From patchwork Wed May 20 08:13:57 2026
X-Patchwork-Submitter: Hugo Simeliere
X-Patchwork-Id: 88481
From: hsimeliere.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: "Hugo SIMELIERE (Schneider Electric)", Bruno VERNAY
Subject: [OE-core][scarthgap][PATCH 1/7] gnutls: Fix CVE-2026-33846
Date: Wed, 20 May 2026 10:13:57 +0200
Message-ID: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237392

From: "Hugo SIMELIERE (Schneider Electric)"

Pick patch from [1] as mentioned in Debian report in [2].
Pick pre-patch [3] to minimize conflicts.

[1] https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78
[2] https://security-tracker.debian.org/tracker/CVE-2026-33846
[3] https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0
Signed-off-by: Hugo SIMELIERE (Schneider Electric) Reviewed-by: Bruno VERNAY --- .../gnutls/gnutls/CVE-2026-33846-pre.patch | 97 +++++++++++++++++++ .../gnutls/gnutls/CVE-2026-33846.patch | 67 +++++++++++++ meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 + 3 files changed, 166 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch new file mode 100644 index 0000000000..71266cb338 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch 
@@ -0,0 +1,97 @@ +From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Fri, 17 Apr 2026 17:49:31 +0200 +Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using recv_buf + +I had vague concerns about thread-safety of this, +but then this pattern already exists within the file. + +CVE: CVE-2026-33846 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0] + +Signed-off-by: Alexander Sosedkin +(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + lib/buffers.c | 52 +++++++++++++++++---------------------------------- + 1 file changed, 17 insertions(+), 35 deletions(-) + +diff --git a/lib/buffers.c b/lib/buffers.c +index 672380b05..d54c77022 100644 +--- a/lib/buffers.c ++++ b/lib/buffers.c +@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t session, + int exists = 0, i, pos = 0; + int ret; + ++ handshake_buffer_st *recv_buf = ++ session->internals.handshake_recv_buffer; ++ + for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) { +- if (session->internals.handshake_recv_buffer[i].htype == +- hsk->htype) { ++ if (recv_buf[i].htype == hsk->htype) { + exists = 1; + pos = i; + break; +@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t session, + _gnutls_write_uint24(0, &hsk->header[6]); + _gnutls_write_uint24(hsk->length, &hsk->header[9]); + +- _gnutls_handshake_buffer_move( +- &session->internals.handshake_recv_buffer[pos], hsk); ++ _gnutls_handshake_buffer_move(&recv_buf[pos], hsk); + + } else { +- if (hsk->start_offset < +- session->internals.handshake_recv_buffer[pos] +- .start_offset && +- hsk->end_offset + 1 >= +- session->internals.handshake_recv_buffer[pos] +- .start_offset) { +- memcpy(&session->internals.handshake_recv_buffer[pos] +- .data.data[hsk->start_offset], ++ if (hsk->start_offset < recv_buf[pos].start_offset 
&& ++ hsk->end_offset + 1 >= recv_buf[pos].start_offset) { ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset], + hsk->data.data, hsk->data.length); +- session->internals.handshake_recv_buffer[pos] +- .start_offset = hsk->start_offset; +- session->internals.handshake_recv_buffer[pos] +- .end_offset = MIN( +- hsk->end_offset, +- session->internals.handshake_recv_buffer[pos] +- .end_offset); +- } else if (hsk->end_offset > +- session->internals.handshake_recv_buffer[pos] +- .end_offset && +- hsk->start_offset <= +- session->internals.handshake_recv_buffer[pos] +- .end_offset + +- 1) { +- memcpy(&session->internals.handshake_recv_buffer[pos] +- .data.data[hsk->start_offset], ++ recv_buf[pos].start_offset = hsk->start_offset; ++ recv_buf[pos].end_offset = ++ MIN(hsk->end_offset, recv_buf[pos].end_offset); ++ } else if (hsk->end_offset > recv_buf[pos].end_offset && ++ hsk->start_offset <= recv_buf[pos].end_offset + 1) { ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset], + hsk->data.data, hsk->data.length); + +- session->internals.handshake_recv_buffer[pos] +- .end_offset = hsk->end_offset; +- session->internals.handshake_recv_buffer[pos] +- .start_offset = MIN( +- hsk->start_offset, +- session->internals.handshake_recv_buffer[pos] +- .start_offset); ++ recv_buf[pos].end_offset = hsk->end_offset; ++ recv_buf[pos].start_offset = MIN( ++ hsk->start_offset, recv_buf[pos].start_offset); + } + _gnutls_handshake_buffer_clear(hsk); + } +-- +2.43.0 + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch new file mode 100644 index 0000000000..e7d5cc6c2b --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch 
@@ -0,0 +1,67 @@ +From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Fri, 17 Apr 2026 18:21:36 +0200 +Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly + +Previously, gnutls didn't check that DTLS fragments claimed +a consistent message_length value. +Additionally, a crucial array size check was missing, +enabling an attacker to cause a heap overwrite. +The updated version rejects fragments with mismatching length +and adds a missing boundary check. + +Reported-by: Haruto Kimura (Stella) +Reported-by: Oscar Reparaz +Reported-by: Zou Dikai +Fixes: #1816 +Fixes: #1838 +Fixes: #1839 +Fixes: CVE-2026-33846 +Fixes: GNUTLS-SA-2026-04-29-1 +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + +CVE: CVE-2026-33846 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78] + +Signed-off-by: Alexander Sosedkin +(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + lib/buffers.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/lib/buffers.c b/lib/buffers.c +index d54c77022..5d4d16276 100644 +--- a/lib/buffers.c ++++ b/lib/buffers.c +@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t session, + _gnutls_handshake_buffer_move(&recv_buf[pos], hsk); + + } else { ++ if (hsk->length != recv_buf[pos].length) { ++ /* inconsistent across fragments */ ++ _gnutls_handshake_buffer_clear(hsk); ++ return gnutls_assert_val( ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH); ++ } ++ /* start_offset + data.length <= hsk->length <= max_length */ ++ if (hsk->length < hsk->start_offset + hsk->data.length) { ++ /* impossible claims, overflow requested */ ++ _gnutls_handshake_buffer_clear(hsk); ++ return gnutls_assert_val( ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH); ++ } ++ if (hsk->length > 
recv_buf[pos].data.max_length) { ++ /* we don't have this much allocated, overflow guard */ ++ _gnutls_handshake_buffer_clear(hsk); ++ return gnutls_assert_val( ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH); ++ } ++ + if (hsk->start_offset < recv_buf[pos].start_offset && + hsk->end_offset + 1 >= recv_buf[pos].start_offset) { + memcpy(&recv_buf[pos].data.data[hsk->start_offset], +-- +2.43.0 + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index ccb6a2b4b2..e40a654a8e 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb 
@@ -43,6 +43,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2025-14831-7.patch \ file://CVE-2025-14831-8.patch \ file://CVE-2025-14831-9.patch \ + file://CVE-2026-33846-pre.patch \ + file://CVE-2026-33846.patch \ " SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
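Review bot: the CVE-2026-33846-pre.patch hunks are a mechanical substitution of the `recv_buf` alias for `session->internals.handshake_recv_buffer` with no logic change, which is fine as a conflict reducer, but the patch header tags it `CVE: CVE-2026-33846` like the real fix, and the OE commit message only says "to minimize conflicts"; a sentence in the patch header saying it is a refactor-only prerequisite would tell the next reader (and anyone auditing what the CVE tag covers) that the guards live in CVE-2026-33846.patch, not here.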
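Review bot: in the CVE-2026-33846.patch hunk, the three new guards in the `} else {` branch of merge_handshake_packet each clear `hsk` and return GNUTLS_E_UNEXPECTED_PACKET_LENGTH, matching the existing error path, but the comment `/* start_offset + data.length <= hsk->length <= max_length */` states the combined invariant while the third check compares `hsk->length` against `recv_buf[pos].data.max_length`, the buffer the `memcpy(&recv_buf[pos].data.data[hsk->start_offset], ...)` below writes into, not `hsk->data.max_length`; naming the buffer in that comment would stop a later reader from "correcting" it to the wrong field. The diffstat also shows only `lib/buffers.c | 20 ++++++++++++++++++++`, so no regression test for the mismatched-length or oversized-fragment cases travels with the backport; if the upstream commit carries one it would be worth picking, otherwise say in the commit message why it was left out.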
From patchwork Wed May 20 08:13:58 2026
X-Patchwork-Submitter: Hugo Simeliere
X-Patchwork-Id: 88483
From: hsimeliere.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: "Hugo SIMELIERE (Schneider Electric)", Bruno VERNAY
Subject: [OE-core][scarthgap][PATCH 2/7] gnutls: Fix CVE-2026-33845
Date: Wed, 20 May 2026 10:13:58 +0200
Message-ID: <20260520081403.3052797-2-hsimeliere.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com>
References: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237394

From: "Hugo SIMELIERE (Schneider Electric)"

Pick patch from [1] as mentioned in Debian report in [2].
Pick pre-patch [3] to minimize conflicts.

[1] https://gitlab.com/gnutls/gnutls/-/commit/e5b72c53c7d789d19d1d1cd10b275e87d0415413
[2] https://security-tracker.debian.org/tracker/CVE-2026-33845
[3] https://gitlab.com/gnutls/gnutls/-/commit/bd70e112d4d1f063223f0f0886aaaf33699390d0
Signed-off-by: Hugo SIMELIERE (Schneider Electric) Reviewed-by: Bruno VERNAY --- .../gnutls/gnutls/CVE-2026-33845-pre.patch | 97 ++++++++++ .../gnutls/gnutls/CVE-2026-33845.patch | 172 ++++++++++++++++++ meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 + 3 files changed, 271 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33845-pre.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33845.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33845-pre.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33845-pre.patch new file mode 100644 index 0000000000..0eaccd5ba9 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33845-pre.patch 
@@ -0,0 +1,97 @@ +From f2f852f604d73f890f977bab9792fbc4c20adbcd Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Wed, 22 Apr 2026 14:19:57 +0200 +Subject: [PATCH 1/2] buffers: rename a variable in parse_handshake_header + +CVE: CVE-2026-33845 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/bd70e112d4d1f063223f0f0886aaaf33699390d0] + +Signed-off-by: Alexander Sosedkin +(cherry picked from commit bd70e112d4d1f063223f0f0886aaaf33699390d0) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + lib/buffers.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/lib/buffers.c b/lib/buffers.c +index 5d4d16276..705c77f91 100644 +--- a/lib/buffers.c ++++ b/lib/buffers.c +@@ -857,7 +857,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel, + { + uint8_t *dataptr = NULL; /* for realloc */ + size_t handshake_header_size = HANDSHAKE_HEADER_SIZE(session), +- data_size, frag_size; ++ data_size, frag_length; + + /* Note: SSL2_HEADERS == 1 */ + if (_mbuffer_get_udata_size(bufel) < handshake_header_size) +@@ -872,7 +872,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel, + handshake_header_size = + SSL2_HEADERS; /* we've already read one byte */ + +- frag_size = ++ frag_length = + _mbuffer_get_udata_size(bufel) - + handshake_header_size; /* we've read the first byte */ + +@@ -883,7 +883,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel, + + hsk->sequence = 0; + hsk->start_offset = 0; +- hsk->length = frag_size; ++ hsk->length = frag_length; + } else + #endif + { /* TLS or DTLS handshake headers */ +@@ -898,13 +898,13 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel, + if (IS_DTLS(session)) { + hsk->sequence = _gnutls_read_uint16(&dataptr[4]); + hsk->start_offset = _gnutls_read_uint24(&dataptr[6]); +- frag_size = _gnutls_read_uint24(&dataptr[9]); ++ frag_length = 
_gnutls_read_uint24(&dataptr[9]); + } else { + hsk->sequence = 0; + hsk->start_offset = 0; +- frag_size = MIN((_mbuffer_get_udata_size(bufel) - +- handshake_header_size), +- hsk->length); ++ frag_length = MIN((_mbuffer_get_udata_size(bufel) - ++ handshake_header_size), ++ hsk->length); + } + + /* TLS1.3: distinguish server hello versus hello retry request. +@@ -923,8 +923,8 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel, + } + data_size = _mbuffer_get_udata_size(bufel) - handshake_header_size; + +- if (frag_size > 0) +- hsk->end_offset = hsk->start_offset + frag_size - 1; ++ if (frag_length > 0) ++ hsk->end_offset = hsk->start_offset + frag_length - 1; + else + hsk->end_offset = 0; + +@@ -932,15 +932,15 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel, + "HSK[%p]: %s (%u) was received. Length %d[%d], frag offset %d, frag length: %d, sequence: %d\n", + session, _gnutls_handshake2str(hsk->htype), + (unsigned)hsk->htype, (int)hsk->length, (int)data_size, +- hsk->start_offset, (int)frag_size, (int)hsk->sequence); ++ hsk->start_offset, (int)frag_length, (int)hsk->sequence); + + hsk->header_size = handshake_header_size; + memcpy(hsk->header, _mbuffer_get_udata_ptr(bufel), + handshake_header_size); + + if (hsk->length > 0 && +- (frag_size > data_size || +- (frag_size > 0 && hsk->end_offset >= hsk->length))) { ++ (frag_length > data_size || ++ (frag_length > 0 && hsk->end_offset >= hsk->length))) { + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + } else if (hsk->length == 0 && hsk->end_offset != 0 && + hsk->start_offset != 0) +-- +2.43.0 + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33845.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-33845.patch new file mode 100644 index 0000000000..d9af55d263 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33845.patch 
@@ -0,0 +1,172 @@ +From a6fc5c6fbfe10acd087cd233e73c5cfefbd2762a Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 23 Mar 2026 15:09:43 +0100 +Subject: [PATCH 2/2] buffers: switch from end_offset over to frag_length + +Instead of maintaining an inclusive [start_offset, end_offset] range +when reassembling DTLS handshake, +track start_offset and a relative frag_length instead. + +You'd think it'd be a no-op, but it fixes: + +* 0-length fragments triggering completion if message was 1 byte long +* a remotely triggerable underflow and an ensuing heap overrun + +Reported-by: Joshua Rogers of AISLE Research Team +Fixes: #1811 +Fixes: CVE-2026-33845 +Fixes: GNUTLS-SA-2026-04-29-3 +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + +CVE: CVE-2026-33845 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/e5b72c53c7d789d19d1d1cd10b275e87d0415413] + +Signed-off-by: Alexander Sosedkin +(cherry picked from commit e5b72c53c7d789d19d1d1cd10b275e87d0415413) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + lib/buffers.c | 51 +++++++++++++++++++++++++----------------------- + lib/gnutls_int.h | 4 ++-- + 2 files changed, 29 insertions(+), 26 deletions(-) + +diff --git a/lib/buffers.c b/lib/buffers.c +index 705c77f91..9075a2009 100644 +--- a/lib/buffers.c ++++ b/lib/buffers.c +@@ -923,10 +923,7 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel, + } + data_size = _mbuffer_get_udata_size(bufel) - handshake_header_size; + +- if (frag_length > 0) +- hsk->end_offset = hsk->start_offset + frag_length - 1; +- else +- hsk->end_offset = 0; ++ hsk->frag_length = frag_length; + + _gnutls_handshake_log( + "HSK[%p]: %s (%u) was received. 
Length %d[%d], frag offset %d, frag length: %d, sequence: %d\n", +@@ -940,9 +937,11 @@ static int parse_handshake_header(gnutls_session_t session, mbuffer_st *bufel, + + if (hsk->length > 0 && + (frag_length > data_size || +- (frag_length > 0 && hsk->end_offset >= hsk->length))) { ++ (frag_length > 0 && ++ hsk->start_offset + frag_length > hsk->length))) { + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); +- } else if (hsk->length == 0 && hsk->end_offset != 0 && ++ } else if (hsk->length == 0 && ++ hsk->start_offset + frag_length != hsk->start_offset && + hsk->start_offset != 0) + return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); + +@@ -993,11 +992,10 @@ static int merge_handshake_packet(gnutls_session_t session, + hsk->data.length = hsk->length; + } + +- if (hsk->length > 0 && hsk->end_offset > 0 && +- hsk->end_offset - hsk->start_offset + 1 != hsk->length) { ++ if (hsk->length > 0 && hsk->frag_length > 0 && ++ hsk->frag_length != hsk->length) { + memmove(&hsk->data.data[hsk->start_offset], +- hsk->data.data, +- hsk->end_offset - hsk->start_offset + 1); ++ hsk->data.data, hsk->frag_length); + } + + session->internals.handshake_recv_buffer_size++; +@@ -1031,20 +1029,27 @@ static int merge_handshake_packet(gnutls_session_t session, + } + + if (hsk->start_offset < recv_buf[pos].start_offset && +- hsk->end_offset + 1 >= recv_buf[pos].start_offset) { ++ hsk->start_offset + hsk->frag_length >= ++ recv_buf[pos].start_offset) { + memcpy(&recv_buf[pos].data.data[hsk->start_offset], + hsk->data.data, hsk->data.length); + recv_buf[pos].start_offset = hsk->start_offset; +- recv_buf[pos].end_offset = +- MIN(hsk->end_offset, recv_buf[pos].end_offset); +- } else if (hsk->end_offset > recv_buf[pos].end_offset && +- hsk->start_offset <= recv_buf[pos].end_offset + 1) { ++ recv_buf[pos].frag_length = MIN( ++ hsk->frag_length, recv_buf[pos].frag_length); ++ } else if (hsk->start_offset + hsk->frag_length > ++ recv_buf[pos].start_offset + ++ 
recv_buf[pos].frag_length && ++ hsk->start_offset <= ++ recv_buf[pos].start_offset + ++ recv_buf[pos].frag_length) { + memcpy(&recv_buf[pos].data.data[hsk->start_offset], + hsk->data.data, hsk->data.length); + +- recv_buf[pos].end_offset = hsk->end_offset; + recv_buf[pos].start_offset = MIN( + hsk->start_offset, recv_buf[pos].start_offset); ++ recv_buf[pos].frag_length = hsk->start_offset + ++ hsk->frag_length - ++ recv_buf[pos].start_offset; + } + _gnutls_handshake_buffer_clear(hsk); + } +@@ -1104,8 +1109,8 @@ static int get_last_packet(gnutls_session_t session, + } + + else if ((recv_buf[LAST_ELEMENT].start_offset == 0 && +- recv_buf[LAST_ELEMENT].end_offset == +- recv_buf[LAST_ELEMENT].length - 1) || ++ recv_buf[LAST_ELEMENT].frag_length == ++ recv_buf[LAST_ELEMENT].length) || + recv_buf[LAST_ELEMENT].length == 0) { + session->internals.dtls.hsk_read_seq++; + _gnutls_handshake_buffer_move(hsk, +@@ -1116,8 +1121,9 @@ static int get_last_packet(gnutls_session_t session, + /* if we don't have a complete handshake message, but we + * have queued data waiting, try again to reconstruct the + * handshake packet, using the queued */ +- if (recv_buf[LAST_ELEMENT].end_offset != +- recv_buf[LAST_ELEMENT].length - 1 && ++ if ((recv_buf[LAST_ELEMENT].start_offset + ++ recv_buf[LAST_ELEMENT].frag_length) != ++ recv_buf[LAST_ELEMENT].length && + record_check_unprocessed(session) > 0) + return gnutls_assert_val( + GNUTLS_E_INT_CHECK_AGAIN); +@@ -1304,9 +1310,7 @@ int _gnutls_parse_record_buffered_msgs(gnutls_session_t session) + &session->internals.record_buffer, + bufel, ret); + +- data_size = MIN(tmp.length, +- tmp.end_offset - +- tmp.start_offset + 1); ++ data_size = MIN(tmp.length, tmp.frag_length); + + ret = _gnutls_buffer_append_data( + &tmp.data, +@@ -1322,7 +1326,6 @@ int _gnutls_parse_record_buffered_msgs(gnutls_session_t session) + ret = merge_handshake_packet(session, &tmp); + if (ret < 0) + return gnutls_assert_val(ret); +- + } while (_mbuffer_get_udata_size(bufel) 
> 0); + + prev = bufel; +diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h +index 8cf9a8715..689dcdc41 100644 +--- a/lib/gnutls_int.h ++++ b/lib/gnutls_int.h +@@ -479,10 +479,10 @@ typedef struct { + uint16_t sequence; + + /* indicate whether that message is complete. +- * complete means start_offset == 0 and end_offset == length ++ * complete means start_offset == 0 and frag_length == length + */ + uint32_t start_offset; +- uint32_t end_offset; ++ uint32_t frag_length; /* used exclusively in DTLS reassembly */ + + uint8_t header[MAX_HANDSHAKE_HEADER_SIZE]; + int header_size; +-- +2.43.0 + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index e40a654a8e..702a83fc85 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb 
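Review bot: in the parse_handshake_header hunk (@@ -940,9 +937,11 @@) the added condition `hsk->start_offset + frag_length != hsk->start_offset` is just `frag_length != 0` written the long way; spelling it as `frag_length != 0` would make the `hsk->length == 0` branch readable. The other new check, `hsk->start_offset + frag_length > hsk->length`, is the right replacement for the removed `hsk->end_offset >= hsk->length`, and together with the removed `else hsk->end_offset = 0;` in the preceding hunk it also closes the zero-length case the commit message mentions: an empty fragment used to be stored as `end_offset = 0`, which the `end_offset == length - 1` test in get_last_packet accepted as a complete one-byte message, and the removed `hsk->end_offset - hsk->start_offset + 1` in merge_handshake_packet wrapped whenever `start_offset` was non-zero. A one-line comment stating the new invariant, `start_offset + frag_length <= length` whenever `length > 0`, would help readers of the merge code that follows.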
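Review bot: in the merge_handshake_packet hunk (@@ -1031,20 +1029,27 @@) the first branch is not an exact translation of the removed code: `recv_buf[pos].frag_length = MIN(hsk->frag_length, recv_buf[pos].frag_length)` runs after `recv_buf[pos].start_offset = hsk->start_offset`, so the buffered fragment's length is now measured from the new, smaller start offset. The expression equivalent to the removed `MIN(hsk->end_offset, recv_buf[pos].end_offset)` is `MIN(hsk->frag_length, recv_buf[pos].start_offset + recv_buf[pos].frag_length - hsk->start_offset)`, evaluated before the start offset is overwritten. The new value is never larger than the old one, so coverage cannot be over-reported, but it can be under-reported further, which delays the `frag_length == length` completeness test in get_last_packet until a retransmission arrives; please confirm that is intended rather than carry the old MIN over literally. The second branch is exact, and computing `frag_length` after `start_offset` has been lowered is the right order there. Both branches still `memcpy(..., hsk->data.data, hsk->data.length)` with `hsk->data.length` set to `hsk->length` earlier in the function; a comment or assertion saying why that copy stays inside `recv_buf[pos].data.data` would document the invariant now that `end_offset` is gone.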
@@ -45,6 +45,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2025-14831-9.patch \ file://CVE-2026-33846-pre.patch \ file://CVE-2026-33846.patch \ + file://CVE-2026-33845-pre.patch \ + file://CVE-2026-33845.patch \ " SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
From patchwork Wed May 20 08:13:59 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hugo Simeliere X-Patchwork-Id: 88484
From: hsimeliere.opensource@witekio.com To: openembedded-core@lists.openembedded.org Cc: "Hugo SIMELIERE (Schneider Electric)" , Bruno VERNAY Subject: [OE-core][scarthgap][PATCH 3/7] gnutls: Fix CVE-2026-3833 Date: Wed, 20 May 2026 10:13:59 +0200 Message-ID: <20260520081403.3052797-3-hsimeliere.opensource@witekio.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com> References: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237393
From: "Hugo SIMELIERE (Schneider Electric)" Pick patch from [1] as mentioned in Debian report in [2]. [1] https://gitlab.com/gnutls/gnutls/-/commit/19f6508647bdcd3ce21130201e484d7ca6d962c5 [2] https://security-tracker.debian.org/tracker/CVE-2026-3833 Signed-off-by: Hugo SIMELIERE (Schneider Electric) Reviewed-by: Bruno VERNAY --- .../gnutls/gnutls/CVE-2026-3833.patch | 94 +++++++++++++++++++ meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 + 2 files changed, 95 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch new file mode 100644 index 0000000000..cca4ff86f8 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch
@@ -0,0 +1,94 @@ +From 2e8c3569d125d188b293d132c040201aae6ceb16 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 16 Mar 2026 15:29:40 +0100 +Subject: [PATCH] x509/name-constraints: compare domain names case-insensitive + +RFC 5280 7.2: +> When comparing DNS names for equality, conforming implementations +> MUST perform a case-insensitive exact match on the entire DNS name. +> When evaluating name constraints, conforming implementations MUST +> perform a case-insensitive exact match on a label-by-label basis. + +Domain name comparison during name constraints processing +was case-sensitive. For excluded name constraints, this could lead to +incorrectly accepting domain names that should've been rejected. +The code for comparing domain names and domain name parts of emails +has been modified to perform case-insensitive comparison instead. + +Reported-by: Oleh Konko +Reported-by: Joshua Rogers of AISLE Research Team +Fixes: #1223 +Fixes: #1803 +Fixes: #1852 +Fixes: CVE-2026-3833 +Fixes: GNUTLS-SA-2026-04-29-5 + +CVE: CVE-2026-3833 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/19f6508647bdcd3ce21130201e484d7ca6d962c5] + +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N +Signed-off-by: Alexander Sosedkin +(cherry picked from commit 19f6508647bdcd3ce21130201e484d7ca6d962c5) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + lib/x509/name_constraints.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index 04722bdf4..dee045d25 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -35,6 +35,7 @@ + #include "x509_int.h" + #include "x509_ext_int.h" + #include ++#include "c-strcase.h" + + #include "ip.h" + #include "ip-in-cidr.h" +@@ -80,7 +81,7 @@ enum name_constraint_relation { + NC_SORTS_AFTER = 2 /* unrelated constraints */ + }; + +-/* A helper to compare just a pair of strings with 
this rich comparison */ ++/* Helpers to compare just a pair of strings with this rich comparison */ + static enum name_constraint_relation + compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len) + { +@@ -96,6 +97,22 @@ compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len) + return NC_EQUAL; + } + ++static enum name_constraint_relation ++compare_strings_case_insensitive(const void *n1, size_t n1_len, const void *n2, ++ size_t n2_len) ++{ ++ int r = c_strncasecmp(n1, n2, MIN(n1_len, n2_len)); ++ if (r < 0) ++ return NC_SORTS_BEFORE; ++ if (r > 0) ++ return NC_SORTS_AFTER; ++ if (n1_len < n2_len) ++ return NC_SORTS_BEFORE; ++ if (n1_len > n2_len) ++ return NC_SORTS_AFTER; ++ return NC_EQUAL; ++} ++ + /* Rich-compare DNS names. Example order/relationships: + * z.x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x.b BEFORE y.b */ + static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1, +@@ -121,8 +138,8 @@ static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1, + while (j && n2->data[j - 1] != '.') + j--; + +- rel = compare_strings(&n1->data[i], i_end - i, &n2->data[j], +- j_end - j); ++ rel = compare_strings_case_insensitive(&n1->data[i], i_end - i, ++ &n2->data[j], j_end - j); + if (rel == NC_SORTS_BEFORE) /* x.a BEFORE y.a */ + return NC_SORTS_BEFORE; + if (rel == NC_SORTS_AFTER) /* y.a AFTER x.a */ +-- +2.43.0 + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index 702a83fc85..69f90a3c01 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb 
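Review bot: in the hunk adding compare_strings_case_insensitive (@@ -96,6 +97,22 @@), `c_strncasecmp(n1, n2, MIN(n1_len, n2_len))` compares as C strings and stops at the first NUL byte, whereas the length-based compare_strings it mirrors (body not in the diff) has no such cut-off, so two labels that differ only after an embedded NUL now compare equal and fall through to the length comparison. If DNS names and constraints are already rejected for embedded NUL before they reach this code, a comment saying so is enough; otherwise a byte loop over `MIN(n1_len, n2_len)` using `c_tolower()` from gnulib's c-ctype.h would keep the comparison purely length-driven. Using the gnulib c-strcase.h routine rather than strncasecmp is the right choice here, since the result must not depend on the process locale.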
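Review bot: in the compare_dns_names hunk (@@ -121,8 +138,8 @@) this is the only call site switched to compare_strings_case_insensitive, while the commit message says the domain part of e-mail addresses was changed as well; please state in the message that e-mail constraints are compared through compare_dns_names, if that is the case, or include the e-mail call site in the diff. Also worth checking that compare_strings still has other callers after this hunk, since the diff leaves it in place as a static function and a leftover would warn as unused.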
@@ -47,6 +47,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2026-33846.patch \ file://CVE-2026-33845-pre.patch \ file://CVE-2026-33845.patch \ + file://CVE-2026-3833.patch \ " SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
From patchwork Wed May 20 08:14:00 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hugo Simeliere X-Patchwork-Id: 88482
From: hsimeliere.opensource@witekio.com To: openembedded-core@lists.openembedded.org Cc: "Hugo SIMELIERE (Schneider Electric)" , Bruno VERNAY Subject: [OE-core][scarthgap][PATCH 4/7] gnutls: Fix CVE-2026-42015 Date: Wed, 20 May 2026 10:14:00 +0200 Message-ID: <20260520081403.3052797-4-hsimeliere.opensource@witekio.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com> References: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237395
From: "Hugo SIMELIERE (Schneider Electric)" Pick patch from [1] as mentioned in Debian report in [2]. [1] https://gitlab.com/gnutls/gnutls/-/commit/a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca [2] https://security-tracker.debian.org/tracker/CVE-2026-42015 Signed-off-by: Hugo SIMELIERE (Schneider Electric) Reviewed-by: Bruno VERNAY --- .../gnutls/gnutls/CVE-2026-42015.patch | 50 +++++++++++++++++++ meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch new file mode 100644 index 0000000000..dfc3506ccc --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch
@@ -0,0 +1,50 @@ +From 264da2a72033ed8890105231e5d36263d403ca60 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 20 Apr 2026 22:42:20 +0200 +Subject: [PATCH] x509/pkcs12_bag: fix off-by-one in bag element bounds check + +Appending elements to a PKCS#12 bag had a bounds check that +prevented adding the 32nd element. +On the other hand, it is possible to import one that already has 32. +Subsequent appending then led to writing past the 32-element array, +smashing its length. + +Tighten the check to reject any bag with 32 or more elements. + +We'll treat this vulnerability as a Low due to how contrived +the requirements are: for the code to be vulnerable, +it needs to append to an imported untrusted unencrypted PKCS#12 structure. + +Reported-by: Zou Dikai +Fixes: #1840 +Fixes: CVE-2026-42015 +Fixes: GNUTLS-SA-2026-04-29-11 +CVSS: 6.1 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H +Severity: Low + +CVE: CVE-2026-42015 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca] + +Signed-off-by: Alexander Sosedkin +(cherry picked from commit a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + lib/x509/pkcs12_bag.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c +index 911aeff93..38228613c 100644 +--- a/lib/x509/pkcs12_bag.c ++++ b/lib/x509/pkcs12_bag.c +@@ -375,7 +375,7 @@ int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag_t bag, + return GNUTLS_E_INVALID_REQUEST; + } + +- if (bag->bag_elements == MAX_BAG_ELEMENTS - 1) { ++ if (bag->bag_elements >= MAX_BAG_ELEMENTS - 1) { + gnutls_assert(); + /* bag is full */ + return GNUTLS_E_MEMORY_ERROR; +-- +2.43.0 + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index 69f90a3c01..20946c1030 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb 
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb 
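Review bot: the new `if (bag->bag_elements >= MAX_BAG_ELEMENTS - 1)` rejects once the bag holds MAX_BAG_ELEMENTS - 1 entries, so with the 32-element array the commit message describes the 32nd element still cannot be appended, the same ceiling as the old `==` check; the message's "reject any bag with 32 or more elements" should say 31 or more, or the check should read `>= MAX_BAG_ELEMENTS` if filling the array is meant to be allowed. Either way the `>=` is what closes the imported-bag case, since a bag imported with MAX_BAG_ELEMENTS entries now fails the test instead of stepping past it. Unrelated to the CVE but visible in the context lines: returning GNUTLS_E_MEMORY_ERROR for "bag is full" misdescribes a capacity limit, and GNUTLS_E_INVALID_REQUEST, used a few lines above, would be clearer; that change belongs upstream rather than in a backport.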
@@ -48,6 +48,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2026-33845-pre.patch \ file://CVE-2026-33845.patch \ file://CVE-2026-3833.patch \ + file://CVE-2026-42015.patch \ " SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b" From patchwork Wed May 20 08:14:01 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hugo Simeliere X-Patchwork-Id: 88485 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5539ACD4F54 for ; Wed, 20 May 2026 08:15:11 +0000 (UTC) Received: from mx-relay22-hz1-if1.hornetsecurity.com (mx-relay22-hz1-if1.hornetsecurity.com [94.100.128.32]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.7306.1779264904977767612 for ; Wed, 20 May 2026 01:15:05 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@witekio.com header.s=selector1 header.b=ZJ90YVL2; spf=permerror, err=parse error for token &{10 18 spf.hornetsecurity.com}: limit exceeded (domain: witekio.com, ip: 94.100.128.32, mailfrom: hsimeliere@witekio.com) Received: from mail-norwayeastazon11023134.outbound.protection.outlook.com ([40.107.159.134]) by mx-gate22-hz1; Wed, 20 May 2026 10:15:02 +0200 ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=RBdCoXRiJMV5qVk+ZFaZiIZCIewt8soTN3hWQE7RF+ByV6cHJTZDw9vpUeHEA1MGRaMRpwx9bBbV/yXyp7e+CzUO6pz5lgJuh49NSUQ9s9Lu9OIcmNmVwu3QvdqjWF5L76rZE/6wR1QZA6OYB6Nge0eBztks9Tm/Ku2/u99l/ZzfC1oHuz/dgJ3uF/YDnO6ZCnLEcRn9xt+IHYAeFY3Zg6yWYOGwZ31IZv69PtXfopqTTctUdHHm0nubpFAPlcQ27B+Wkq30rbrJwyXXWQqCeeidlj1x5XhIU2KGREh/PhAs70PZHTT5o/ywxMahcVl/XfdySwIHCqIpKuYqP8LbAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; 
From: hsimeliere.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: "Hugo SIMELIERE (Schneider Electric)" , Bruno VERNAY
Subject: [OE-core][scarthgap][PATCH 5/7] gnutls: Fix CVE-2026-42014
Date: Wed, 20 May 2026 10:14:01 +0200
Message-ID: <20260520081403.3052797-5-hsimeliere.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com>
References: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237397

From: "Hugo SIMELIERE (Schneider Electric)"

Pick patch from [1] as mentioned in Debian report in [2].

[1] https://gitlab.com/gnutls/gnutls/-/commit/3957f136e2ed23caf176a594b54b3827f5cef701
[2] https://security-tracker.debian.org/tracker/CVE-2026-42014

Signed-off-by: Hugo SIMELIERE (Schneider Electric)
Reviewed-by: Bruno VERNAY
---
 .../gnutls/gnutls/CVE-2026-42014.patch | 67 +++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch
new file mode 100644
index 0000000000..ceaf05bf1e
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch
@@ -0,0 +1,67 @@ +From b48f025e58763f3975e5d65d698df27a5211bc51 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Wed, 18 Mar 2026 18:19:06 +0100 +Subject: [PATCH] pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin + +Changing Security Officer PIN with gnutls_pkcs11_token_set_pin() with +oldpin == NULL for a token that lacks a protected authentication path +led to a use-after-free. + +Reported-by: Luigino Camastra and Joshua Rogers of AISLE Research Team +Fixes: #1766 +Fixes: #1809 +Fixes: CVE-2026-42014 +Fixes: GNUTLS-SA-2026-04-29-9 +CVSS: 4.0 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + +CVE: CVE-2026-42014 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/3957f136e2ed23caf176a594b54b3827f5cef701] + +Signed-off-by: Alexander Sosedkin +(cherry picked from commit 3957f136e2ed23caf176a594b54b3827f5cef701) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + lib/pkcs11_write.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c +index 961e1b9d8..9fe571ea2 100644 +--- a/lib/pkcs11_write.c ++++ b/lib/pkcs11_write.c +@@ -1267,10 +1267,9 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin, + ses_flags = SESSION_WRITE | SESSION_LOGIN; + + ret = pkcs11_open_session(&sinfo, NULL, info, ses_flags); +- p11_kit_uri_free(info); +- + if (ret < 0) { + gnutls_assert(); ++ p11_kit_uri_free(info); + return ret; + } + +@@ -1291,9 +1290,11 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin, + oldpin_size = L(oldpin); + + if (!(sinfo.tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) { +- if (newpin == NULL) +- return gnutls_assert_val( ++ if (newpin == NULL) { ++ ret = gnutls_assert_val( + GNUTLS_E_INVALID_REQUEST); ++ goto finish; ++ } + + if (oldpin == NULL) { + struct pin_info_st pin_info; +@@ -1325,6 +1326,7 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin, + ret = 0; + + finish: 
++ p11_kit_uri_free(info); + pkcs11_close_session(&sinfo); + return ret; + } +-- +2.43.0 + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index 20946c1030..dc8e28c99b 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb 
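Review bot: the second hunk of lib/pkcs11_write.c (the `@@ -1291,9 +1290,11 @@` region) converts only the `newpin == NULL` early `return` into `ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); goto finish;`, and the `if (oldpin == NULL) { struct pin_info_st pin_info;` branch that follows it is cut off by the hunk, so please confirm that every other exit between that branch and the `finish:` label also goes through `finish`; with this patch `finish:` is now the only place that frees `info` and closes `sinfo`, so any remaining direct `return` on those paths leaks both, which is the same leak the commit message says this change fixes. The first hunk is the actual use-after-free repair: the old code freed `info` unconditionally right after `pkcs11_open_session`, yet the commit message states that the `oldpin == NULL` path on a token without CKF_PROTECTED_AUTHENTICATION_PATH still used it afterwards; moving `p11_kit_uri_free(info)` into the `ret < 0` branch and into `finish:` keeps the URI alive for the rest of the function. Since `finish:` now owns two resources, a one-line comment at the label noting that `info` and `sinfo` must only be released there would protect the next backport from reintroducing the early-return leak.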
@@ -49,6 +49,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2026-33845.patch \ file://CVE-2026-3833.patch \ file://CVE-2026-42015.patch \ + file://CVE-2026-42014.patch \ " SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"

From patchwork Wed May 20 08:14:02 2026
X-Patchwork-Submitter: Hugo Simeliere
X-Patchwork-Id: 88487
From: hsimeliere.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: "Hugo SIMELIERE (Schneider Electric)" , Bruno VERNAY
Subject: [OE-core][scarthgap][PATCH 6/7] gnutls: Fix CVE-2026-42010
Date: Wed, 20 May 2026 10:14:02 +0200
Message-ID: <20260520081403.3052797-6-hsimeliere.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com>
References: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237398

From: "Hugo SIMELIERE (Schneider Electric)"

Pick patch from [1] as mentioned in Debian report in [2].

[1] https://gitlab.com/gnutls/gnutls/-/commit/cb1833afd9b6309563211b1c0a7c291f52ca98d5
[2] https://security-tracker.debian.org/tracker/CVE-2026-42010

Signed-off-by: Hugo SIMELIERE (Schneider Electric)
Reviewed-by: Bruno VERNAY
---
 .../gnutls/gnutls/CVE-2026-42010.patch | 42 +++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-42010.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-42010.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-42010.patch
new file mode 100644
index 0000000000..59454cefe7
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-42010.patch
@@ -0,0 +1,42 @@ +From 590f730b1cd35202bb372480e6a0ac0c3d31933e Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Tue, 21 Apr 2026 19:26:10 +0200 +Subject: [PATCH] lib/auth/rsa_psk: fix binary PSK identity lookup + +A server looking up PSK username with a NUL-character in it +was wrongfully matching username truncated at a NUL-character. +Fix the check to compare up to the full username length. + +Reported-by: Joshua Rogers of AISLE Research Team +Fixes: #1850 +Fixes: CVE-2026-42010 +Fixes: GNUTLS-SA-2026-04-29-4 +CVSS: 7.1 High CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N + +CVE: CVE-2026-42010 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/cb1833afd9b6309563211b1c0a7c291f52ca98d5] + +Signed-off-by: Alexander Sosedkin +(cherry picked from commit cb1833afd9b6309563211b1c0a7c291f52ca98d5) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + lib/auth/rsa_psk.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c +index 399fb4da1..a14de467a 100644 +--- a/lib/auth/rsa_psk.c ++++ b/lib/auth/rsa_psk.c +@@ -321,8 +321,7 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, + * filled in if the key is not found. + */ + ret = _gnutls_psk_pwd_find_entry(session, info->username, +- strlen(info->username), &pwd_psk, +- NULL); ++ info->username_len, &pwd_psk, NULL); + if (ret < 0) + return gnutls_assert_val(ret); + +-- +2.43.0 + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index dc8e28c99b..0b3abb827c 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb 
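Review bot: the lib/auth/rsa_psk.c hunk replaces `strlen(info->username)` with `info->username_len` in the `_gnutls_psk_pwd_find_entry` call, so an identity with an embedded NUL is now looked up by its full wire length instead of its C-string prefix, which is the wrong-entry match the commit message describes; the fix is correct as far as this call goes, but two things the hunk does not show need checking before this is merged into scarthgap. First, `_gnutls_psk_pwd_find_entry` and the credentials-file or callback lookup behind it must compare all `username_len` bytes rather than fall back to a `strcmp`/`strlen` on their side, otherwise the truncation just moves one level down. Second, if the plain PSK key exchange (the non-RSA path) performs the same lookup with `strlen`, it needs the same one-line change in a follow-up. The CVSS vector in the commit message (C:H) is consistent with the session being keyed with another identity's secret, so a regression test that registers two identities differing only after an embedded NUL byte and asserts that the server selects the right one would be worth carrying with the backport.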
@@ -50,6 +50,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2026-3833.patch \ file://CVE-2026-42015.patch \ file://CVE-2026-42014.patch \ + file://CVE-2026-42010.patch \ " SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"

From patchwork Wed May 20 08:14:03 2026
X-Patchwork-Submitter: Hugo Simeliere
X-Patchwork-Id: 88486
From: hsimeliere.opensource@witekio.com
To: openembedded-core@lists.openembedded.org
Cc: "Hugo SIMELIERE (Schneider Electric)" , Bruno VERNAY
Subject: [OE-core][scarthgap][PATCH 7/7] gnutls: Fix CVE-2026-5260
Date: Wed, 20 May 2026 10:14:03 +0200
Message-ID: <20260520081403.3052797-7-hsimeliere.opensource@witekio.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com>
References: <20260520081403.3052797-1-hsimeliere.opensource@witekio.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/237396

From: "Hugo SIMELIERE (Schneider Electric)"

Pick patches from [1] and [2] as mentioned in Debian report in [3].

[1] https://gitlab.com/gnutls/gnutls/-/commit/77228f2d1ac207d2f894e5a168fbb47e5378e42f
[2] https://gitlab.com/gnutls/gnutls/-/commit/cf6bdc5e4df49e5583d3fb4d2296779785f10683
[3] https://security-tracker.debian.org/tracker/CVE-2026-5260

Signed-off-by: Hugo SIMELIERE (Schneider Electric)
Reviewed-by: Bruno VERNAY
---
 .../gnutls/gnutls/CVE-2026-5260-1.patch | 78 +++++++++++++++++++
 .../gnutls/gnutls/CVE-2026-5260-2.patch | 40 ++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 +
 3 files changed, 120 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-5260-1.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-5260-2.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-1.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-1.patch
new file mode 100644
index 0000000000..060440e8b7
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-1.patch
@@ -0,0 +1,78 @@ +From a39a21031f9e56d31747b060f83fb49d1a77f0c5 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 30 Mar 2026 17:31:07 +0200 +Subject: [PATCH 1/2] lib/auth/rsa: check that ciphertext matches the modulus + size + +A client sending extremely short premaster secret as part of an +RSA key exchange could've theoretically triggered a short heap overread +to nowhere when the RSA key was backed with a PKCS#11 token. +With this fix, the internal decryption function will not be called +with an mismatching plaintext length specified, avoiding the overread. + +Reported-by: Joshua Rogers of AISLE Research Team +Fixes: #1814 +Fixes: CVE-2026-5260 +Fixes: GNUTLS-SA-2026-04-29-10 +CVSS: 5.9 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H + +CVE: CVE-2026-5260 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/77228f2d1ac207d2f894e5a168fbb47e5378e42f] + +Signed-off-by: Alexander Sosedkin +(cherry picked from commit 77228f2d1ac207d2f894e5a168fbb47e5378e42f) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + lib/auth/rsa.c | 5 +++++ + lib/auth/rsa_psk.c | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c +index b5ecc092f..24c1649be 100644 +--- a/lib/auth/rsa.c ++++ b/lib/auth/rsa.c +@@ -158,6 +158,7 @@ static int proc_rsa_client_kx(gnutls_session_t session, uint8_t *data, + int ret, dsize; + ssize_t data_size = _data_size; + volatile uint8_t ver_maj, ver_min; ++ unsigned int key_bits; + + #ifdef ENABLE_SSL3 + if (get_num_version(session) == GNUTLS_SSL3) { +@@ -180,6 +181,10 @@ static int proc_rsa_client_kx(gnutls_session_t session, uint8_t *data, + } + ciphertext.size = dsize; + } ++ gnutls_privkey_get_pk_algorithm(session->internals.selected_key, ++ &key_bits); ++ if (ciphertext.size != (key_bits + 7) / 8) ++ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); + + ver_maj = _gnutls_get_adv_version_major(session); + ver_min = _gnutls_get_adv_version_minor(session); +diff --git 
a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c +index a14de467a..a1da1b320 100644 +--- a/lib/auth/rsa_psk.c ++++ b/lib/auth/rsa_psk.c +@@ -257,6 +257,7 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, + ssize_t data_size = _data_size; + gnutls_psk_server_credentials_t cred; + volatile uint8_t ver_maj, ver_min; ++ unsigned int rsa_key_bits; + + cred = (gnutls_psk_server_credentials_t)_gnutls_get_cred( + session, GNUTLS_CRD_PSK); +@@ -313,6 +314,10 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, + return GNUTLS_E_UNEXPECTED_PACKET_LENGTH; + } + ciphertext.size = dsize; ++ gnutls_privkey_get_pk_algorithm(session->internals.selected_key, ++ &rsa_key_bits); ++ if (ciphertext.size != (rsa_key_bits + 7) / 8) ++ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED); + + ver_maj = _gnutls_get_adv_version_major(session); + ver_min = _gnutls_get_adv_version_minor(session); +-- +2.43.0 + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-2.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-2.patch new file mode 100644 index 0000000000..32181e45da --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-5260-2.patch 
@@ -0,0 +1,40 @@ +From 9b58b5237713d2189192aa8591b337787ee2edff Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin +Date: Mon, 30 Mar 2026 17:46:40 +0200 +Subject: [PATCH 2/2] lib/pkcs11_privkey: guard against overreading on short + ciphertexts + +This is an alternative fix for the callee side. + +Reported-by: Joshua Rogers of AISLE Research Team +Fixes: #1814 +Fixes: CVE-2026-5260 +Fixes: GNUTLS-SA-2026-04-29-10 +CVSS: 5.9 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H + +CVE: CVE-2026-5260 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/cf6bdc5e4df49e5583d3fb4d2296779785f10683] + +Signed-off-by: Alexander Sosedkin +(cherry picked from commit cf6bdc5e4df49e5583d3fb4d2296779785f10683) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) +--- + lib/pkcs11_privkey.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c +index 5093a6d56..369b034a6 100644 +--- a/lib/pkcs11_privkey.c ++++ b/lib/pkcs11_privkey.c +@@ -826,7 +826,7 @@ int _gnutls_pkcs11_privkey_decrypt_data2(gnutls_pkcs11_privkey_t key, + if (ret != 0) + return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR); + +- buffer = gnutls_malloc(siglen); ++ buffer = gnutls_malloc(MAX((size_t)siglen, plaintext_size)); + if (!buffer) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; +-- +2.43.0 + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index 0b3abb827c..a4a6a5fe21 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb @@ -51,6 +51,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2026-42015.patch \ file://CVE-2026-42014.patch \ file://CVE-2026-42010.patch \ + file://CVE-2026-5260-1.patch \ + file://CVE-2026-5260-2.patch \ " SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
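Review bot: in both added checks of CVE-2026-5260-1.patch (the rsa.c and rsa_psk.c hunks) the return value of gnutls_privkey_get_pk_algorithm() is discarded, so if that lookup fails key_bits / rsa_key_bits is left uninitialized and `if (ciphertext.size != (key_bits + 7) / 8)` compares against an indeterminate value. Since this is a verbatim cherry-pick of upstream 77228f2d, the recipe patch should stay identical to upstream rather than diverge, but it is worth raising upstream: declaring `unsigned int key_bits = 0;` (and likewise for rsa_key_bits) makes a failed lookup reject every ciphertext with GNUTLS_E_DECRYPTION_FAILED, which is the safe direction, rather than depending on stack garbage. The placement itself is right: the check sits after `ciphertext.size = dsize;` closes the length-prefixed branch, so it is evaluated on every path that reaches the decryption call.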
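Review bot: the one-line change in CVE-2026-5260-2.patch, `buffer = gnutls_malloc(MAX((size_t)siglen, plaintext_size));`, fixes the undersized buffer in the callee, but its description ("This is an alternative fix for the callee side") does not say why the recipe carries it in addition to CVE-2026-5260-1.patch. A sentence in the recipe-side part of the header explaining that the first patch rejects mismatched ciphertext lengths in the two TLS callers while this one hardens _gnutls_pkcs11_privkey_decrypt_data2 for any caller would help whoever rebases this next. Note also that the `(size_t)` cast on siglen is what gives both MAX operands the same type; keep it intact if this hunk ever needs manual re-application.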
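Review bot: in the gnutls_3.8.4.bb hunk the two new SRC_URI entries follow the existing `file://CVE-<id>.patch` convention and each patch header carries the `CVE: CVE-2026-5260` tag that cve-check keys on, so no CVE_STATUS entry is needed. The two entries should be treated as a pair on future rebases: per their own descriptions the first patch fixes the callers and the second the callee, so dropping either one would leave only half of the fix while cve-check still reports the CVE as patched.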