[kirkstone] libtasn1: fix CVE-2024-12133

From: Zhang Peng <peng.zhang1.cn@windriver.com>

CVE-2024-12133:
A flaw in libtasn1 causes inefficient handling of specific certificate data.
When processing a large number of elements in a certificate, libtasn1 takes
much longer than expected, which can slow down or even crash the system.
This flaw allows an attacker to send a specially crafted certificate,
causing a denial of service attack.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-12133]

Upstream patches:
[https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a]
[https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
---
 .../gnutls/libtasn1/CVE-2024-12133-0001.patch |  43 ++++
 .../gnutls/libtasn1/CVE-2024-12133-0002.patch | 235 ++++++++++++++++++
 .../recipes-support/gnutls/libtasn1_4.19.0.bb |   2 +
 3 files changed, 280 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
 create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch

Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/kirkstone-libtasn1-fix-CVE-2024-12133.patch

FAIL: test shortlog format: Commit shortlog (first line of commit message) should follow the format "<target>: <summary>" (test_mbox.TestMbox.test_shortlog_format)
FAIL: test shortlog length: Edit shortlog so that it is 90 characters or less (currently 101 characters) (test_mbox.TestMbox.test_shortlog_length)

PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore)
PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

Hi,

Le ven. 7 mars 2025 à 11:46, Patchtest via lists.openembedded.org
<patchtest=automation.yoctoproject.org@lists.openembedded.org> a écrit
:
>
> Thank you for your submission. Patchtest identified one
> or more issues with the patch. Please see the log below for
> more information:
>
> ---
> Testing patch /home/patchtest/share/mboxes/kirkstone-libtasn1-fix-CVE-2024-12133.patch
>
> FAIL: test shortlog format: Commit shortlog (first line of commit message) should follow the format "<target>: <summary>" (test_mbox.TestMbox.test_shortlog_format)
> FAIL: test shortlog length: Edit shortlog so that it is 90 characters or less (currently 101 characters) (test_mbox.TestMbox.test_shortlog_length)

That look like a false positive from patchtest. Maybe caused by the
space in the "[PATCH ]" tag?
CC'ing Trevor.

> PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files)
> PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore)
> PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
> PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
> PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
> PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
> PASS: test author valid (test_mbox.TestMbox.test_author_valid)
> PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
> PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
> PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
> PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
> PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
> PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
> PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files)
> PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)
>
> SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
> SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
> SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
> SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
> SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
> SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
> SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)
>
> ---
>
> Please address the issues identified and
> submit a new revision of the patch, or alternatively, reply to this
> email with an explanation of why the patch should be accepted. If you
> believe these results are due to an error in patchtest, please submit a
> bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
> under 'Yocto Project Subprojects'). For more information on specific
> failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
> you!
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#212429): https://lists.openembedded.org/g/openembedded-core/message/212429
> Mute This Topic: https://lists.openembedded.org/mt/111565411/4316185
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [yoann.congal@smile.fr]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Hi Zhang Peng,

Updating libtasn1 to 4.20.0 from 4.19.0 will fix the CVE-2024-12133.

Upgrade patch was already sent and now it is in the master branch .

https://git.openembedded.org/openembedded-core/commit/?id=3a8633b9f522e0be31c08790a3f2050c6d052d93

https://lists.openembedded.org/g/openembedded-core/message/212059

Later it will merged to scarthgap and kirkstone branches.

Thanks & Regards,
Vijay






On Fri, Mar 7, 2025 at 4:10 PM Zhang, Peng (Paul) (CN) via
lists.openembedded.org <peng.zhang1.cn=windriver.com@lists.openembedded.org>
wrote:

> From: Zhang Peng <peng.zhang1.cn@windriver.com>
>
> CVE-2024-12133:
> A flaw in libtasn1 causes inefficient handling of specific certificate
> data.
> When processing a large number of elements in a certificate, libtasn1 takes
> much longer than expected, which can slow down or even crash the system.
> This flaw allows an attacker to send a specially crafted certificate,
> causing a denial of service attack.
>
> Reference:
> [https://nvd.nist.gov/vuln/detail/CVE-2024-12133]
>
> Upstream patches:
> [
> https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a
> ]
> [
> https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d
> ]
>
> Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
> ---
>  .../gnutls/libtasn1/CVE-2024-12133-0001.patch |  43 ++++
>  .../gnutls/libtasn1/CVE-2024-12133-0002.patch | 235 ++++++++++++++++++
>  .../recipes-support/gnutls/libtasn1_4.19.0.bb |   2 +
>  3 files changed, 280 insertions(+)
>  create mode 100644
> meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
>  create mode 100644
> meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
>
> diff --git
> a/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
> b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
> new file mode 100644
> index 0000000000..d843b6dc92
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
> @@ -0,0 +1,43 @@
> +From 4082ca2220b5ba910b546afddf7780fc4a51f75a Mon Sep 17 00:00:00 2001
> +From: Daiki Ueno <ueno@gnu.org>
> +Date: Sat, 19 Oct 2024 02:47:04 +0900
> +Subject: [PATCH] asn1_der_decoding2: optimize _asn1_find_up call with node
> + cache
> +
> +If we are parsing a sequence or set and the current node is a direct
> +child of it, there is no need to traverse the list back to the
> +leftmost one as we have a node cache.
> +
> +Signed-off-by: Daiki Ueno <ueno@gnu.org>
> +Signed-off-by: Simon Josefsson <simon@josefsson.org>
> +
> +CVE: CVE-2024-12133
> +Upstream-Status: Backport [
> https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a
> ]
> +
> +Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
> +---
> + lib/decoding.c | 9 ++++++++-
> + 1 file changed, 8 insertions(+), 1 deletion(-)
> +
> +diff --git a/lib/decoding.c b/lib/decoding.c
> +index d2f6dea..1e0fcb3 100644
> +--- a/lib/decoding.c
> ++++ b/lib/decoding.c
> +@@ -1570,7 +1570,14 @@ asn1_der_decoding2 (asn1_node *element, const void
> *ider, int *max_ider_len,
> +           move = UP;
> +       }
> +       if (move == UP)
> +-      p = _asn1_find_up (p);
> ++      {
> ++        /* If we are parsing a sequence or set and p is a direct
> ++           child of it, no need to traverse the list back to the
> leftmost node. */
> ++        if (tcache.tail == p)
> ++          p = tcache.head;
> ++        else
> ++          p = _asn1_find_up (p);
> ++      }
> +     }
> +
> +   _asn1_delete_not_used (*element);
> +--
> +GitLab
> diff --git
> a/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
> b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
> new file mode 100644
> index 0000000000..a3a6af2920
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
> @@ -0,0 +1,235 @@
> +From 869a97aa259dffa2620dabcad84e1c22545ffc3d Mon Sep 17 00:00:00 2001
> +From: Daiki Ueno <ueno@gnu.org>
> +Date: Fri, 8 Nov 2024 16:05:32 +0900
> +Subject: [PATCH] asn1_find_node: optimize "?NUMBER" node lookup with
> indexing
> +
> +To avoid linear search of named nodes, this adds a array of child
> +nodes to their parent nodes as a cache.
> +
> +Signed-off-by: Daiki Ueno <ueno@gnu.org>
> +Signed-off-by: Simon Josefsson <simon@josefsson.org>
> +
> +CVE: CVE-2024-12133
> +Upstream-Status: Backport [
> https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d
> ]
> +
> +Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
> +---
> + lib/element.c    | 56 ++++++++++++++++++++++++++++++++++++++++++------
> + lib/element.h    | 10 +++++++++
> + lib/int.h        |  8 +++++++
> + lib/parser_aux.c | 10 +++++++++
> + lib/structure.c  | 13 +++++++++++
> + 5 files changed, 90 insertions(+), 7 deletions(-)
> +
> +diff --git a/lib/element.c b/lib/element.c
> +index 850bef4a..528df418 100644
> +--- a/lib/element.c
> ++++ b/lib/element.c
> +@@ -33,6 +33,8 @@
> + #include "structure.h"
> + #include "c-ctype.h"
> + #include "element.h"
> ++#include <limits.h>
> ++#include "intprops.h"
> +
> + void
> + _asn1_hierarchical_name (asn1_node_const node, char *name, int name_size)
> +@@ -129,6 +131,41 @@ _asn1_convert_integer (const unsigned char *value,
> unsigned char *value_out,
> +   return ASN1_SUCCESS;
> + }
> +
> ++int
> ++_asn1_node_array_set (struct asn1_node_array_st *array, size_t position,
> ++                    asn1_node node)
> ++{
> ++  if (position >= array->size)
> ++    {
> ++      size_t new_size = position, i;
> ++      asn1_node *new_nodes;
> ++
> ++      if (INT_MULTIPLY_OVERFLOW (new_size, 2))
> ++      return ASN1_GENERIC_ERROR;
> ++      new_size *= 2;
> ++
> ++      if (INT_ADD_OVERFLOW (new_size, 1))
> ++      return ASN1_GENERIC_ERROR;
> ++      new_size += 1;
> ++
> ++      if (INT_MULTIPLY_OVERFLOW (new_size, sizeof (*new_nodes)))
> ++      return ASN1_GENERIC_ERROR;
> ++
> ++      new_nodes = realloc (array->nodes, new_size * sizeof (*new_nodes));
> ++      if (!new_nodes)
> ++      return ASN1_MEM_ALLOC_ERROR;
> ++
> ++      for (i = array->size; i < new_size; i++)
> ++      new_nodes[i] = NULL;
> ++
> ++      array->nodes = new_nodes;
> ++      array->size = new_size;
> ++    }
> ++
> ++  array->nodes[position] = node;
> ++  return ASN1_SUCCESS;
> ++}
> ++
> + /* Appends a new element into the sequence (or set) defined by this
> +  * node. The new element will have a name of '?number', where number
> +  * is a monotonically increased serial number.
> +@@ -145,6 +182,7 @@ _asn1_append_sequence_set (asn1_node node, struct
> node_tail_cache_st *pcache)
> +   asn1_node p, p2;
> +   char temp[LTOSTR_MAX_SIZE + 1];
> +   long n;
> ++  int result;
> +
> +   if (!node || !(node->down))
> +     return ASN1_GENERIC_ERROR;
> +@@ -177,17 +215,21 @@ _asn1_append_sequence_set (asn1_node node, struct
> node_tail_cache_st *pcache)
> +       pcache->tail = p2;
> +     }
> +
> +-  if (p->name[0] == 0)
> +-    _asn1_str_cpy (temp, sizeof (temp), "?1");
> +-  else
> ++  n = 0;
> ++  if (p->name[0] != 0)
> +     {
> +-      n = strtol (p->name + 1, NULL, 0);
> +-      n++;
> +-      temp[0] = '?';
> +-      _asn1_ltostr (n, temp + 1);
> ++      n = strtol (p->name + 1, NULL, 10);
> ++      if (n <= 0 || n >= LONG_MAX - 1)
> ++      return ASN1_GENERIC_ERROR;
> +     }
> ++  temp[0] = '?';
> ++  _asn1_ltostr (n + 1, temp + 1);
> +   _asn1_set_name (p2, temp);
> +   /*  p2->type |= CONST_OPTION; */
> ++  result = _asn1_node_array_set (&node->numbered_children, n, p2);
> ++  if (result != ASN1_SUCCESS)
> ++    return result;
> ++  p2->parent = node;
> +
> +   return ASN1_SUCCESS;
> + }
> +diff --git a/lib/element.h b/lib/element.h
> +index 732054e9..b84e3a27 100644
> +--- a/lib/element.h
> ++++ b/lib/element.h
> +@@ -38,4 +38,14 @@ int _asn1_convert_integer (const unsigned char *value,
> + void _asn1_hierarchical_name (asn1_node_const node, char *name,
> +                             int name_size);
> +
> ++static inline asn1_node_const
> ++_asn1_node_array_get (const struct asn1_node_array_st *array, size_t
> position)
> ++{
> ++  return position < array->size ? array->nodes[position] : NULL;
> ++}
> ++
> ++int
> ++_asn1_node_array_set (struct asn1_node_array_st *array, size_t position,
> ++                    asn1_node node);
> ++
> + #endif
> +diff --git a/lib/int.h b/lib/int.h
> +index 4f2d98d1..41b12b0b 100644
> +--- a/lib/int.h
> ++++ b/lib/int.h
> +@@ -31,6 +31,12 @@
> +
> + # define ASN1_SMALL_VALUE_SIZE 16
> +
> ++struct asn1_node_array_st
> ++{
> ++  asn1_node *nodes;
> ++  size_t size;
> ++};
> ++
> + /* This structure is also in libtasn1.h, but then contains less
> +    fields.  You cannot make any modifications to these first fields
> +    without breaking ABI.  */
> +@@ -47,6 +53,8 @@ struct asn1_node_st
> +   asn1_node left;             /* Pointer to the next list element */
> +   /* private fields: */
> +   unsigned char small_value[ASN1_SMALL_VALUE_SIZE];   /* For small
> values */
> ++  asn1_node parent;           /* Pointer to the parent node */
> ++  struct asn1_node_array_st numbered_children; /* Array of unnamed child
> nodes for caching */
> +
> +   /* values used during decoding/coding */
> +   int tmp_ival;
> +diff --git a/lib/parser_aux.c b/lib/parser_aux.c
> +index 415905a0..4281cc97 100644
> +--- a/lib/parser_aux.c
> ++++ b/lib/parser_aux.c
> +@@ -126,6 +126,7 @@ asn1_find_node (asn1_node_const pointer, const char
> *name)
> +   const char *n_start;
> +   unsigned int nsize;
> +   unsigned int nhash;
> ++  const struct asn1_node_array_st *numbered_children;
> +
> +   if (pointer == NULL)
> +     return NULL;
> +@@ -209,6 +210,7 @@ asn1_find_node (asn1_node_const pointer, const char
> *name)
> +       if (p->down == NULL)
> +       return NULL;
> +
> ++      numbered_children = &p->numbered_children;
> +       p = p->down;
> +       if (p == NULL)
> +       return NULL;
> +@@ -222,6 +224,12 @@ asn1_find_node (asn1_node_const pointer, const char
> *name)
> +       }
> +       else
> +       {                       /* no "?LAST" */
> ++        if (n[0] == '?' && c_isdigit (n[1]))
> ++          {
> ++            long position = strtol (n + 1, NULL, 10);
> ++            if (position > 0 && position < LONG_MAX)
> ++              p = _asn1_node_array_get (numbered_children, position - 1);
> ++          }
> +         while (p)
> +           {
> +             if (p->name_hash == nhash && !strcmp (p->name, n))
> +@@ -509,6 +517,8 @@ _asn1_remove_node (asn1_node node, unsigned int flags)
> +       if (node->value != node->small_value)
> +       free (node->value);
> +     }
> ++
> ++  free (node->numbered_children.nodes);
> +   free (node);
> + }
> +
> +diff --git a/lib/structure.c b/lib/structure.c
> +index 9c95b9e2..32692ad2 100644
> +--- a/lib/structure.c
> ++++ b/lib/structure.c
> +@@ -31,6 +31,9 @@
> + #include <structure.h>
> + #include "parser_aux.h"
> + #include <gstr.h>
> ++#include "c-ctype.h"
> ++#include "element.h"
> ++#include <limits.h>
> +
> +
> + extern char _asn1_identifierMissing[];
> +@@ -391,6 +394,16 @@ asn1_delete_element (asn1_node structure, const char
> *element_name)
> +   if (source_node == NULL)
> +     return ASN1_ELEMENT_NOT_FOUND;
> +
> ++  if (source_node->parent
> ++      && source_node->name[0] == '?'
> ++      && c_isdigit (source_node->name[1]))
> ++    {
> ++      long position = strtol (source_node->name + 1, NULL, 10);
> ++      if (position > 0 && position < LONG_MAX)
> ++      _asn1_node_array_set (&source_node->parent->numbered_children,
> ++                            position - 1, NULL);
> ++    }
> ++
> +   p2 = source_node->right;
> +   p3 = _asn1_find_left (source_node);
> +   if (!p3)
> +--
> +GitLab
> diff --git a/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
> b/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
> index 5fb8b54c06..d5bc1e408e 100644
> --- a/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
> +++ b/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
> @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM =
> "file://doc/COPYING;md5=d32239bcb673463ab874e80d47fae504 \
>
>  SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \
>             file://dont-depend-on-help2man.patch \
> +           file://CVE-2024-12133-0001.patch \
> +           file://CVE-2024-12133-0002.patch \
>             "
>
>  DEPENDS = "bison-native"
> --
> 2.43.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#212428):
> https://lists.openembedded.org/g/openembedded-core/message/212428
> Mute This Topic: https://lists.openembedded.org/mt/111565382/7301997
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> vanusuri@mvista.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

On 2025-03-07 11:56, Yoann Congal wrote:
> Hi,
>
> Le ven. 7 mars 2025 à 11:46, Patchtest via lists.openembedded.org
> <patchtest=automation.yoctoproject.org@lists.openembedded.org> a écrit
> :
>> Thank you for your submission. Patchtest identified one
>> or more issues with the patch. Please see the log below for
>> more information:
>>
>> ---
>> Testing patch /home/patchtest/share/mboxes/kirkstone-libtasn1-fix-CVE-2024-12133.patch
>>
>> FAIL: test shortlog format: Commit shortlog (first line of commit message) should follow the format "<target>: <summary>" (test_mbox.TestMbox.test_shortlog_format)
>> FAIL: test shortlog length: Edit shortlog so that it is 90 characters or less (currently 101 characters) (test_mbox.TestMbox.test_shortlog_length)
> That look like a false positive from patchtest. Maybe caused by the
> space in the "[PATCH ]" tag?
> CC'ing Trevor.

No, the regex should be OK with that. I think it's a problem with the 
encoding in Patchwork itself.

