used exclusively in DTLS reassembly */
+
+ uint8_t header[MAX_HANDSHAKE_HEADER_SIZE];
+ int header_size;
+--
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index e40a654a8e..702a83fc85 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -45,6 +45,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://CVE-2025-14831-9.patch \
file://CVE-2026-33846-pre.patch \
file://CVE-2026-33846.patch \
+ file://CVE-2026-33845-pre.patch \
+ file://CVE-2026-33845.patch \
"
SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [OE-core][scarthgap][PATCH 3/7] gnutls: Fix CVE-2026-3833
2026-05-20 8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
2026-05-20 8:13 ` [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845 hsimeliere.opensource
@ 2026-05-20 8:13 ` hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 4/7] gnutls: Fix CVE-2026-42015 hsimeliere.opensource
` (4 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: hsimeliere.opensource @ 2026-05-20 8:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY
From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
Pick patch from [1] as mentioned in Debian report in [2].
[1] https://gitlab.com/gnutls/gnutls/-/commit/19f6508647bdcd3ce21130201e484d7ca6d962c5
[2] https://security-tracker.debian.org/tracker/CVE-2026-3833
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
.../gnutls/gnutls/CVE-2026-3833.patch | 94 +++++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
2 files changed, 95 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch
new file mode 100644
index 0000000000..cca4ff86f8
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch
@@ -0,0 +1,94 @@
+From 2e8c3569d125d188b293d132c040201aae6ceb16 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 16 Mar 2026 15:29:40 +0100
+Subject: [PATCH] x509/name-constraints: compare domain names case-insensitive
+
+RFC 5280 7.2:
+> When comparing DNS names for equality, conforming implementations
+> MUST perform a case-insensitive exact match on the entire DNS name.
+> When evaluating name constraints, conforming implementations MUST
+> perform a case-insensitive exact match on a label-by-label basis.
+
+Domain name comparison during name constraints processing
+was case-sensitive. For excluded name constraints, this could lead to
+incorrectly accepting domain names that should've been rejected.
+The code for comparing domain names and domain name parts of emails
+has been modified to perform case-insensitive comparison instead.
+
+Reported-by: Oleh Konko <security@1seal.org>
+Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
+Fixes: #1223
+Fixes: #1803
+Fixes: #1852
+Fixes: CVE-2026-3833
+Fixes: GNUTLS-SA-2026-04-29-5
+
+CVE: CVE-2026-3833
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/19f6508647bdcd3ce21130201e484d7ca6d962c5]
+
+CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit 19f6508647bdcd3ce21130201e484d7ca6d962c5)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/x509/name_constraints.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
+index 04722bdf4..dee045d25 100644
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -35,6 +35,7 @@
+ #include "x509_int.h"
+ #include "x509_ext_int.h"
+ #include <libtasn1.h>
++#include "c-strcase.h"
+
+ #include "ip.h"
+ #include "ip-in-cidr.h"
+@@ -80,7 +81,7 @@ enum name_constraint_relation {
+ NC_SORTS_AFTER = 2 /* unrelated constraints */
+ };
+
+-/* A helper to compare just a pair of strings with this rich comparison */
++/* Helpers to compare just a pair of strings with this rich comparison */
+ static enum name_constraint_relation
+ compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len)
+ {
+@@ -96,6 +97,22 @@ compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len)
+ return NC_EQUAL;
+ }
+
++static enum name_constraint_relation
++compare_strings_case_insensitive(const void *n1, size_t n1_len, const void *n2,
++ size_t n2_len)
++{
++ int r = c_strncasecmp(n1, n2, MIN(n1_len, n2_len));
++ if (r < 0)
++ return NC_SORTS_BEFORE;
++ if (r > 0)
++ return NC_SORTS_AFTER;
++ if (n1_len < n2_len)
++ return NC_SORTS_BEFORE;
++ if (n1_len > n2_len)
++ return NC_SORTS_AFTER;
++ return NC_EQUAL;
++}
++
+ /* Rich-compare DNS names. Example order/relationships:
+ * z.x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x.b BEFORE y.b */
+ static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1,
+@@ -121,8 +138,8 @@ static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1,
+ while (j && n2->data[j - 1] != '.')
+ j--;
+
+- rel = compare_strings(&n1->data[i], i_end - i, &n2->data[j],
+- j_end - j);
++ rel = compare_strings_case_insensitive(&n1->data[i], i_end - i,
++ &n2->data[j], j_end - j);
+ if (rel == NC_SORTS_BEFORE) /* x.a BEFORE y.a */
+ return NC_SORTS_BEFORE;
+ if (rel == NC_SORTS_AFTER) /* y.a AFTER x.a */
+--
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 702a83fc85..69f90a3c01 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -47,6 +47,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://CVE-2026-33846.patch \
file://CVE-2026-33845-pre.patch \
file://CVE-2026-33845.patch \
+ file://CVE-2026-3833.patch \
"
SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [OE-core][scarthgap][PATCH 4/7] gnutls: Fix CVE-2026-42015
2026-05-20 8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
2026-05-20 8:13 ` [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845 hsimeliere.opensource
2026-05-20 8:13 ` [OE-core][scarthgap][PATCH 3/7] gnutls: Fix CVE-2026-3833 hsimeliere.opensource
@ 2026-05-20 8:14 ` hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 5/7] gnutls: Fix CVE-2026-42014 hsimeliere.opensource
` (3 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: hsimeliere.opensource @ 2026-05-20 8:14 UTC (permalink / raw)
To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY
From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
Pick patch from [1] as mentioned in Debian report in [2].
[1] https://gitlab.com/gnutls/gnutls/-/commit/a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca
[2] https://security-tracker.debian.org/tracker/CVE-2026-42015
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
.../gnutls/gnutls/CVE-2026-42015.patch | 50 +++++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
2 files changed, 51 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch
new file mode 100644
index 0000000000..dfc3506ccc
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch
@@ -0,0 +1,50 @@
+From 264da2a72033ed8890105231e5d36263d403ca60 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 20 Apr 2026 22:42:20 +0200
+Subject: [PATCH] x509/pkcs12_bag: fix off-by-one in bag element bounds check
+
+Appending elements to a PKCS#12 bag had a bounds check that
+prevented adding the 32nd element.
