From patchwork Thu Apr 2 05:21:19 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yoann Congal X-Patchwork-Id: 85107 X-Patchwork-Delegate: yoann.congal@smile.fr Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 83BE5CC6B03 for ; Thu, 2 Apr 2026 05:22:14 +0000 (UTC) Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.9312.1775107332634062344 for ; Wed, 01 Apr 2026 22:22:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@smile.fr header.s=google header.b=fUbK+kiy; spf=pass (domain: smile.fr, ip: 209.85.128.46, mailfrom: yoann.congal@smile.fr) Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-486fb439299so3552475e9.0 for ; Wed, 01 Apr 2026 22:22:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile.fr; s=google; t=1775107331; x=1775712131; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=8s6+gP7b5q/FKVNjS85i6cEeSGyRAjLPkClSnk7e8FE=; b=fUbK+kiyyTiPAKS93/6EAo9VjCiP6XLlKw/5HD7pfHl/IJvqv6QVfw8KYC8JXoZuoG e39bLatRzWKFCiwFbyb2/j3bntK+ohdPAPZgOizuvGgHDal+c419UEKKfxESrYcew7SZ aatDU2lcjlzCJjwIKif1viUPAgZU0OXF2XXw0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775107331; x=1775712131; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=8s6+gP7b5q/FKVNjS85i6cEeSGyRAjLPkClSnk7e8FE=; b=Zuji+qbJHx1v8DYXPB/H9AJmVKOzbYG+PIxewecOdsNB3kRYqoZUl+1RtAawr1ELCT tMZxNrTGzJFOcOzHfINW+re5WFxkzI2ZaKNDVPBvdaac/jQiy1lINqb6vUvLn/J2qLmc gKFzLik1TMjoSG3HHknxxfcpf2Qam4/3UFldcsRWLfk2cHzzkSkxKt1aXobhQVxNHOkH gfM73Ixwy2kJYGH0m7oxATYy+jRMnv//29JaBZcTzsn92QA8wYv7Wj1U8uLL5MSmT1VH cBbEJ+zJhlKtxF0cB3uC/h8yKAJ7zxqbO5aCAj3IYF4k4MJe7Rau042TAdjQSdaFyt0d fHlA== X-Gm-Message-State: AOJu0YwDiu3nKbHbKhf96YIV00Twh81nxwjU7SRjmAkbfKSSek/h5Jmh EQJ29AHbPXuECbRnY96ztVxMKVy2NDw0tA1isFqBCNGbFtQ5/T4zI8kCmfXMNg5u5tvDEOSOzh9 JFoOF3No= X-Gm-Gg: ATEYQzzY/gpE9JBAWP+uiAGxltPsK9j4o+Z6l2BA+GwLDLdVuVS/1sjYEsav19rO98i U7WK2Tbeo+PmZTgEEuW52aWREjLnvIT3Fs09hqkWSq4L/XN8RgmbVyg6+Ix7pnZAnxq/WYyI0YQ QUvqv8Kc2Gt08HEmBxarFyiqrNoV21qALZE2i6Ik9mKAUjmJsi3FK+tVp1gROSH3UwBcDo3CBRG 4SW/fwiX1wxveeLDgZ/2sYwECQ8mv65loOKnKS9U+FBQ4R/6jVFmSMTDvxKwnBVU+BTzOWHVPqz qOTIyWoLuOww3/n5UNro3gbODB52k++x31S6tN5H59GbFzCSKcKFraaIq5VJx03Rt8yUCCbzpcH NEUEJXn1f8FlrpojSHnz7OxbxOiU2attCiQz2kAKZBrXCIF0hCCv6BkSHzg2lATnY1+0cQe/tk9 It23+V9F1FWSqg0+0kZxV1f/P2ycLeDAAMivFeKGNbP2OyRjqQIQWlMfG6u3NcjFTRaOopYrJs9 0Bck/QcSWj3k6KlJg2FMxwk7A8= X-Received: by 2002:a05:600c:34c1:b0:486:fbe1:2499 with SMTP id 5b1f17b1804b1-4888359dc6bmr93902435e9.22.1775107330645; Wed, 01 Apr 2026 22:22:10 -0700 (PDT) Received: from FRSMI25-LASER.home (2a01cb001331aa00a2e4fb7b0d887544.ipv6.abo.wanadoo.fr. [2a01:cb00:1331:aa00:a2e4:fb7b:d88:7544]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4887e829c43sm151111865e9.5.2026.04.01.22.22.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 01 Apr 2026 22:22:10 -0700 (PDT) From: Yoann Congal To: openembedded-core@lists.openembedded.org Subject: [OE-core][whinlatter 02/15] python3-pyopenssl: Fix CVE-2026-27459 Date: Thu, 2 Apr 2026 07:21:19 +0200 Message-ID: <699805e7ddaab18f1eb45b46425734159a353fef.1775106968.git.yoann.congal@smile.fr> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Apr 2026 05:22:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234474 From: Vijay Anusuri Pick patch mentioned in NVD [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27459 [2] https://ubuntu.com/security/CVE-2026-27459 Signed-off-by: Vijay Anusuri Signed-off-by: Yoann Congal --- .../python3-pyopenssl/CVE-2026-27459.patch | 109 ++++++++++++++++++ .../python/python3-pyopenssl_25.1.0.bb | 1 + 2 files changed, 110 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch new file mode 100644 index 00000000000..b35525c3762 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch @@ -0,0 +1,109 @@ +From 57f09bb4bb051d3bc2a1abd36e9525313d5cd408 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Wed, 18 Feb 2026 07:46:15 -0500 +Subject: [PATCH] Fix buffer overflow in DTLS cookie generation callback + (#1479) + +The cookie generate callback copied user-returned bytes into a +fixed-size native buffer