Patchtest uses git-pw to pull down series to test, and when I try to do 
the same, I see this in the file's headers:

From: peng.zhang1.cn@windriver.com
To: openembedded-core@lists.openembedded.org
Subject: 
=?utf-8?q?=5BOE-core=5D=5Bkirkstone=5D=5BPATCH=C2=A0=5D_libtasn1=3A?=
     =?utf-8?q?_fix_CVE-2024-12133?=

Same thing shows up if you manually download and view the mbox from 
Patchwork.

It is a false positive, though. I'll file a bug...

>> PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files)
>> PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore)
>> PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
>> PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
>> PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
>> PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
>> PASS: test author valid (test_mbox.TestMbox.test_author_valid)
>> PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
>> PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
>> PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
>> PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
>> PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
>> PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
>> PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files)
>> PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)
>>
>> SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
>> SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
>> SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
>> SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
>> SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
>> SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
>> SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)
>>
>> ---
>>
>> Please address the issues identified and
>> submit a new revision of the patch, or alternatively, reply to this
>> email with an explanation of why the patch should be accepted. If you
>> believe these results are due to an error in patchtest, please submit a
>> bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
>> under 'Yocto Project Subprojects'). For more information on specific
>> failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
>> you!
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#212429): https://lists.openembedded.org/g/openembedded-core/message/212429
>> Mute This Topic: https://lists.openembedded.org/mt/111565411/4316185
>> Group Owner: openembedded-core+owner@lists.openembedded.org
>> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [yoann.congal@smile.fr]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>
>

On Fri, Mar 7, 2025 at 3:09 AM Vijay Anusuri via
lists.openembedded.org <vanusuri=mvista.com@lists.openembedded.org>
wrote:
>
> Hi Zhang Peng,
>
> Updating libtasn1 to 4.20.0 from 4.19.0 will fix the CVE-2024-12133.
>
> Upgrade patch was already sent and now it is in the master branch .
>
> https://git.openembedded.org/openembedded-core/commit/?id=3a8633b9f522e0be31c08790a3f2050c6d052d93
>
> https://lists.openembedded.org/g/openembedded-core/message/212059
>
> Later it will merged to scarthgap and kirkstone branches.

Looks like you only tagged it for styhead and scarthgap.  I'll add it
to kirkstone too.