+On the other hand, it is possible to import one that already has 32.
+Subsequent appending then led to writing past the 32-element array,
+smashing its length.
+
+Tighten the check to reject any bag with 32 or more elements.
+
+We'll treat this vulnerability as a Low due to how contrived
+the requirements are: for the code to be vulnerable,
+it needs to append to an imported untrusted unencrypted PKCS#12 structure.
+
+Reported-by: Zou Dikai
+Fixes: #1840
+Fixes: CVE-2026-42015
+Fixes: GNUTLS-SA-2026-04-29-11
+CVSS: 6.1 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
+Severity: Low
+
+CVE: CVE-2026-42015
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/x509/pkcs12_bag.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
+index 911aeff93..38228613c 100644
+--- a/lib/x509/pkcs12_bag.c
++++ b/lib/x509/pkcs12_bag.c
+@@ -375,7 +375,7 @@ int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag_t bag,
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+- if (bag->bag_elements == MAX_BAG_ELEMENTS - 1) {
++ if (bag->bag_elements >= MAX_BAG_ELEMENTS - 1) {
+ gnutls_assert();
+ /* bag is full */
+ return GNUTLS_E_MEMORY_ERROR;
+--
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 69f90a3c01..20946c1030 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -48,6 +48,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://CVE-2026-33845-pre.patch \
file://CVE-2026-33845.patch \
file://CVE-2026-3833.patch \
+ file://CVE-2026-42015.patch \
"
SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [OE-core][scarthgap][PATCH 5/7] gnutls: Fix CVE-2026-42014
2026-05-20 8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
` (2 preceding siblings ...)
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 4/7] gnutls: Fix CVE-2026-42015 hsimeliere.opensource
@ 2026-05-20 8:14 ` hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 6/7] gnutls: Fix CVE-2026-42010 hsimeliere.opensource
` (2 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: hsimeliere.opensource @ 2026-05-20 8:14 UTC (permalink / raw)
To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY
From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
Pick patch from [1] as mentioned in Debian report in [2].
[1] https://gitlab.com/gnutls/gnutls/-/commit/3957f136e2ed23caf176a594b54b3827f5cef701
[2] https://security-tracker.debian.org/tracker/CVE-2026-42014
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
.../gnutls/gnutls/CVE-2026-42014.patch | 67 +++++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch
new file mode 100644
index 0000000000..ceaf05bf1e
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch
@@ -0,0 +1,67 @@
+From b48f025e58763f3975e5d65d698df27a5211bc51 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Wed, 18 Mar 2026 18:19:06 +0100
+Subject: [PATCH] pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin
+
+Changing Security Officer PIN with gnutls_pkcs11_token_set_pin() with
+oldpin == NULL for a token that lacks a protected authentication path
+led to a use-after-free.
+
+Reported-by: Luigino Camastra and Joshua Rogers of AISLE Research Team
+Fixes: #1766
+Fixes: #1809
+Fixes: CVE-2026-42014
+Fixes: GNUTLS-SA-2026-04-29-9
+CVSS: 4.0 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+
+CVE: CVE-2026-42014
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/3957f136e2ed23caf176a594b54b3827f5cef701]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit 3957f136e2ed23caf176a594b54b3827f5cef701)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/pkcs11_write.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
+index 961e1b9d8..9fe571ea2 100644
+--- a/lib/pkcs11_write.c
++++ b/lib/pkcs11_write.c
+@@ -1267,10 +1267,9 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
+ ses_flags = SESSION_WRITE | SESSION_LOGIN;
+
+ ret = pkcs11_open_session(&sinfo, NULL, info, ses_flags);
+- p11_kit_uri_free(info);
+-
+ if (ret < 0) {
+ gnutls_assert();
++ p11_kit_uri_free(info);
+ return ret;
+ }
+
+@@ -1291,9 +1290,11 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
+ oldpin_size = L(oldpin);
+
+ if (!(sinfo.tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) {
+- if (newpin == NULL)
+- return gnutls_assert_val(
++ if (newpin == NULL) {
++ ret = gnutls_assert_val(
+ GNUTLS_E_INVALID_REQUEST);
++ goto finish;
++ }
+
+ if (oldpin == NULL) {
+ struct pin_info_st pin_info;
+@@ -1325,6 +1326,7 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin,
+ ret = 0;
+
+ finish:
++ p11_kit_uri_free(info);
+ pkcs11_close_session(&sinfo);
+ return ret;
+ }
+--
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 20946c1030..dc8e28c99b 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -49,6 +49,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://CVE-2026-33845.patch \
file://CVE-2026-3833.patch \
file://CVE-2026-42015.patch \
+ file://CVE-2026-42014.patch \
"
SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [OE-core][scarthgap][PATCH 6/7] gnutls: Fix CVE-2026-42010
2026-05-20 8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
` (3 preceding siblings ...)
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 5/7] gnutls: Fix CVE-2026-42014 hsimeliere.opensource
@ 2026-05-20 8:14 ` hsimeliere.opensource
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 7/7] gnutls: Fix CVE-2026-5260 hsimeliere.opensource
2026-06-04 8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
6 siblings, 0 replies; 11+ messages in thread
From: hsimeliere.opensource @ 2026-05-20 8:14 UTC (permalink / raw)
To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY
From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
Pick patch from [1] as mentioned in Debian report in [2].
