| Message ID | 20250727152658.3852964-4-peter.marko@siemens.com |
|---|---|
| State | New |
| Headers | show |
| Series | [scarthgap,1/6] gnutls: patch CVE-2025-32989 | expand |
Thank you for your submission. Patchtest identified one or more issues with the patch. Please see the log below for more information: --- Testing patch /home/patchtest/share/mboxes/scarthgap-4-6-gnutls-patch-CVE-2025-32988.patch FAIL: test CVE tag format: Missing or incorrectly formatted CVE tag in patch file. Correct or include the CVE tag in the patch with format: "CVE: CVE-YYYY-XXXX" (test_patch.TestPatch.test_cve_tag_format) PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files) PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore) PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence) PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence) PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format) PASS: test author valid (test_mbox.TestMbox.test_author_valid) PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence) PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags) PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned) PASS: test max line length (test_metadata.TestMetadata.test_max_line_length) PASS: test mbox format (test_mbox.TestMbox.test_mbox_format) PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade) PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format) PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length) PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files) PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list) SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint) SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format) SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence) SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence) SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint) SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head) SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence) --- Please address the issues identified and submit a new revision of the patch, or alternatively, reply to this email with an explanation of why the patch should be accepted. If you believe these results are due to an error in patchtest, please submit a bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category under 'Yocto Project Subprojects'). For more information on specific failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank you!
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch new file mode 100644 index 0000000000..97839db269 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch @@ -0,0 +1,58 @@ +From 608829769cbc247679ffe98841109fc73875e573 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno <ueno@gnu.org> +Date: Mon, 7 Jul 2025 10:44:12 +0900 +Subject: [PATCH] x509: avoid double free when exporting othernames in SAN + +Previously, the _gnutls_write_new_othername function, called by +gnutls_x509_ext_export_subject_alt_names to export "otherName" in a +certificate's SAN extension, freed the caller allocated ASN.1 +structure upon error, resulting in a potential double-free. + +Reported by OpenAI Security Research Team. + +Signed-off-by: Daiki Ueno <ueno@gnu.org> + +CVE:CVE-2025-32988 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/608829769cbc247679ffe98841109fc73875e573] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + NEWS | 5 +++++ + lib/x509/extensions.c | 2 -- + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/NEWS b/NEWS +index 025e05148..ff289fa75 100644 +--- a/NEWS ++++ b/NEWS +@@ -10,6 +10,11 @@ See the end for copying conditions. + and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1, + CVSS: medium] [CVE-2025-32989] + ++** libgnutls: Fix double-free upon error when exporting otherName in SAN ++ Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2, ++ CVSS: low] [CVE-2025-32988] ++ ++ + * Version 3.8.4 (released 2024-03-18) + + ** libgnutls: RSA-OAEP encryption scheme is now supported +diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c +index 6c2da8fd1..e8be12eaf 100644 +--- a/lib/x509/extensions.c ++++ b/lib/x509/extensions.c +@@ -754,7 +754,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name, + result = asn1_write_value(ext, name2, oid, 1); + if (result != ASN1_SUCCESS) { + gnutls_assert(); +- asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + +@@ -763,7 +762,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name, + result = asn1_write_value(ext, name2, data, data_size); + if (result != ASN1_SUCCESS) { + gnutls_assert(); +- asn1_delete_structure(&ext); + return _gnutls_asn2err(result); + } + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index 2a73a1e3d8..9644f3c50e 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb @@ -30,6 +30,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://5477db1bb507a35e8833c758ce344f4b5b246d8e \ file://0001-x509-reject-zero-length-version-in-certificate-reque.patch \ file://3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 \ + file://CVE-2025-32988.patch \ " SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"