without enforcing a maximum length. A +callback returning more than DTLS1_COOKIE_LENGTH bytes would overflow +the OpenSSL-provided buffer, corrupting adjacent memory. + +Co-authored-by: Claude Opus 4.6 + +Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408] +CVE: CVE-2026-27459 +Signed-off-by: Vijay Anusuri +--- + CHANGELOG.rst | 1 + + src/OpenSSL/SSL.py | 7 +++++++ + tests/test_ssl.py | 38 ++++++++++++++++++++++++++++++++++++++ + 3 files changed, 46 insertions(+) + +diff --git a/CHANGELOG.rst b/CHANGELOG.rst +index 5d953c9..de8b14a 100644 +--- a/CHANGELOG.rst ++++ b/CHANGELOG.rst +@@ -35,6 +35,7 @@ Deprecations: + Changes: + ^^^^^^^^ + ++- Properly raise an error if a DTLS cookie callback returned a cookie longer than ``DTLS1_COOKIE_LENGTH`` bytes. Previously this would result in a buffer-overflow. + - Corrected type annotations on ``Context.set_alpn_select_callback``, ``Context.set_session_cache_mode``, ``Context.set_options``, ``Context.set_mode``, ``X509.subject_name_hash``, and ``X509Store.load_locations``. + - Deprecated APIs are now marked using ``warnings.deprecated``. ``mypy`` will emit deprecation notices for them when used with ``--enable-error-code deprecated``. + - ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded. +diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py +index 178961f..6c7d6a2 100644 +--- a/src/OpenSSL/SSL.py ++++ b/src/OpenSSL/SSL.py +@@ -716,11 +716,18 @@ class _CookieGenerateCallbackHelper(_CallbackExceptionHelper): + def __init__(self, callback: _CookieGenerateCallback) -> None: + _CallbackExceptionHelper.__init__(self) + ++ max_cookie_len = getattr(_lib, "DTLS1_COOKIE_LENGTH", 255) ++ + @wraps(callback) + def wrapper(ssl, out, outlen): # type: ignore[no-untyped-def] + try: + conn = Connection._reverse_mapping[ssl] + cookie = callback(conn) ++ if len(cookie) > max_cookie_len: ++ raise ValueError( ++ f"Cookie too long (got {len(cookie)} bytes, " ++ f"max {max_cookie_len})" ++ ) + out[0 : len(cookie)] = cookie + outlen[0] = len(cookie) + return 1 +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index 9a5b19b..7dd3af8 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -4720,6 +4720,44 @@ class TestDTLS: + def test_it_works_with_srtp(self) -> None: + self._test_handshake_and_data(srtp_profile=b"SRTP_AES128_CM_SHA1_80") + ++ def test_cookie_generate_too_long(self) -> None: ++ s_ctx = Context(DTLS_METHOD) ++ ++ def generate_cookie(ssl: Connection) -> bytes: ++ return b"\x00" * 256 ++ ++ def verify_cookie(ssl: Connection, cookie: bytes) -> bool: ++ return True ++ ++ s_ctx.set_cookie_generate_callback(generate_cookie) ++ s_ctx.set_cookie_verify_callback(verify_cookie) ++ s_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) ++ s_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) ++ s_ctx.set_options(OP_NO_QUERY_MTU) ++ s = Connection(s_ctx) ++ s.set_accept_state() ++ ++ c_ctx = Context(DTLS_METHOD) ++ c_ctx.set_options(OP_NO_QUERY_MTU) ++ c = Connection(c_ctx) ++ c.set_connect_state() ++ ++ c.set_ciphertext_mtu(1500) ++ s.set_ciphertext_mtu(1500) ++ ++ # Client sends ClientHello ++ try: ++ c.do_handshake() ++ except SSL.WantReadError: ++ pass ++ chunk = c.bio_read(self.LARGE_BUFFER) ++ s.bio_write(chunk) ++ ++ # Server tries DTLSv1_listen, which triggers cookie generation. ++ # The oversized cookie should raise ValueError. ++ with pytest.raises(ValueError, match="Cookie too long"): ++ s.DTLSv1_listen() ++ + def test_timeout(self, monkeypatch: pytest.MonkeyPatch) -> None: + c_ctx = Context(DTLS_METHOD) + c = Connection(c_ctx) +-- +2.43.0 + diff --git a/meta/recipes-devtools/python/python3-pyopenssl_25.1.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_25.1.0.bb index 25263629a4c..08c821c415a 100644 --- a/meta/recipes-devtools/python/python3-pyopenssl_25.1.0.bb +++ b/meta/recipes-devtools/python/python3-pyopenssl_25.1.0.bb @@ -11,6 +11,7 @@ inherit pypi setuptools3 SRC_URI += " \ file://CVE-2026-27448.patch \ + file://CVE-2026-27459.patch \ " PACKAGES =+ "${PN}-tests"