[1] https://gitlab.com/gnutls/gnutls/-/commit/cb1833afd9b6309563211b1c0a7c291f52ca98d5
[2] https://security-tracker.debian.org/tracker/CVE-2026-42010
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
.../gnutls/gnutls/CVE-2026-42010.patch | 42 +++++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-42010.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-42010.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-42010.patch
new file mode 100644
index 0000000000..59454cefe7
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-42010.patch
@@ -0,0 +1,42 @@
+From 590f730b1cd35202bb372480e6a0ac0c3d31933e Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Tue, 21 Apr 2026 19:26:10 +0200
+Subject: [PATCH] lib/auth/rsa_psk: fix binary PSK identity lookup
+
+A server looking up PSK username with a NUL-character in it
+was wrongfully matching username truncated at a NUL-character.
+Fix the check to compare up to the full username length.
+
+Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
+Fixes: #1850
+Fixes: CVE-2026-42010
+Fixes: GNUTLS-SA-2026-04-29-4
+CVSS: 7.1 High CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
+
+CVE: CVE-2026-42010
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/cb1833afd9b6309563211b1c0a7c291f52ca98d5]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit cb1833afd9b6309563211b1c0a7c291f52ca98d5)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/auth/rsa_psk.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 399fb4da1..a14de467a 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -321,8 +321,7 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
+ * filled in if the key is not found.
+ */
+ ret = _gnutls_psk_pwd_find_entry(session, info->username,
+- strlen(info->username), &pwd_psk,
+- NULL);
++ info->username_len, &pwd_psk, NULL);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+--
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index dc8e28c99b..0b3abb827c 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -50,6 +50,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://CVE-2026-3833.patch \
file://CVE-2026-42015.patch \
file://CVE-2026-42014.patch \
+ file://CVE-2026-42010.patch \
"
SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [OE-core][scarthgap][PATCH 7/7] gnutls: Fix CVE-2026-5260
2026-05-20 8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
` (4 preceding siblings ...)
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 6/7] gnutls: Fix CVE-2026-42010 hsimeliere.opensource
@ 2026-05-20 8:14 ` hsimeliere.opensource
2026-06-04 8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
6 siblings, 0 replies; 11+ messages in thread
From: hsimeliere.opensource @ 2026-05-20 8:14 UTC (permalink / raw)
To: openembedded-core; +Cc: Hugo SIMELIERE (Schneider Electric), Bruno VERNAY
From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
Pick patches from [1] and [2] as mentioned in Debian report in [3].
[1] https://gitlab.com/gnutls/gnutls/-/commit/77228f2d1ac207d2f894e5a168fbb47e5378e42f
[2] https://gitlab.com/gnutls/gnutls/-/commit/cf6bdc5e4df49e5583d3fb4d2296779785f10683
[3] https://security-tracker.debian.org/tracker/CVE-2026-5260
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
---
.../gnutls/gnutls/CVE-2026-5260-1.patch | 78 +++++++++++++++++++
.../gnutls/gnutls/CVE-2026-5260-2.patch | 40 ++++++++++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 +
3 files changed, 120 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-5260-1.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-5260-2.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-1.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-1.patch
new file mode 100644
index 0000000000..060440e8b7
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-1.patch
@@ -0,0 +1,78 @@
+From a39a21031f9e56d31747b060f83fb49d1a77f0c5 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 30 Mar 2026 17:31:07 +0200
+Subject: [PATCH 1/2] lib/auth/rsa: check that ciphertext matches the modulus
+ size
+
+A client sending extremely short premaster secret as part of an
+RSA key exchange could've theoretically triggered a short heap overread
+to nowhere when the RSA key was backed with a PKCS#11 token.
+With this fix, the internal decryption function will not be called
+with an mismatching plaintext length specified, avoiding the overread.
+
+Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
+Fixes: #1814
+Fixes: CVE-2026-5260
+Fixes: GNUTLS-SA-2026-04-29-10
+CVSS: 5.9 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
+
+CVE: CVE-2026-5260
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/77228f2d1ac207d2f894e5a168fbb47e5378e42f]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit 77228f2d1ac207d2f894e5a168fbb47e5378e42f)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/auth/rsa.c | 5 +++++
+ lib/auth/rsa_psk.c | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index b5ecc092f..24c1649be 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -158,6 +158,7 @@ static int proc_rsa_client_kx(gnutls_session_t session, uint8_t *data,
+ int ret, dsize;
+ ssize_t data_size = _data_size;
+ volatile uint8_t ver_maj, ver_min;
++ unsigned int key_bits;
+
+ #ifdef ENABLE_SSL3
+ if (get_num_version(session) == GNUTLS_SSL3) {
+@@ -180,6 +181,10 @@ static int proc_rsa_client_kx(gnutls_session_t session, uint8_t *data,
+ }
+ ciphertext.size = dsize;
+ }
++ gnutls_privkey_get_pk_algorithm(session->internals.selected_key,
++ &key_bits);
++ if (ciphertext.size != (key_bits + 7) / 8)
++ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
+
+ ver_maj = _gnutls_get_adv_version_major(session);
+ ver_min = _gnutls_get_adv_version_minor(session);
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index a14de467a..a1da1b320 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -257,6 +257,7 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
+ ssize_t data_size = _data_size;
+ gnutls_psk_server_credentials_t cred;
+ volatile uint8_t ver_maj, ver_min;
++ unsigned int rsa_key_bits;
+
+ cred = (gnutls_psk_server_credentials_t)_gnutls_get_cred(
+ session, GNUTLS_CRD_PSK);
+@@ -313,6 +314,10 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session,
+ return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
+ }
+ ciphertext.size = dsize;
++ gnutls_privkey_get_pk_algorithm(session->internals.selected_key,
++ &rsa_key_bits);
++ if (ciphertext.size != (rsa_key_bits + 7) / 8)
++ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
+
+ ver_maj = _gnutls_get_adv_version_major(session);
+ ver_min = _gnutls_get_adv_version_minor(session);
+--
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-2.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-2.patch
new file mode 100644
index 0000000000..32181e45da
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-2.patch
@@ -0,0 +1,40 @@
+From 9b58b5237713d2189192aa8591b337787ee2edff Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 30 Mar 2026 17:46:40 +0200
+Subject: [PATCH 2/2] lib/pkcs11_privkey: guard against overreading on short
+ ciphertexts
+
+This is an alternative fix for the callee side.