Steve


> On Fri, Mar 7, 2025 at 4:10 PM Zhang, Peng (Paul) (CN) via lists.openembedded.org <peng.zhang1.cn=windriver.com@lists.openembedded.org> wrote:
>>
>> From: Zhang Peng <peng.zhang1.cn@windriver.com>
>>
>> CVE-2024-12133:
>> A flaw in libtasn1 causes inefficient handling of specific certificate data.
>> When processing a large number of elements in a certificate, libtasn1 takes
>> much longer than expected, which can slow down or even crash the system.
>> This flaw allows an attacker to send a specially crafted certificate,
>> causing a denial of service attack.
>>
>> Reference:
>> [https://nvd.nist.gov/vuln/detail/CVE-2024-12133]
>>
>> Upstream patches:
>> [https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a]
>> [https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d]
>>
>> Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
>> ---
>>  .../gnutls/libtasn1/CVE-2024-12133-0001.patch |  43 ++++
>>  .../gnutls/libtasn1/CVE-2024-12133-0002.patch | 235 ++++++++++++++++++
>>  .../recipes-support/gnutls/libtasn1_4.19.0.bb |   2 +
>>  3 files changed, 280 insertions(+)
>>  create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
>>  create mode 100644 meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
>>
>> diff --git a/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
>> new file mode 100644
>> index 0000000000..d843b6dc92
>> --- /dev/null
>> +++ b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
>> @@ -0,0 +1,43 @@
>> +From 4082ca2220b5ba910b546afddf7780fc4a51f75a Mon Sep 17 00:00:00 2001
>> +From: Daiki Ueno <ueno@gnu.org>
>> +Date: Sat, 19 Oct 2024 02:47:04 +0900
>> +Subject: [PATCH] asn1_der_decoding2: optimize _asn1_find_up call with node
>> + cache
>> +
>> +If we are parsing a sequence or set and the current node is a direct
>> +child of it, there is no need to traverse the list back to the
>> +leftmost one as we have a node cache.
>> +
>> +Signed-off-by: Daiki Ueno <ueno@gnu.org>
>> +Signed-off-by: Simon Josefsson <simon@josefsson.org>
>> +
>> +CVE: CVE-2024-12133
>> +Upstream-Status: Backport [https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a]
>> +
>> +Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
>> +---
>> + lib/decoding.c | 9 ++++++++-
>> + 1 file changed, 8 insertions(+), 1 deletion(-)
>> +
>> +diff --git a/lib/decoding.c b/lib/decoding.c
>> +index d2f6dea..1e0fcb3 100644
>> +--- a/lib/decoding.c
>> ++++ b/lib/decoding.c
>> +@@ -1570,7 +1570,14 @@ asn1_der_decoding2 (asn1_node *element, const void *ider, int *max_ider_len,
>> +           move = UP;
>> +       }
>> +       if (move == UP)
>> +-      p = _asn1_find_up (p);
>> ++      {
>> ++        /* If we are parsing a sequence or set and p is a direct
>> ++           child of it, no need to traverse the list back to the leftmost node. */
>> ++        if (tcache.tail == p)
>> ++          p = tcache.head;
>> ++        else
>> ++          p = _asn1_find_up (p);
>> ++      }
>> +     }
>> +
>> +   _asn1_delete_not_used (*element);
>> +--
>> +GitLab
>> diff --git a/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
>> new file mode 100644
>> index 0000000000..a3a6af2920
>> --- /dev/null
>> +++ b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
>> @@ -0,0 +1,235 @@
>> +From 869a97aa259dffa2620dabcad84e1c22545ffc3d Mon Sep 17 00:00:00 2001
>> +From: Daiki Ueno <ueno@gnu.org>
>> +Date: Fri, 8 Nov 2024 16:05:32 +0900
>> +Subject: [PATCH] asn1_find_node: optimize "?NUMBER" node lookup with indexing
>> +
>> +To avoid linear search of named nodes, this adds a array of child
>> +nodes to their parent nodes as a cache.
>> +
>> +Signed-off-by: Daiki Ueno <ueno@gnu.org>
>> +Signed-off-by: Simon Josefsson <simon@josefsson.org>
>> +
>> +CVE: CVE-2024-12133
>> +Upstream-Status: Backport [https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d]
>> +
>> +Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
>> +---
>> + lib/element.c    | 56 ++++++++++++++++++++++++++++++++++++++++++------
>> + lib/element.h    | 10 +++++++++
>> + lib/int.h        |  8 +++++++
>> + lib/parser_aux.c | 10 +++++++++
>> + lib/structure.c  | 13 +++++++++++
>> + 5 files changed, 90 insertions(+), 7 deletions(-)
>> +
>> +diff --git a/lib/element.c b/lib/element.c
>> +index 850bef4a..528df418 100644
>> +--- a/lib/element.c
>> ++++ b/lib/element.c
>> +@@ -33,6 +33,8 @@
>> + #include "structure.h"
>> + #include "c-ctype.h"
>> + #include "element.h"
>> ++#include <limits.h>
>> ++#include "intprops.h"
>> +
>> + void
>> + _asn1_hierarchical_name (asn1_node_const node, char *name, int name_size)
>> +@@ -129,6 +131,41 @@ _asn1_convert_integer (const unsigned char *value, unsigned char *value_out,
>> +   return ASN1_SUCCESS;
>> + }
>> +
>> ++int
>> ++_asn1_node_array_set (struct asn1_node_array_st *array, size_t position,
>> ++                    asn1_node node)
>> ++{
>> ++  if (position >= array->size)
>> ++    {
>> ++      size_t new_size = position, i;
>> ++      asn1_node *new_nodes;
>> ++
>> ++      if (INT_MULTIPLY_OVERFLOW (new_size, 2))
>> ++      return ASN1_GENERIC_ERROR;
>> ++      new_size *= 2;
>> ++
>> ++      if (INT_ADD_OVERFLOW (new_size, 1))
>> ++      return ASN1_GENERIC_ERROR;
>> ++      new_size += 1;
>> ++
>> ++      if (INT_MULTIPLY_OVERFLOW (new_size, sizeof (*new_nodes)))
>> ++      return ASN1_GENERIC_ERROR;
>> ++
>> ++      new_nodes = realloc (array->nodes, new_size * sizeof (*new_nodes));
>> ++      if (!new_nodes)
>> ++      return ASN1_MEM_ALLOC_ERROR;
>> ++
>> ++      for (i = array->size; i < new_size; i++)
>> ++      new_nodes[i] = NULL;
>> ++
>> ++      array->nodes = new_nodes;
>> ++      array->size = new_size;
>> ++    }
>> ++
>> ++  array->nodes[position] = node;
>> ++  return ASN1_SUCCESS;
>> ++}
>> ++
>> + /* Appends a new element into the sequence (or set) defined by this
>> +  * node. The new element will have a name of '?number', where number
>> +  * is a monotonically increased serial number.
>> +@@ -145,6 +182,7 @@ _asn1_append_sequence_set (asn1_node node, struct node_tail_cache_st *pcache)
>> +   asn1_node p, p2;
>> +   char temp[LTOSTR_MAX_SIZE + 1];
>> +   long n;
>> ++  int result;
>> +
>> +   if (!node || !(node->down))
>> +     return ASN1_GENERIC_ERROR;
>> +@@ -177,17 +215,21 @@ _asn1_append_sequence_set (asn1_node node, struct node_tail_cache_st *pcache)
>> +       pcache->tail = p2;
>> +     }
>> +
>> +-  if (p->name[0] == 0)
>> +-    _asn1_str_cpy (temp, sizeof (temp), "?1");
>> +-  else
>> ++  n = 0;
>> ++  if (p->name[0] != 0)
>> +     {
>> +-      n = strtol (p->name + 1, NULL, 0);
>> +-      n++;
>> +-      temp[0] = '?';
>> +-      _asn1_ltostr (n, temp + 1);
>> ++      n = strtol (p->name + 1, NULL, 10);
>> ++      if (n <= 0 || n >= LONG_MAX - 1)
>> ++      return ASN1_GENERIC_ERROR;
>> +     }
>> ++  temp[0] = '?';
>> ++  _asn1_ltostr (n + 1, temp + 1);
>> +   _asn1_set_name (p2, temp);
>> +   /*  p2->type |= CONST_OPTION; */
>> ++  result = _asn1_node_array_set (&node->numbered_children, n, p2);
>> ++  if (result != ASN1_SUCCESS)
>> ++    return result;
>> ++  p2->parent = node;
>> +
>> +   return ASN1_SUCCESS;
>> + }
>> +diff --git a/lib/element.h b/lib/element.h
>> +index 732054e9..b84e3a27 100644
>> +--- a/lib/element.h
>> ++++ b/lib/element.h
>> +@@ -38,4 +38,14 @@ int _asn1_convert_integer (const unsigned char *value,
>> + void _asn1_hierarchical_name (asn1_node_const node, char *name,
>> +                             int name_size);
>> +
>> ++static inline asn1_node_const
>> ++_asn1_node_array_get (const struct asn1_node_array_st *array, size_t position)
>> ++{
>> ++  return position < array->size ? array->nodes[position] : NULL;
>> ++}
>> ++
>> ++int
>> ++_asn1_node_array_set (struct asn1_node_array_st *array, size_t position,
>> ++                    asn1_node node);
>> ++
>> + #endif
>> +diff --git a/lib/int.h b/lib/int.h
>> +index 4f2d98d1..41b12b0b 100644
>> +--- a/lib/int.h
>> ++++ b/lib/int.h
>> +@@ -31,6 +31,12 @@
>> +
>> + # define ASN1_SMALL_VALUE_SIZE 16
>> +
>> ++struct asn1_node_array_st
>> ++{
>> ++  asn1_node *nodes;
>> ++  size_t size;
>> ++};
>> ++
>> + /* This structure is also in libtasn1.h, but then contains less
>> +    fields.  You cannot make any modifications to these first fields
>> +    without breaking ABI.  */
>> +@@ -47,6 +53,8 @@ struct asn1_node_st
>> +   asn1_node left;             /* Pointer to the next list element */
>> +   /* private fields: */
>> +   unsigned char small_value[ASN1_SMALL_VALUE_SIZE];   /* For small values */
>> ++  asn1_node parent;           /* Pointer to the parent node */
>> ++  struct asn1_node_array_st numbered_children; /* Array of unnamed child nodes for caching */
>> +
>> +   /* values used during decoding/coding */
>> +   int tmp_ival;
>> +diff --git a/lib/parser_aux.c b/lib/parser_aux.c
>> +index 415905a0..4281cc97 100644
>> +--- a/lib/parser_aux.c
>> ++++ b/lib/parser_aux.c
>> +@@ -126,6 +126,7 @@ asn1_find_node (asn1_node_const pointer, const char *name)
>> +   const char *n_start;
>> +   unsigned int nsize;
>> +   unsigned int nhash;
>> ++  const struct asn1_node_array_st *numbered_children;
>> +
>> +   if (pointer == NULL)
>> +     return NULL;
>> +@@ -209,6 +210,7 @@ asn1_find_node (asn1_node_const pointer, const char *name)
>> +       if (p->down == NULL)
>> +       return NULL;
>> +
>> ++      numbered_children = &p->numbered_children;
>> +       p = p->down;
>> +       if (p == NULL)
>> +       return NULL;
>> +@@ -222,6 +224,12 @@ asn1_find_node (asn1_node_const pointer, const char *name)
>> +       }
>> +       else
>> +       {                       /* no "?LAST" */
>> ++        if (n[0] == '?' && c_isdigit (n[1]))
>> ++          {
>> ++            long position = strtol (n + 1, NULL, 10);
>> ++            if (position > 0 && position < LONG_MAX)
>> ++              p = _asn1_node_array_get (numbered_children, position - 1);
>> ++          }
>> +         while (p)
>> +           {
>> +             if (p->name_hash == nhash && !strcmp (p->name, n))
>> +@@ -509,6 +517,8 @@ _asn1_remove_node (asn1_node node, unsigned int flags)
>> +       if (node->value != node->small_value)
>> +       free (node->value);
>> +     }
>> ++
>> ++  free (node->numbered_children.nodes);
>> +   free (node);
>> + }
>> +
>> +diff --git a/lib/structure.c b/lib/structure.c
>> +index 9c95b9e2..32692ad2 100644
>> +--- a/lib/structure.c
>> ++++ b/lib/structure.c
>> +@@ -31,6 +31,9 @@
>> + #include <structure.h>
>> + #include "parser_aux.h"
>> + #include <gstr.h>
>> ++#include "c-ctype.h"
>> ++#include "element.h"
>> ++#include <limits.h>
>> +
>> +
>> + extern char _asn1_identifierMissing[];
>> +@@ -391,6 +394,16 @@ asn1_delete_element (asn1_node structure, const char *element_name)
>> +   if (source_node == NULL)
>> +     return ASN1_ELEMENT_NOT_FOUND;
>> +
>> ++  if (source_node->parent
>> ++      && source_node->name[0] == '?'
>> ++      && c_isdigit (source_node->name[1]))
>> ++    {
>> ++      long position = strtol (source_node->name + 1, NULL, 10);
>> ++      if (position > 0 && position < LONG_MAX)
>> ++      _asn1_node_array_set (&source_node->parent->numbered_children,
>> ++                            position - 1, NULL);
>> ++    }
>> ++
>> +   p2 = source_node->right;
>> +   p3 = _asn1_find_left (source_node);
>> +   if (!p3)
>> +--
>> +GitLab
>> diff --git a/meta/recipes-support/gnutls/libtasn1_4.19.0.bb b/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
>> index 5fb8b54c06..d5bc1e408e 100644
>> --- a/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
>> +++ b/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
>> @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM = "file://doc/COPYING;md5=d32239bcb673463ab874e80d47fae504 \
>>
>>  SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \
>>             file://dont-depend-on-help2man.patch \
>> +           file://CVE-2024-12133-0001.patch \
>> +           file://CVE-2024-12133-0002.patch \
>>             "
>>
>>  DEPENDS = "bison-native"
>> --
>> 2.43.0
>>
>>
>>
>>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#212431): https://lists.openembedded.org/g/openembedded-core/message/212431
> Mute This Topic: https://lists.openembedded.org/mt/111565382/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Thanks Steve...!!!

Thanks & Regards,
Vijay

On Fri, Mar 7, 2025 at 9:34 PM Steve Sakoman via lists.openembedded.org
<steve=sakoman.com@lists.openembedded.org> wrote:

> On Fri, Mar 7, 2025 at 3:09 AM Vijay Anusuri via
> lists.openembedded.org <vanusuri=mvista.com@lists.openembedded.org>
> wrote:
> >
> > Hi Zhang Peng,
> >
> > Updating libtasn1 to 4.20.0 from 4.19.0 will fix the CVE-2024-12133.
> >
> > Upgrade patch was already sent and now it is in the master branch .
> >
> >
> https://git.openembedded.org/openembedded-core/commit/?id=3a8633b9f522e0be31c08790a3f2050c6d052d93
> >
> > https://lists.openembedded.org/g/openembedded-core/message/212059
> >
> > Later it will merged to scarthgap and kirkstone branches.
>
> Looks like you only tagged it for styhead and scarthgap.  I'll add it
> to kirkstone too.
>
> Steve
>
>
> > On Fri, Mar 7, 2025 at 4:10 PM Zhang, Peng (Paul) (CN) via
> lists.openembedded.org <peng.zhang1.cn=
> windriver.com@lists.openembedded.org> wrote:
> >>
> >> From: Zhang Peng <peng.zhang1.cn@windriver.com>
> >>
> >> CVE-2024-12133:
> >> A flaw in libtasn1 causes inefficient handling of specific certificate
> data.
> >> When processing a large number of elements in a certificate, libtasn1
> takes
> >> much longer than expected, which can slow down or even crash the system.
> >> This flaw allows an attacker to send a specially crafted certificate,
> >> causing a denial of service attack.
> >>
> >> Reference:
> >> [https://nvd.nist.gov/vuln/detail/CVE-2024-12133]
> >>
> >> Upstream patches:
> >> [
> https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a
> ]
> >> [
> https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d
> ]
> >>
> >> Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
> >> ---
> >>  .../gnutls/libtasn1/CVE-2024-12133-0001.patch |  43 ++++
> >>  .../gnutls/libtasn1/CVE-2024-12133-0002.patch | 235 ++++++++++++++++++
> >>  .../recipes-support/gnutls/libtasn1_4.19.0.bb |   2 +
> >>  3 files changed, 280 insertions(+)
> >>  create mode 100644
> meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
> >>  create mode 100644
> meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
> >>
> >> diff --git
> a/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
> b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
> >> new file mode 100644
> >> index 0000000000..d843b6dc92
> >> --- /dev/null
> >> +++ b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
> >> @@ -0,0 +1,43 @@
> >> +From 4082ca2220b5ba910b546afddf7780fc4a51f75a Mon Sep 17 00:00:00 2001
> >> +From: Daiki Ueno <ueno@gnu.org>
> >> +Date: Sat, 19 Oct 2024 02:47:04 +0900
> >> +Subject: [PATCH] asn1_der_decoding2: optimize _asn1_find_up call with
> node
> >> + cache
> >> +
> >> +If we are parsing a sequence or set and the current node is a direct
> >> +child of it, there is no need to traverse the list back to the
> >> +leftmost one as we have a node cache.
> >> +
> >> +Signed-off-by: Daiki Ueno <ueno@gnu.org>
> >> +Signed-off-by: Simon Josefsson <simon@josefsson.org>
> >> +
> >> +CVE: CVE-2024-12133
> >> +Upstream-Status: Backport [
> https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a
> ]
> >> +
> >> +Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
> >> +---
> >> + lib/decoding.c | 9 ++++++++-
> >> + 1 file changed, 8 insertions(+), 1 deletion(-)
> >> +
> >> +diff --git a/lib/decoding.c b/lib/decoding.c
> >> +index d2f6dea..1e0fcb3 100644
> >> +--- a/lib/decoding.c
> >> ++++ b/lib/decoding.c
> >> +@@ -1570,7 +1570,14 @@ asn1_der_decoding2 (asn1_node *element, const
> void *ider, int *max_ider_len,
> >> +           move = UP;
> >> +       }
> >> +       if (move == UP)
> >> +-      p = _asn1_find_up (p);
> >> ++      {
> >> ++        /* If we are parsing a sequence or set and p is a direct
> >> ++           child of it, no need to traverse the list back to the
> leftmost node. */
> >> ++        if (tcache.tail == p)
> >> ++          p = tcache.head;
> >> ++        else
> >> ++          p = _asn1_find_up (p);
> >> ++      }
> >> +     }
> >> +
> >> +   _asn1_delete_not_used (*element);
> >> +--
> >> +GitLab
> >> diff --git
> a/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
> b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
> >> new file mode 100644
> >> index 0000000000..a3a6af2920
> >> --- /dev/null
> >> +++ b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
> >> @@ -0,0 +1,235 @@
> >> +From 869a97aa259dffa2620dabcad84e1c22545ffc3d Mon Sep 17 00:00:00 2001
> >> +From: Daiki Ueno <ueno@gnu.org>
> >> +Date: Fri, 8 Nov 2024 16:05:32 +0900
> >> +Subject: [PATCH] asn1_find_node: optimize "?NUMBER" node lookup with
> indexing
> >> +
> >> +To avoid linear search of named nodes, this adds a array of child
> >> +nodes to their parent nodes as a cache.
> >> +
> >> +Signed-off-by: Daiki Ueno <ueno@gnu.org>
> >> +Signed-off-by: Simon Josefsson <simon@josefsson.org>
> >> +
> >> +CVE: CVE-2024-12133
> >> +Upstream-Status: Backport [
> https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d
> ]
> >> +
> >> +Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
> >> +---
> >> + lib/element.c    | 56 ++++++++++++++++++++++++++++++++++++++++++------
> >> + lib/element.h    | 10 +++++++++
> >> + lib/int.h        |  8 +++++++
> >> + lib/parser_aux.c | 10 +++++++++
> >> + lib/structure.c  | 13 +++++++++++
> >> + 5 files changed, 90 insertions(+), 7 deletions(-)
> >> +
> >> +diff --git a/lib/element.c b/lib/element.c
> >> +index 850bef4a..528df418 100644
> >> +--- a/lib/element.c
> >> ++++ b/lib/element.c
> >> +@@ -33,6 +33,8 @@
> >> + #include "structure.h"
> >> + #include "c-ctype.h"
> >> + #include "element.h"
> >> ++#include <limits.h>
> >> ++#include "intprops.h"
> >> +
> >> + void
> >> + _asn1_hierarchical_name (asn1_node_const node, char *name, int
> name_size)
> >> +@@ -129,6 +131,41 @@ _asn1_convert_integer (const unsigned char
> *value, unsigned char *value_out,
> >> +   return ASN1_SUCCESS;
> >> + }
> >> +
> >> ++int
> >> ++_asn1_node_array_set (struct asn1_node_array_st *array, size_t
> position,
> >> ++                    asn1_node node)
> >> ++{
> >> ++  if (position >= array->size)
> >> ++    {
> >> ++      size_t new_size = position, i;
> >> ++      asn1_node *new_nodes;
> >> ++
> >> ++      if (INT_MULTIPLY_OVERFLOW (new_size, 2))
> >> ++      return ASN1_GENERIC_ERROR;
> >> ++      new_size *= 2;
> >> ++
> >> ++      if (INT_ADD_OVERFLOW (new_size, 1))
> >> ++      return ASN1_GENERIC_ERROR;
> >> ++      new_size += 1;
> >> ++
> >> ++      if (INT_MULTIPLY_OVERFLOW (new_size, sizeof (*new_nodes)))
> >> ++      return ASN1_GENERIC_ERROR;
> >> ++
> >> ++      new_nodes = realloc (array->nodes, new_size * sizeof
> (*new_nodes));
> >> ++      if (!new_nodes)
> >> ++      return ASN1_MEM_ALLOC_ERROR;
> >> ++
> >> ++      for (i = array->size; i < new_size; i++)
> >> ++      new_nodes[i] = NULL;
> >> ++
> >> ++      array->nodes = new_nodes;
> >> ++      array->size = new_size;
> >> ++    }
> >> ++
> >> ++  array->nodes[position] = node;
> >> ++  return ASN1_SUCCESS;
> >> ++}
> >> ++
> >> + /* Appends a new element into the sequence (or set) defined by this
> >> +  * node. The new element will have a name of '?number', where number
> >> +  * is a monotonically increased serial number.
> >> +@@ -145,6 +182,7 @@ _asn1_append_sequence_set (asn1_node node, struct
> node_tail_cache_st *pcache)
> >> +   asn1_node p, p2;
> >> +   char temp[LTOSTR_MAX_SIZE + 1];
> >> +   long n;
> >> ++  int result;
> >> +
> >> +   if (!node || !(node->down))
> >> +     return ASN1_GENERIC_ERROR;
> >> +@@ -177,17 +215,21 @@ _asn1_append_sequence_set (asn1_node node,
> struct node_tail_cache_st *pcache)
> >> +       pcache->tail = p2;
> >> +     }
> >> +
> >> +-  if (p->name[0] == 0)
> >> +-    _asn1_str_cpy (temp, sizeof (temp), "?1");
> >> +-  else
> >> ++  n = 0;
> >> ++  if (p->name[0] != 0)
> >> +     {
> >> +-      n = strtol (p->name + 1, NULL, 0);
> >> +-      n++;
> >> +-      temp[0] = '?';
> >> +-      _asn1_ltostr (n, temp + 1);
> >> ++      n = strtol (p->name + 1, NULL, 10);
> >> ++      if (n <= 0 || n >= LONG_MAX - 1)
> >> ++      return ASN1_GENERIC_ERROR;
> >> +     }
> >> ++  temp[0] = '?';
> >> ++  _asn1_ltostr (n + 1, temp + 1);
> >> +   _asn1_set_name (p2, temp);
> >> +   /*  p2->type |= CONST_OPTION; */
> >> ++  result = _asn1_node_array_set (&node->numbered_children, n, p2);
> >> ++  if (result != ASN1_SUCCESS)
> >> ++    return result;
> >> ++  p2->parent = node;
> >> +
> >> +   return ASN1_SUCCESS;
> >> + }
> >> +diff --git a/lib/element.h b/lib/element.h
> >> +index 732054e9..b84e3a27 100644
> >> +--- a/lib/element.h
> >> ++++ b/lib/element.h
> >> +@@ -38,4 +38,14 @@ int _asn1_convert_integer (const unsigned char
> *value,
> >> + void _asn1_hierarchical_name (asn1_node_const node, char *name,
> >> +                             int name_size);
> >> +
> >> ++static inline asn1_node_const
> >> ++_asn1_node_array_get (const struct asn1_node_array_st *array, size_t
> position)
> >> ++{
> >> ++  return position < array->size ? array->nodes[position] : NULL;
> >> ++}
> >> ++
> >> ++int
> >> ++_asn1_node_array_set (struct asn1_node_array_st *array, size_t
> position,
> >> ++                    asn1_node node);
> >> ++
> >> + #endif
> >> +diff --git a/lib/int.h b/lib/int.h
> >> +index 4f2d98d1..41b12b0b 100644
> >> +--- a/lib/int.h
> >> ++++ b/lib/int.h
> >> +@@ -31,6 +31,12 @@
> >> +
> >> + # define ASN1_SMALL_VALUE_SIZE 16
> >> +
> >> ++struct asn1_node_array_st
> >> ++{
> >> ++  asn1_node *nodes;
> >> ++  size_t size;
> >> ++};
> >> ++
> >> + /* This structure is also in libtasn1.h, but then contains less
> >> +    fields.  You cannot make any modifications to these first fields
> >> +    without breaking ABI.  */
> >> +@@ -47,6 +53,8 @@ struct asn1_node_st
> >> +   asn1_node left;             /* Pointer to the next list element */
> >> +   /* private fields: */
> >> +   unsigned char small_value[ASN1_SMALL_VALUE_SIZE];   /* For small
> values */
> >> ++  asn1_node parent;           /* Pointer to the parent node */
> >> ++  struct asn1_node_array_st numbered_children; /* Array of unnamed
> child nodes for caching */
> >> +
> >> +   /* values used during decoding/coding */
> >> +   int tmp_ival;
> >> +diff --git a/lib/parser_aux.c b/lib/parser_aux.c
> >> +index 415905a0..4281cc97 100644
> >> +--- a/lib/parser_aux.c
> >> ++++ b/lib/parser_aux.c
> >> +@@ -126,6 +126,7 @@ asn1_find_node (asn1_node_const pointer, const
> char *name)
> >> +   const char *n_start;
> >> +   unsigned int nsize;
> >> +   unsigned int nhash;
> >> ++  const struct asn1_node_array_st *numbered_children;
> >> +
> >> +   if (pointer == NULL)
> >> +     return NULL;
> >> +@@ -209,6 +210,7 @@ asn1_find_node (asn1_node_const pointer, const
> char *name)
> >> +       if (p->down == NULL)
> >> +       return NULL;
> >> +
> >> ++      numbered_children = &p->numbered_children;
> >> +       p = p->down;
> >> +       if (p == NULL)
> >> +       return NULL;
> >> +@@ -222,6 +224,12 @@ asn1_find_node (asn1_node_const pointer, const
> char *name)
> >> +       }
> >> +       else
> >> +       {                       /* no "?LAST" */
> >> ++        if (n[0] == '?' && c_isdigit (n[1]))
> >> ++          {
> >> ++            long position = strtol (n + 1, NULL, 10);
> >> ++            if (position > 0 && position < LONG_MAX)
> >> ++              p = _asn1_node_array_get (numbered_children, position -
> 1);
> >> ++          }
> >> +         while (p)
> >> +           {
> >> +             if (p->name_hash == nhash && !strcmp (p->name, n))
> >> +@@ -509,6 +517,8 @@ _asn1_remove_node (asn1_node node, unsigned int
> flags)
> >> +       if (node->value != node->small_value)
> >> +       free (node->value);
> >> +     }
> >> ++
> >> ++  free (node->numbered_children.nodes);
> >> +   free (node);
> >> + }
> >> +
> >> +diff --git a/lib/structure.c b/lib/structure.c
> >> +index 9c95b9e2..32692ad2 100644
> >> +--- a/lib/structure.c
> >> ++++ b/lib/structure.c
> >> +@@ -31,6 +31,9 @@
> >> + #include <structure.h>
> >> + #include "parser_aux.h"
> >> + #include <gstr.h>
> >> ++#include "c-ctype.h"
> >> ++#include "element.h"
> >> ++#include <limits.h>
> >> +
> >> +
> >> + extern char _asn1_identifierMissing[];
> >> +@@ -391,6 +394,16 @@ asn1_delete_element (asn1_node structure, const
> char *element_name)
> >> +   if (source_node == NULL)
> >> +     return ASN1_ELEMENT_NOT_FOUND;
> >> +
> >> ++  if (source_node->parent
> >> ++      && source_node->name[0] == '?'
> >> ++      && c_isdigit (source_node->name[1]))
> >> ++    {
> >> ++      long position = strtol (source_node->name + 1, NULL, 10);
> >> ++      if (position > 0 && position < LONG_MAX)
> >> ++      _asn1_node_array_set (&source_node->parent->numbered_children,
> >> ++                            position - 1, NULL);
> >> ++    }
> >> ++
> >> +   p2 = source_node->right;
> >> +   p3 = _asn1_find_left (source_node);
> >> +   if (!p3)
> >> +--
> >> +GitLab
> >> diff --git a/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
> b/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
> >> index 5fb8b54c06..d5bc1e408e 100644
> >> --- a/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
> >> +++ b/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
> >> @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM =
> "file://doc/COPYING;md5=d32239bcb673463ab874e80d47fae504 \
> >>
> >>  SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \
> >>             file://dont-depend-on-help2man.patch \
> >> +           file://CVE-2024-12133-0001.patch \
> >> +           file://CVE-2024-12133-0002.patch \
> >>             "
> >>
> >>  DEPENDS = "bison-native"
> >> --
> >> 2.43.0
> >>
> >>
> >>
> >>
> >
> >
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#212453):
> https://lists.openembedded.org/g/openembedded-core/message/212453
> Mute This Topic: https://lists.openembedded.org/mt/111565382/7301997
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> vanusuri@mvista.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

I also found no 'kirkstone' tag in 
https://lists.openembedded.org/g/openembedded-core/message/212059 so I 
sent the patch to 'kirkstone'. I will wait for it to be merged.

Thanks, Vijay and Steve.

//Peng

On 3/8/25 14:14, Vijay Anusuri wrote:
> **
> *CAUTION: This email comes from a non Wind River email account!*
> Do not click links or open attachments unless you recognize the sender 
> and know the content is safe.
> Thanks Steve...!!!
>
> Thanks & Regards,
> Vijay
>
> On Fri, Mar 7, 2025 at 9:34 PM Steve Sakoman via 
> lists.openembedded.org 
> <https://urldefense.com/v3/__http://lists.openembedded.org__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQoFIlOSvg$> 
> <steve=sakoman.com@lists.openembedded.org> wrote:
>
>     On Fri, Mar 7, 2025 at 3:09 AM Vijay Anusuri via
>     lists.openembedded.org
>     <https://urldefense.com/v3/__http://lists.openembedded.org__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQoFIlOSvg$>
>     <vanusuri=mvista.com@lists.openembedded.org>
>     wrote:
>     >
>     > Hi Zhang Peng,
>     >
>     > Updating libtasn1 to 4.20.0 from 4.19.0 will fix the CVE-2024-12133.
>     >
>     > Upgrade patch was already sent and now it is in the master branch .
>     >
>     >
>     https://git.openembedded.org/openembedded-core/commit/?id=3a8633b9f522e0be31c08790a3f2050c6d052d93
>     <https://urldefense.com/v3/__https://git.openembedded.org/openembedded-core/commit/?id=3a8633b9f522e0be31c08790a3f2050c6d052d93__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQooqWZmqw$>
>     >
>     >
>     https://lists.openembedded.org/g/openembedded-core/message/212059
>     <https://urldefense.com/v3/__https://lists.openembedded.org/g/openembedded-core/message/212059__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQrgYj7CFg$>
>     >
>     > Later it will merged to scarthgap and kirkstone branches.
>
>     Looks like you only tagged it for styhead and scarthgap. I'll add it
>     to kirkstone too.
>
>     Steve
>
>
>     > On Fri, Mar 7, 2025 at 4:10 PM Zhang, Peng (Paul) (CN) via
>     lists.openembedded.org
>     <https://urldefense.com/v3/__http://lists.openembedded.org__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQoFIlOSvg$>
>     <peng.zhang1.cn
>     <https://urldefense.com/v3/__http://peng.zhang1.cn__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQrRiB3nFQ$>=windriver.com@lists.openembedded.org>
>     wrote:
>     >>
>     >> From: Zhang Peng <peng.zhang1.cn@windriver.com>
>     >>
>     >> CVE-2024-12133:
>     >> A flaw in libtasn1 causes inefficient handling of specific
>     certificate data.
>     >> When processing a large number of elements in a certificate,
>     libtasn1 takes
>     >> much longer than expected, which can slow down or even crash
>     the system.
>     >> This flaw allows an attacker to send a specially crafted
>     certificate,
>     >> causing a denial of service attack.
>     >>
>     >> Reference:
>     >> [https://nvd.nist.gov/vuln/detail/CVE-2024-12133
>     <https://urldefense.com/v3/__https://nvd.nist.gov/vuln/detail/CVE-2024-12133__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQoM0ZuTRA$>]
>     >>
>     >> Upstream patches:
>     >>
>     [https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a
>     <https://urldefense.com/v3/__https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQruFLlQxQ$>]
>     >>
>     [https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d
>     <https://urldefense.com/v3/__https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQoR8tbYcg$>]
>     >>
>     >> Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
>     >> ---
>     >>  .../gnutls/libtasn1/CVE-2024-12133-0001.patch | 43 ++++
>     >>  .../gnutls/libtasn1/CVE-2024-12133-0002.patch | 235
>     ++++++++++++++++++
>     >>  .../recipes-support/gnutls/libtasn1_4.19.0.bb
>     <https://urldefense.com/v3/__http://libtasn1_4.19.0.bb__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQoRfAGovw$>
>     |   2 +
>     >>  3 files changed, 280 insertions(+)
>     >>  create mode 100644
>     meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
>     >>  create mode 100644
>     meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
>     >>
>     >> diff --git
>     a/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
>     b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
>     >> new file mode 100644
>     >> index 0000000000..d843b6dc92
>     >> --- /dev/null
>     >> +++
>     b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0001.patch
>     >> @@ -0,0 +1,43 @@
>     >> +From 4082ca2220b5ba910b546afddf7780fc4a51f75a Mon Sep 17
>     00:00:00 2001
>     >> +From: Daiki Ueno <ueno@gnu.org>
>     >> +Date: Sat, 19 Oct 2024 02:47:04 +0900
>     >> +Subject: [PATCH] asn1_der_decoding2: optimize _asn1_find_up
>     call with node
>     >> + cache
>     >> +
>     >> +If we are parsing a sequence or set and the current node is a
>     direct
>     >> +child of it, there is no need to traverse the list back to the
>     >> +leftmost one as we have a node cache.
>     >> +
>     >> +Signed-off-by: Daiki Ueno <ueno@gnu.org>
>     >> +Signed-off-by: Simon Josefsson <simon@josefsson.org>
>     >> +
>     >> +CVE: CVE-2024-12133
>     >> +Upstream-Status: Backport
>     [https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a
>     <https://urldefense.com/v3/__https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQruFLlQxQ$>]
>     >> +
>     >> +Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
>     >> +---
>     >> + lib/decoding.c | 9 ++++++++-
>     >> + 1 file changed, 8 insertions(+), 1 deletion(-)
>     >> +
>     >> +diff --git a/lib/decoding.c b/lib/decoding.c
>     >> +index d2f6dea..1e0fcb3 100644
>     >> +--- a/lib/decoding.c
>     >> ++++ b/lib/decoding.c
>     >> +@@ -1570,7 +1570,14 @@ asn1_der_decoding2 (asn1_node *element,
>     const void *ider, int *max_ider_len,
>     >> +           move = UP;
>     >> +       }
>     >> +       if (move == UP)
>     >> +-      p = _asn1_find_up (p);
>     >> ++      {
>     >> ++        /* If we are parsing a sequence or set and p is a direct
>     >> ++           child of it, no need to traverse the list back to
>     the leftmost node. */
>     >> ++        if (tcache.tail == p)
>     >> ++          p = tcache.head;
>     >> ++        else
>     >> ++          p = _asn1_find_up (p);
>     >> ++      }
>     >> +     }
>     >> +
>     >> +   _asn1_delete_not_used (*element);
>     >> +--
>     >> +GitLab
>     >> diff --git
>     a/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
>     b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
>     >> new file mode 100644
>     >> index 0000000000..a3a6af2920
>     >> --- /dev/null
>     >> +++
>     b/meta/recipes-support/gnutls/libtasn1/CVE-2024-12133-0002.patch
>     >> @@ -0,0 +1,235 @@
>     >> +From 869a97aa259dffa2620dabcad84e1c22545ffc3d Mon Sep 17
>     00:00:00 2001
>     >> +From: Daiki Ueno <ueno@gnu.org>
>     >> +Date: Fri, 8 Nov 2024 16:05:32 +0900
>     >> +Subject: [PATCH] asn1_find_node: optimize "?NUMBER" node
>     lookup with indexing
>     >> +
>     >> +To avoid linear search of named nodes, this adds a array of child
>     >> +nodes to their parent nodes as a cache.
>     >> +
>     >> +Signed-off-by: Daiki Ueno <ueno@gnu.org>
>     >> +Signed-off-by: Simon Josefsson <simon@josefsson.org>
>     >> +
>     >> +CVE: CVE-2024-12133
>     >> +Upstream-Status: Backport
>     [https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d
>     <https://urldefense.com/v3/__https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQoR8tbYcg$>]
>     >> +
>     >> +Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
>     >> +---
>     >> + lib/element.c    | 56
>     ++++++++++++++++++++++++++++++++++++++++++------
>     >> + lib/element.h    | 10 +++++++++
>     >> + lib/int.h        |  8 +++++++
>     >> + lib/parser_aux.c | 10 +++++++++
>     >> + lib/structure.c  | 13 +++++++++++
>     >> + 5 files changed, 90 insertions(+), 7 deletions(-)
>     >> +
>     >> +diff --git a/lib/element.c b/lib/element.c
>     >> +index 850bef4a..528df418 100644
>     >> +--- a/lib/element.c
>     >> ++++ b/lib/element.c
>     >> +@@ -33,6 +33,8 @@
>     >> + #include "structure.h"
>     >> + #include "c-ctype.h"
>     >> + #include "element.h"
>     >> ++#include <limits.h>
>     >> ++#include "intprops.h"
>     >> +
>     >> + void
>     >> + _asn1_hierarchical_name (asn1_node_const node, char *name,
>     int name_size)
>     >> +@@ -129,6 +131,41 @@ _asn1_convert_integer (const unsigned
>     char *value, unsigned char *value_out,
>     >> +   return ASN1_SUCCESS;
>     >> + }
>     >> +
>     >> ++int
>     >> ++_asn1_node_array_set (struct asn1_node_array_st *array,
>     size_t position,
>     >> ++                    asn1_node node)
>     >> ++{
>     >> ++  if (position >= array->size)
>     >> ++    {
>     >> ++      size_t new_size = position, i;
>     >> ++      asn1_node *new_nodes;
>     >> ++
>     >> ++      if (INT_MULTIPLY_OVERFLOW (new_size, 2))
>     >> ++      return ASN1_GENERIC_ERROR;
>     >> ++      new_size *= 2;
>     >> ++
>     >> ++      if (INT_ADD_OVERFLOW (new_size, 1))
>     >> ++      return ASN1_GENERIC_ERROR;
>     >> ++      new_size += 1;
>     >> ++
>     >> ++      if (INT_MULTIPLY_OVERFLOW (new_size, sizeof (*new_nodes)))
>     >> ++      return ASN1_GENERIC_ERROR;
>     >> ++
>     >> ++      new_nodes = realloc (array->nodes, new_size * sizeof
>     (*new_nodes));
>     >> ++      if (!new_nodes)
>     >> ++      return ASN1_MEM_ALLOC_ERROR;
>     >> ++
>     >> ++      for (i = array->size; i < new_size; i++)
>     >> ++      new_nodes[i] = NULL;
>     >> ++
>     >> ++      array->nodes = new_nodes;
>     >> ++      array->size = new_size;
>     >> ++    }
>     >> ++
>     >> ++  array->nodes[position] = node;
>     >> ++  return ASN1_SUCCESS;
>     >> ++}
>     >> ++
>     >> + /* Appends a new element into the sequence (or set) defined
>     by this
>     >> +  * node. The new element will have a name of '?number', where
>     number
>     >> +  * is a monotonically increased serial number.
>     >> +@@ -145,6 +182,7 @@ _asn1_append_sequence_set (asn1_node node,
>     struct node_tail_cache_st *pcache)
>     >> +   asn1_node p, p2;
>     >> +   char temp[LTOSTR_MAX_SIZE + 1];
>     >> +   long n;
>     >> ++  int result;
>     >> +
>     >> +   if (!node || !(node->down))
>     >> +     return ASN1_GENERIC_ERROR;
>     >> +@@ -177,17 +215,21 @@ _asn1_append_sequence_set (asn1_node
>     node, struct node_tail_cache_st *pcache)
>     >> +       pcache->tail = p2;
>     >> +     }
>     >> +
>     >> +-  if (p->name[0] == 0)
>     >> +-    _asn1_str_cpy (temp, sizeof (temp), "?1");
>     >> +-  else
>     >> ++  n = 0;
>     >> ++  if (p->name[0] != 0)
>     >> +     {
>     >> +-      n = strtol (p->name + 1, NULL, 0);
>     >> +-      n++;
>     >> +-      temp[0] = '?';
>     >> +-      _asn1_ltostr (n, temp + 1);
>     >> ++      n = strtol (p->name + 1, NULL, 10);
>     >> ++      if (n <= 0 || n >= LONG_MAX - 1)
>     >> ++      return ASN1_GENERIC_ERROR;
>     >> +     }
>     >> ++  temp[0] = '?';
>     >> ++  _asn1_ltostr (n + 1, temp + 1);
>     >> +   _asn1_set_name (p2, temp);
>     >> +   /*  p2->type |= CONST_OPTION; */
>     >> ++  result = _asn1_node_array_set (&node->numbered_children, n,
>     p2);
>     >> ++  if (result != ASN1_SUCCESS)
>     >> ++    return result;
>     >> ++  p2->parent = node;
>     >> +
>     >> +   return ASN1_SUCCESS;
>     >> + }
>     >> +diff --git a/lib/element.h b/lib/element.h
>     >> +index 732054e9..b84e3a27 100644
>     >> +--- a/lib/element.h
>     >> ++++ b/lib/element.h
>     >> +@@ -38,4 +38,14 @@ int _asn1_convert_integer (const unsigned
>     char *value,
>     >> + void _asn1_hierarchical_name (asn1_node_const node, char *name,
>     >> +                             int name_size);
>     >> +
>     >> ++static inline asn1_node_const
>     >> ++_asn1_node_array_get (const struct asn1_node_array_st *array,
>     size_t position)
>     >> ++{
>     >> ++  return position < array->size ? array->nodes[position] : NULL;
>     >> ++}
>     >> ++
>     >> ++int
>     >> ++_asn1_node_array_set (struct asn1_node_array_st *array,
>     size_t position,
>     >> ++                    asn1_node node);
>     >> ++
>     >> + #endif
>     >> +diff --git a/lib/int.h b/lib/int.h
>     >> +index 4f2d98d1..41b12b0b 100644
>     >> +--- a/lib/int.h
>     >> ++++ b/lib/int.h
>     >> +@@ -31,6 +31,12 @@
>     >> +
>     >> + # define ASN1_SMALL_VALUE_SIZE 16
>     >> +
>     >> ++struct asn1_node_array_st
>     >> ++{
>     >> ++  asn1_node *nodes;
>     >> ++  size_t size;
>     >> ++};
>     >> ++
>     >> + /* This structure is also in libtasn1.h, but then contains less
>     >> +    fields.  You cannot make any modifications to these first
>     fields
>     >> +    without breaking ABI.  */
>     >> +@@ -47,6 +53,8 @@ struct asn1_node_st
>     >> +   asn1_node left;             /* Pointer to the next list
>     element */
>     >> +   /* private fields: */
>     >> +   unsigned char small_value[ASN1_SMALL_VALUE_SIZE];   /* For
>     small values */
>     >> ++  asn1_node parent;           /* Pointer to the parent node */
>     >> ++  struct asn1_node_array_st numbered_children; /* Array of
>     unnamed child nodes for caching */
>     >> +
>     >> +   /* values used during decoding/coding */
>     >> +   int tmp_ival;
>     >> +diff --git a/lib/parser_aux.c b/lib/parser_aux.c
>     >> +index 415905a0..4281cc97 100644
>     >> +--- a/lib/parser_aux.c
>     >> ++++ b/lib/parser_aux.c
>     >> +@@ -126,6 +126,7 @@ asn1_find_node (asn1_node_const pointer,
>     const char *name)
>     >> +   const char *n_start;
>     >> +   unsigned int nsize;
>     >> +   unsigned int nhash;
>     >> ++  const struct asn1_node_array_st *numbered_children;
>     >> +
>     >> +   if (pointer == NULL)
>     >> +     return NULL;
>     >> +@@ -209,6 +210,7 @@ asn1_find_node (asn1_node_const pointer,
>     const char *name)
>     >> +       if (p->down == NULL)
>     >> +       return NULL;
>     >> +
>     >> ++      numbered_children = &p->numbered_children;
>     >> +       p = p->down;
>     >> +       if (p == NULL)
>     >> +       return NULL;
>     >> +@@ -222,6 +224,12 @@ asn1_find_node (asn1_node_const pointer,
>     const char *name)
>     >> +       }
>     >> +       else
>     >> +       {                       /* no "?LAST" */
>     >> ++        if (n[0] == '?' && c_isdigit (n[1]))
>     >> ++          {
>     >> ++            long position = strtol (n + 1, NULL, 10);
>     >> ++            if (position > 0 && position < LONG_MAX)
>     >> ++              p = _asn1_node_array_get (numbered_children,
>     position - 1);
>     >> ++          }
>     >> +         while (p)
>     >> +           {
>     >> +             if (p->name_hash == nhash && !strcmp (p->name, n))
>     >> +@@ -509,6 +517,8 @@ _asn1_remove_node (asn1_node node,
>     unsigned int flags)
>     >> +       if (node->value != node->small_value)
>     >> +       free (node->value);
>     >> +     }
>     >> ++
>     >> ++  free (node->numbered_children.nodes);
>     >> +   free (node);
>     >> + }
>     >> +
>     >> +diff --git a/lib/structure.c b/lib/structure.c
>     >> +index 9c95b9e2..32692ad2 100644
>     >> +--- a/lib/structure.c
>     >> ++++ b/lib/structure.c
>     >> +@@ -31,6 +31,9 @@
>     >> + #include <structure.h>
>     >> + #include "parser_aux.h"
>     >> + #include <gstr.h>
>     >> ++#include "c-ctype.h"
>     >> ++#include "element.h"
>     >> ++#include <limits.h>
>     >> +
>     >> +
>     >> + extern char _asn1_identifierMissing[];
>     >> +@@ -391,6 +394,16 @@ asn1_delete_element (asn1_node structure,
>     const char *element_name)
>     >> +   if (source_node == NULL)
>     >> +     return ASN1_ELEMENT_NOT_FOUND;
>     >> +
>     >> ++  if (source_node->parent
>     >> ++      && source_node->name[0] == '?'
>     >> ++      && c_isdigit (source_node->name[1]))
>     >> ++    {
>     >> ++      long position = strtol (source_node->name + 1, NULL, 10);
>     >> ++      if (position > 0 && position < LONG_MAX)
>     >> ++      _asn1_node_array_set
>     (&source_node->parent->numbered_children,
>     >> ++                            position - 1, NULL);
>     >> ++    }
>     >> ++
>     >> +   p2 = source_node->right;
>     >> +   p3 = _asn1_find_left (source_node);
>     >> +   if (!p3)
>     >> +--
>     >> +GitLab
>     >> diff --git a/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
>     <https://urldefense.com/v3/__http://libtasn1_4.19.0.bb__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQoRfAGovw$>
>     b/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
>     <https://urldefense.com/v3/__http://libtasn1_4.19.0.bb__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQoRfAGovw$>
>     >> index 5fb8b54c06..d5bc1e408e 100644
>     >> --- a/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
>     <https://urldefense.com/v3/__http://libtasn1_4.19.0.bb__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQoRfAGovw$>
>     >> +++ b/meta/recipes-support/gnutls/libtasn1_4.19.0.bb
>     <https://urldefense.com/v3/__http://libtasn1_4.19.0.bb__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQoRfAGovw$>
>     >> @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM =
>     "file://doc/COPYING;md5=d32239bcb673463ab874e80d47fae504 \
>     >>
>     >>  SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \
>     >> file://dont-depend-on-help2man.patch \
>     >> + file://CVE-2024-12133-0001.patch \
>     >> + file://CVE-2024-12133-0002.patch \
>     >>             "
>     >>
>     >>  DEPENDS = "bison-native"
>     >> --
>     >> 2.43.0
>     >>
>     >>
>     >>
>     >>
>     >
>     >
>     >
>
>     -=-=-=-=-=-=-=-=-=-=-=-
>     Links: You receive all messages sent to this group.
>     View/Reply Online (#212453):
>     https://lists.openembedded.org/g/openembedded-core/message/212453
>     <https://urldefense.com/v3/__https://lists.openembedded.org/g/openembedded-core/message/212453__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQpbPFwCsQ$>
>     Mute This Topic:
>     https://lists.openembedded.org/mt/111565382/7301997
>     <https://urldefense.com/v3/__https://lists.openembedded.org/mt/111565382/7301997__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQodEvG9qA$>
>     Group Owner: openembedded-core+owner@lists.openembedded.org
>     <mailto:openembedded-core%2Bowner@lists.openembedded.org>
>     Unsubscribe:
>     https://lists.openembedded.org/g/openembedded-core/unsub
>     <https://urldefense.com/v3/__https://lists.openembedded.org/g/openembedded-core/unsub__;!!AjveYdw8EvQ!ZzeGfovm8rs91bVBHZwR-XwklfF6fRu6K5HcoURbiTyBtatBZuH8GMStodprk96FL67rtPM63XColx8VOQrW4QaMAw$>
>     [vanusuri@mvista.com]
>     -=-=-=-=-=-=-=-=-=-=-=-
>