+
+Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
+Fixes: #1814
+Fixes: CVE-2026-5260
+Fixes: GNUTLS-SA-2026-04-29-10
+CVSS: 5.9 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
+
+CVE: CVE-2026-5260
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/cf6bdc5e4df49e5583d3fb4d2296779785f10683]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit cf6bdc5e4df49e5583d3fb4d2296779785f10683)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
+---
+ lib/pkcs11_privkey.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
+index 5093a6d56..369b034a6 100644
+--- a/lib/pkcs11_privkey.c
++++ b/lib/pkcs11_privkey.c
+@@ -826,7 +826,7 @@ int _gnutls_pkcs11_privkey_decrypt_data2(gnutls_pkcs11_privkey_t key,
+ if (ret != 0)
+ return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR);
+
+- buffer = gnutls_malloc(siglen);
++ buffer = gnutls_malloc(MAX((size_t)siglen, plaintext_size));
+ if (!buffer) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+--
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 0b3abb827c..a4a6a5fe21 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -51,6 +51,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://CVE-2026-42015.patch \
file://CVE-2026-42014.patch \
file://CVE-2026-42010.patch \
+ file://CVE-2026-5260-1.patch \
+ file://CVE-2026-5260-2.patch \
"
SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
--
2.43.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* Re: [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846
2026-05-20 8:13 [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 hsimeliere.opensource
` (5 preceding siblings ...)
2026-05-20 8:14 ` [OE-core][scarthgap][PATCH 7/7] gnutls: Fix CVE-2026-5260 hsimeliere.opensource
@ 2026-06-04 8:57 ` Yoann Congal
2026-06-04 20:10 ` Yoann Congal
2026-06-05 8:45 ` Yoann Congal
6 siblings, 2 replies; 11+ messages in thread
From: Yoann Congal @ 2026-06-04 8:57 UTC (permalink / raw)
To: hsimeliere.opensource, openembedded-core; +Cc: Bruno VERNAY
On Wed May 20, 2026 at 10:13 AM CEST, Hugo Simeliere via lists.openembedded.org wrote:
> From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
>
> Pick patch from [1] as mentioned in Debian report in [2].
> Pick pre-patch [3] to minimize conflicts.
>
> [1] https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78
> [2] https://security-tracker.debian.org/tracker/CVE-2026-33846
> [3] https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0
>
> Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
> ---
> .../gnutls/gnutls/CVE-2026-33846-pre.patch | 97 +++++++++++++++++++
> .../gnutls/gnutls/CVE-2026-33846.patch | 67 +++++++++++++
> meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 +
> 3 files changed, 166 insertions(+)
> create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
> create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
> new file mode 100644
> index 0000000000..71266cb338
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
> @@ -0,0 +1,97 @@
> +From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Fri, 17 Apr 2026 17:49:31 +0200
> +Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using recv_buf
As far as I can tell this patch is only cosmetic and I'd rather not
merge it unless you have a compeling reason.
To apply CVE-2026-33846.patch, it looks like you will need to change it
to use "session->internals.handshake_recv_buffer" instead of "recv_buf".
Regards,
> +
> +I had vague concerns about thread-safety of this,
> +but then this pattern already exists within the file.
> +
> +CVE: CVE-2026-33846
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0]
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0)
> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
> +---
> + lib/buffers.c | 52 +++++++++++++++++----------------------------------
> + 1 file changed, 17 insertions(+), 35 deletions(-)
> +
> +diff --git a/lib/buffers.c b/lib/buffers.c
> +index 672380b05..d54c77022 100644
> +--- a/lib/buffers.c
> ++++ b/lib/buffers.c
> +@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t session,
> + int exists = 0, i, pos = 0;
> + int ret;
> +
> ++ handshake_buffer_st *recv_buf =
> ++ session->internals.handshake_recv_buffer;
> ++
> + for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
> +- if (session->internals.handshake_recv_buffer[i].htype ==
> +- hsk->htype) {
> ++ if (recv_buf[i].htype == hsk->htype) {
> + exists = 1;
> + pos = i;
> + break;
> +@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t session,
> + _gnutls_write_uint24(0, &hsk->header[6]);
> + _gnutls_write_uint24(hsk->length, &hsk->header[9]);
> +
> +- _gnutls_handshake_buffer_move(
> +- &session->internals.handshake_recv_buffer[pos], hsk);
> ++ _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
> +
> + } else {
> +- if (hsk->start_offset <
> +- session->internals.handshake_recv_buffer[pos]
> +- .start_offset &&
> +- hsk->end_offset + 1 >=
> +- session->internals.handshake_recv_buffer[pos]
> +- .start_offset) {
> +- memcpy(&session->internals.handshake_recv_buffer[pos]
> +- .data.data[hsk->start_offset],
> ++ if (hsk->start_offset < recv_buf[pos].start_offset &&
> ++ hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
> ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
> + hsk->data.data, hsk->data.length);
> +- session->internals.handshake_recv_buffer[pos]
> +- .start_offset = hsk->start_offset;
> +- session->internals.handshake_recv_buffer[pos]
> +- .end_offset = MIN(
> +- hsk->end_offset,
> +- session->internals.handshake_recv_buffer[pos]
> +- .end_offset);
> +- } else if (hsk->end_offset >
> +- session->internals.handshake_recv_buffer[pos]
> +- .end_offset &&
> +- hsk->start_offset <=
> +- session->internals.handshake_recv_buffer[pos]
> +- .end_offset +
> +- 1) {
> +- memcpy(&session->internals.handshake_recv_buffer[pos]
> +- .data.data[hsk->start_offset],
> ++ recv_buf[pos].start_offset = hsk->start_offset;
> ++ recv_buf[pos].end_offset =
> ++ MIN(hsk->end_offset, recv_buf[pos].end_offset);
> ++ } else if (hsk->end_offset > recv_buf[pos].end_offset &&
> ++ hsk->start_offset <= recv_buf[pos].end_offset + 1) {
> ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
> + hsk->data.data, hsk->data.length);
> +
> +- session->internals.handshake_recv_buffer[pos]
> +- .end_offset = hsk->end_offset;
> +- session->internals.handshake_recv_buffer[pos]
> +- .start_offset = MIN(
> +- hsk->start_offset,
> +- session->internals.handshake_recv_buffer[pos]
> +- .start_offset);
> ++ recv_buf[pos].end_offset = hsk->end_offset;
> ++ recv_buf[pos].start_offset = MIN(
> ++ hsk->start_offset, recv_buf[pos].start_offset);
> + }
> + _gnutls_handshake_buffer_clear(hsk);
> + }
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
> new file mode 100644
> index 0000000000..e7d5cc6c2b
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
> @@ -0,0 +1,67 @@
> +From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Fri, 17 Apr 2026 18:21:36 +0200
> +Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly
> +
> +Previously, gnutls didn't check that DTLS fragments claimed
> +a consistent message_length value.
> +Additionally, a crucial array size check was missing,
> +enabling an attacker to cause a heap overwrite.
> +The updated version rejects fragments with mismatching length
> +and adds a missing boundary check.
> +
> +Reported-by: Haruto Kimura (Stella)
> +Reported-by: Oscar Reparaz
> +Reported-by: Zou Dikai
> +Fixes: #1816
> +Fixes: #1838
> +Fixes: #1839
> +Fixes: CVE-2026-33846
> +Fixes: GNUTLS-SA-2026-04-29-1
> +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
> +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> +
> +CVE: CVE-2026-33846
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78]
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78)
> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
> +---
> + lib/buffers.c | 20 ++++++++++++++++++++
> + 1 file changed, 20 insertions(+)
> +
> +diff --git a/lib/buffers.c b/lib/buffers.c
> +index d54c77022..5d4d16276 100644
> +--- a/lib/buffers.c
> ++++ b/lib/buffers.c
> +@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t session,
> + _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
> +
> + } else {
> ++ if (hsk->length != recv_buf[pos].length) {
> ++ /* inconsistent across fragments */
> ++ _gnutls_handshake_buffer_clear(hsk);
> ++ return gnutls_assert_val(
> ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
> ++ }
> ++ /* start_offset + data.length <= hsk->length <= max_length */
> ++ if (hsk->length < hsk->start_offset + hsk->data.length) {
> ++ /* impossible claims, overflow requested */
> ++ _gnutls_handshake_buffer_clear(hsk);
> ++ return gnutls_assert_val(
> ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
> ++ }
> ++ if (hsk->length > recv_buf[pos].data.max_length) {
> ++ /* we don't have this much allocated, overflow guard */
> ++ _gnutls_handshake_buffer_clear(hsk);
> ++ return gnutls_assert_val(
> ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
> ++ }
> ++
> + if (hsk->start_offset < recv_buf[pos].start_offset &&
> + hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
> + memcpy(&recv_buf[pos].data.data[hsk->start_offset],
> +--
> +2.43.0
> +
> diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> index ccb6a2b4b2..e40a654a8e 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> @@ -43,6 +43,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
> file://CVE-2025-14831-7.patch \
> file://CVE-2025-14831-8.patch \
> file://CVE-2025-14831-9.patch \
> + file://CVE-2026-33846-pre.patch \
> + file://CVE-2026-33846.patch \
> "
>
> SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846
2026-06-04 8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
@ 2026-06-04 20:10 ` Yoann Congal
2026-07-06 10:48 ` Yoann Congal
2026-06-05 8:45 ` Yoann Congal
1 sibling, 1 reply; 11+ messages in thread
From: Yoann Congal @ 2026-06-04 20:10 UTC (permalink / raw)
To: Yoann Congal, hsimeliere.opensource, openembedded-core; +Cc: Bruno VERNAY
On Thu Jun 4, 2026 at 10:57 AM CEST, Yoann Congal wrote:
> On Wed May 20, 2026 at 10:13 AM CEST, Hugo Simeliere via lists.openembedded.org wrote:
>> From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
>>
>> Pick patch from [1] as mentioned in Debian report in [2].
>> Pick pre-patch [3] to minimize conflicts.
>>
>> [1] https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78
Hello (again),
This patch is in the 3.8.13 tag but not in the 3.8.12 tag used on
wrynose. There was a 3.8.13 wrynose upgrade sent but I can't accept it.
So, this patch (as well as at least 2/7, I have not checked the others) must
be sent to wrynose before I can accept them on scarthgap. Can you do
that and ping back here when it's done?
Thanks!
>> [2] https://security-tracker.debian.org/tracker/CVE-2026-33846
>> [3] https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0
>>
>> Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
>> Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
>> ---
>> .../gnutls/gnutls/CVE-2026-33846-pre.patch | 97 +++++++++++++++++++
>> .../gnutls/gnutls/CVE-2026-33846.patch | 67 +++++++++++++
>> meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 +
>> 3 files changed, 166 insertions(+)
>> create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>> create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>>
>> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>> new file mode 100644
>> index 0000000000..71266cb338
>> --- /dev/null
>> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>> @@ -0,0 +1,97 @@
>> +From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001
>> +From: Alexander Sosedkin <asosedkin@redhat.com>
>> +Date: Fri, 17 Apr 2026 17:49:31 +0200
>> +Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using recv_buf
>
> As far as I can tell this patch is only cosmetic and I'd rather not
> merge it unless you have a compeling reason.
>
> To apply CVE-2026-33846.patch, it looks like you will need to change it
> to use "session->internals.handshake_recv_buffer" instead of "recv_buf".
>
> Regards,
>
>> +
>> +I had vague concerns about thread-safety of this,
>> +but then this pattern already exists within the file.
>> +
>> +CVE: CVE-2026-33846
>> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0]
>> +
>> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
>> +(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0)
>> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
>> +---
>> + lib/buffers.c | 52 +++++++++++++++++----------------------------------
>> + 1 file changed, 17 insertions(+), 35 deletions(-)
>> +
>> +diff --git a/lib/buffers.c b/lib/buffers.c
>> +index 672380b05..d54c77022 100644
>> +--- a/lib/buffers.c
>> ++++ b/lib/buffers.c
>> +@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t session,
>> + int exists = 0, i, pos = 0;
>> + int ret;
>> +
>> ++ handshake_buffer_st *recv_buf =
>> ++ session->internals.handshake_recv_buffer;
>> ++
>> + for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
>> +- if (session->internals.handshake_recv_buffer[i].htype ==
>> +- hsk->htype) {
>> ++ if (recv_buf[i].htype == hsk->htype) {
>> + exists = 1;
>> + pos = i;
>> + break;
>> +@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t session,
>> + _gnutls_write_uint24(0, &hsk->header[6]);
>> + _gnutls_write_uint24(hsk->length, &hsk->header[9]);
>> +
>> +- _gnutls_handshake_buffer_move(
>> +- &session->internals.handshake_recv_buffer[pos], hsk);
>> ++ _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
>> +
>> + } else {
>> +- if (hsk->start_offset <
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .start_offset &&
>> +- hsk->end_offset + 1 >=
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .start_offset) {
>> +- memcpy(&session->internals.handshake_recv_buffer[pos]
>> +- .data.data[hsk->start_offset],
>> ++ if (hsk->start_offset < recv_buf[pos].start_offset &&
>> ++ hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
>> ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> + hsk->data.data, hsk->data.length);
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .start_offset = hsk->start_offset;
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .end_offset = MIN(
>> +- hsk->end_offset,
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .end_offset);
>> +- } else if (hsk->end_offset >
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .end_offset &&
>> +- hsk->start_offset <=
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .end_offset +
>> +- 1) {
>> +- memcpy(&session->internals.handshake_recv_buffer[pos]
>> +- .data.data[hsk->start_offset],
>> ++ recv_buf[pos].start_offset = hsk->start_offset;
>> ++ recv_buf[pos].end_offset =
>> ++ MIN(hsk->end_offset, recv_buf[pos].end_offset);
>> ++ } else if (hsk->end_offset > recv_buf[pos].end_offset &&
>> ++ hsk->start_offset <= recv_buf[pos].end_offset + 1) {
>> ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> + hsk->data.data, hsk->data.length);
>> +
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .end_offset = hsk->end_offset;
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .start_offset = MIN(
>> +- hsk->start_offset,
>> +- session->internals.handshake_recv_buffer[pos]
>> +- .start_offset);
>> ++ recv_buf[pos].end_offset = hsk->end_offset;
>> ++ recv_buf[pos].start_offset = MIN(
>> ++ hsk->start_offset, recv_buf[pos].start_offset);
>> + }
>> + _gnutls_handshake_buffer_clear(hsk);
>> + }
>> +--
>> +2.43.0
>> +
>> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>> new file mode 100644
>> index 0000000000..e7d5cc6c2b
>> --- /dev/null
>> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>> @@ -0,0 +1,67 @@
>> +From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001
>> +From: Alexander Sosedkin <asosedkin@redhat.com>
>> +Date: Fri, 17 Apr 2026 18:21:36 +0200
>> +Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly
>> +
>> +Previously, gnutls didn't check that DTLS fragments claimed
>> +a consistent message_length value.
>> +Additionally, a crucial array size check was missing,
>> +enabling an attacker to cause a heap overwrite.
>> +The updated version rejects fragments with mismatching length
>> +and adds a missing boundary check.
>> +
>> +Reported-by: Haruto Kimura (Stella)
>> +Reported-by: Oscar Reparaz
>> +Reported-by: Zou Dikai
>> +Fixes: #1816
>> +Fixes: #1838
>> +Fixes: #1839
>> +Fixes: CVE-2026-33846
>> +Fixes: GNUTLS-SA-2026-04-29-1
>> +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
>> +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
>> +
>> +CVE: CVE-2026-33846
>> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78]
>> +
>> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
>> +(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78)
>> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <hsimeliere.opensource@witekio.com>
>> +---
>> + lib/buffers.c | 20 ++++++++++++++++++++
>> + 1 file changed, 20 insertions(+)
>> +
>> +diff --git a/lib/buffers.c b/lib/buffers.c
>> +index d54c77022..5d4d16276 100644
>> +--- a/lib/buffers.c
>> ++++ b/lib/buffers.c
>> +@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t session,
>> + _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
>> +
>> + } else {
>> ++ if (hsk->length != recv_buf[pos].length) {
>> ++ /* inconsistent across fragments */
>> ++ _gnutls_handshake_buffer_clear(hsk);
>> ++ return gnutls_assert_val(
>> ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++ }
>> ++ /* start_offset + data.length <= hsk->length <= max_length */
>> ++ if (hsk->length < hsk->start_offset + hsk->data.length) {
>> ++ /* impossible claims, overflow requested */
>> ++ _gnutls_handshake_buffer_clear(hsk);
>> ++ return gnutls_assert_val(
>> ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++ }
>> ++ if (hsk->length > recv_buf[pos].data.max_length) {
>> ++ /* we don't have this much allocated, overflow guard */
>> ++ _gnutls_handshake_buffer_clear(hsk);
>> ++ return gnutls_assert_val(
>> ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++ }
>> ++
>> + if (hsk->start_offset < recv_buf[pos].start_offset &&
>> + hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
>> + memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> +--
>> +2.43.0
>> +
>> diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> index ccb6a2b4b2..e40a654a8e 100644
>> --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> @@ -43,6 +43,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
>> file://CVE-2025-14831-7.patch \
>> file://CVE-2025-14831-8.patch \
>> file://CVE-2025-14831-9.patch \
>> + file://CVE-2026-33846-pre.patch \
>> + file://CVE-2026-33846.patch \
>> "
>>
>> SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846
2026-06-04 20:10 ` Yoann Congal
@ 2026-07-06 10:48 ` Yoann Congal
0 siblings, 0 replies; 11+ messages in thread
From: Yoann Congal @ 2026-07-06 10:48 UTC (permalink / raw)
To: Yoann Congal, hsimeliere.opensource, openembedded-core; +Cc: Bruno VERNAY
On Thu Jun 4, 2026 at 10:10 PM CEST, Yoann Congal wrote:
> On Thu Jun 4, 2026 at 10:57 AM CEST, Yoann Congal wrote:
>> On Wed May 20, 2026 at 10:13 AM CEST, Hugo Simeliere via lists.openembedded.org wrote:
>>> From: "Hugo SIMELIERE (Schneider Electric)" <hsimeliere.opensource@witekio.com>
>>>
>>> Pick patch from [1] as mentioned in Debian report in [2].
>>> Pick pre-patch [3] to minimize conflicts.
>>>
>>> [1] https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78
>
> Hello (again),
>
> This patch is in the 3.8.13 tag but not in the 3.8.12 tag used on
> wrynose. There was a 3.8.13 wrynose upgrade sent but I can't accept it.
> So, this patch (as well as at least 2/7, I have not checked the others) must
> be sent to wrynose before I can accept them on scarthgap. Can you do
> that and ping back here when it's done?
Hello,
I will now drop this series. If the above situation changes, please send
a new patch.
Regards,
--
Yoann Congal
Smile ECS
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846
2026-06-04 8:57 ` [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846 Yoann Congal
2026-06-04 20:10 ` Yoann Congal
@ 2026-06-05 8:45 ` Yoann Congal
1 sibling, 0 replies; 11+ messages in thread
From: Yoann Congal @ 2026-06-05 8:45 UTC (permalink / raw)
To: hsimeliere.opensource, openembedded-core; +Cc: Bruno VERNAY
[-- Attachment #1: Type: text/plain, Size: 11588 bytes --]
Le jeu. 4 juin 2026 à 10:57, Yoann Congal <yoann.congal@smile.fr> a écrit :
> On Wed May 20, 2026 at 10:13 AM CEST, Hugo Simeliere via
> lists.openembedded.org wrote:
> > From: "Hugo SIMELIERE (Schneider Electric)" <
> hsimeliere.opensource@witekio.com>
> >
> > Pick patch from [1] as mentioned in Debian report in [2].
> > Pick pre-patch [3] to minimize conflicts.
> >
> > [1]
> https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78
> > [2] https://security-tracker.debian.org/tracker/CVE-2026-33846
> > [3]
> https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0
> >
> > Signed-off-by: Hugo SIMELIERE (Schneider Electric) <
> hsimeliere.opensource@witekio.com>
> > Reviewed-by: Bruno VERNAY <bruno.vernay@se.com>
> > ---
> > .../gnutls/gnutls/CVE-2026-33846-pre.patch | 97 +++++++++++++++++++
> > .../gnutls/gnutls/CVE-2026-33846.patch | 67 +++++++++++++
> > meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 +
> > 3 files changed, 166 insertions(+)
> > create mode 100644
> meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
> > create mode 100644
> meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
> >
> > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
> b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
> > new file mode 100644
> > index 0000000000..71266cb338
> > --- /dev/null
> > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
> > @@ -0,0 +1,97 @@
> > +From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001
> > +From: Alexander Sosedkin <asosedkin@redhat.com>
> > +Date: Fri, 17 Apr 2026 17:49:31 +0200
> > +Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using
> recv_buf
>
> As far as I can tell this patch is only cosmetic and I'd rather not
> merge it unless you have a compeling reason.
>
> To apply CVE-2026-33846.patch, it looks like you will need to change it
> to use "session->internals.handshake_recv_buffer" instead of "recv_buf".
>
Hello,
Actually, scratch that. I've discussed it with Paul. In this case, the
review will be easier with the cosmetic "-pre" patches.
So, don't change that. Sorry for the noise.
Regards,
>
> Regards,
>
> > +
> > +I had vague concerns about thread-safety of this,
> > +but then this pattern already exists within the file.
> > +
> > +CVE: CVE-2026-33846
> > +Upstream-Status: Backport [
> https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0
> ]
> > +
> > +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> > +(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0)
> > +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <
> hsimeliere.opensource@witekio.com>
> > +---
> > + lib/buffers.c | 52 +++++++++++++++++----------------------------------
> > + 1 file changed, 17 insertions(+), 35 deletions(-)
> > +
> > +diff --git a/lib/buffers.c b/lib/buffers.c
> > +index 672380b05..d54c77022 100644
> > +--- a/lib/buffers.c
> > ++++ b/lib/buffers.c
> > +@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t
> session,
> > + int exists = 0, i, pos = 0;
> > + int ret;
> > +
> > ++ handshake_buffer_st *recv_buf =
> > ++ session->internals.handshake_recv_buffer;
> > ++
> > + for (i = 0; i < session->internals.handshake_recv_buffer_size;
> i++) {
> > +- if (session->internals.handshake_recv_buffer[i].htype ==
> > +- hsk->htype) {
> > ++ if (recv_buf[i].htype == hsk->htype) {
> > + exists = 1;
> > + pos = i;
> > + break;
> > +@@ -1005,44 +1007,24 @@ static int
> merge_handshake_packet(gnutls_session_t session,
> > + _gnutls_write_uint24(0, &hsk->header[6]);
> > + _gnutls_write_uint24(hsk->length, &hsk->header[9]);
> > +
> > +- _gnutls_handshake_buffer_move(
> > +- &session->internals.handshake_recv_buffer[pos],
> hsk);
> > ++ _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
> > +
> > + } else {
> > +- if (hsk->start_offset <
> > +- session->internals.handshake_recv_buffer[pos]
> > +- .start_offset &&
> > +- hsk->end_offset + 1 >=
> > +- session->internals.handshake_recv_buffer[pos]
> > +- .start_offset) {
> > +-
> memcpy(&session->internals.handshake_recv_buffer[pos]
> > +- .data.data[hsk->start_offset],
> > ++ if (hsk->start_offset < recv_buf[pos].start_offset &&
> > ++ hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
> > ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
> > + hsk->data.data, hsk->data.length);
> > +- session->internals.handshake_recv_buffer[pos]
> > +- .start_offset = hsk->start_offset;
> > +- session->internals.handshake_recv_buffer[pos]
> > +- .end_offset = MIN(
> > +- hsk->end_offset,
> > +-
> session->internals.handshake_recv_buffer[pos]
> > +- .end_offset);
> > +- } else if (hsk->end_offset >
> > +-
> session->internals.handshake_recv_buffer[pos]
> > +- .end_offset &&
> > +- hsk->start_offset <=
> > +-
> session->internals.handshake_recv_buffer[pos]
> > +- .end_offset +
> > +- 1) {
> > +-
> memcpy(&session->internals.handshake_recv_buffer[pos]
> > +- .data.data[hsk->start_offset],
> > ++ recv_buf[pos].start_offset = hsk->start_offset;
> > ++ recv_buf[pos].end_offset =
> > ++ MIN(hsk->end_offset,
> recv_buf[pos].end_offset);
> > ++ } else if (hsk->end_offset > recv_buf[pos].end_offset &&
> > ++ hsk->start_offset <= recv_buf[pos].end_offset +
> 1) {
> > ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
> > + hsk->data.data, hsk->data.length);
> > +
> > +- session->internals.handshake_recv_buffer[pos]
> > +- .end_offset = hsk->end_offset;
> > +- session->internals.handshake_recv_buffer[pos]
> > +- .start_offset = MIN(
> > +- hsk->start_offset,
> > +-
> session->internals.handshake_recv_buffer[pos]
> > +- .start_offset);
> > ++ recv_buf[pos].end_offset = hsk->end_offset;
> > ++ recv_buf[pos].start_offset = MIN(
> > ++ hsk->start_offset,
> recv_buf[pos].start_offset);
> > + }
> > + _gnutls_handshake_buffer_clear(hsk);
> > + }
> > +--
> > +2.43.0
> > +
> > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
> b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
> > new file mode 100644
> > index 0000000000..e7d5cc6c2b
> > --- /dev/null
> > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
> > @@ -0,0 +1,67 @@
> > +From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001
> > +From: Alexander Sosedkin <asosedkin@redhat.com>
> > +Date: Fri, 17 Apr 2026 18:21:36 +0200
> > +Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly
> > +
> > +Previously, gnutls didn't check that DTLS fragments claimed
> > +a consistent message_length value.
> > +Additionally, a crucial array size check was missing,
> > +enabling an attacker to cause a heap overwrite.
> > +The updated version rejects fragments with mismatching length
> > +and adds a missing boundary check.
> > +
> > +Reported-by: Haruto Kimura (Stella)
> > +Reported-by: Oscar Reparaz
> > +Reported-by: Zou Dikai
> > +Fixes: #1816
> > +Fixes: #1838
> > +Fixes: #1839
> > +Fixes: CVE-2026-33846
> > +Fixes: GNUTLS-SA-2026-04-29-1
> > +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
> > +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> > +
> > +CVE: CVE-2026-33846
> > +Upstream-Status: Backport [
> https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78
> ]
> > +
> > +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> > +(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78)
> > +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <
> hsimeliere.opensource@witekio.com>
> > +---
> > + lib/buffers.c | 20 ++++++++++++++++++++
> > + 1 file changed, 20 insertions(+)
> > +
> > +diff --git a/lib/buffers.c b/lib/buffers.c
> > +index d54c77022..5d4d16276 100644
> > +--- a/lib/buffers.c
> > ++++ b/lib/buffers.c
> > +@@ -1010,6 +1010,26 @@ static int
> merge_handshake_packet(gnutls_session_t session,
> > + _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
> > +
> > + } else {
> > ++ if (hsk->length != recv_buf[pos].length) {
> > ++ /* inconsistent across fragments */
> > ++ _gnutls_handshake_buffer_clear(hsk);
> > ++ return gnutls_assert_val(
> > ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
> > ++ }
> > ++ /* start_offset + data.length <= hsk->length <= max_length
> */
> > ++ if (hsk->length < hsk->start_offset + hsk->data.length) {
> > ++ /* impossible claims, overflow requested */
> > ++ _gnutls_handshake_buffer_clear(hsk);
> > ++ return gnutls_assert_val(
> > ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
> > ++ }
> > ++ if (hsk->length > recv_buf[pos].data.max_length) {
> > ++ /* we don't have this much allocated, overflow
> guard */
> > ++ _gnutls_handshake_buffer_clear(hsk);
> > ++ return gnutls_assert_val(
> > ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
> > ++ }
> > ++
> > + if (hsk->start_offset < recv_buf[pos].start_offset &&
> > + hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
> > + memcpy(&recv_buf[pos].data.data[hsk->start_offset],
> > +--
> > +2.43.0
> > +
> > diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> > index ccb6a2b4b2..e40a654a8e 100644
> > --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> > +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> > @@ -43,6 +43,8 @@ SRC_URI = "
> https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
> > file://CVE-2025-14831-7.patch \
> > file://CVE-2025-14831-8.patch \
> > file://CVE-2025-14831-9.patch \
> > + file://CVE-2026-33846-pre.patch \
> > + file://CVE-2026-33846.patch \
> > "
> >
> > SRC_URI[sha256sum] =
> "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
>
>
> --
> Yoann Congal
> Smile ECS
>
>
--
Yoann Congal
Smile ECS
[-- Attachment #2: Type: text/html, Size: 16622 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread