Hi Yoann, Sorry for the delayed response — I was on holiday. Thank you for your detailed notes. Please find my comments below:
On Wed, Feb 18, 2026 at 8:50 PM Yoann Congal <[email protected]> wrote:
> On Tue Feb 17, 2026 at 1:58 PM CET, Vijay Anusuri via
> lists.openembedded.org wrote:
> > Release information: [1]
> > Includes fix for CVE-2025-9820.
> >
> > Refresh patches.
> >
> > Backport commit to be able to build with gcc<11 (e.g. Debian 11).
> >
> > [1]
> https://lists.gnupg.org/pipermail/gnutls-help/2025-November/004906.html
> >
> > Signed-off-by: Peter Marko <[email protected]>
> > Signed-off-by: Mathieu Dubois-Briand <[email protected]>
> > Signed-off-by: Richard Purdie <[email protected]>
> >
> > (From OE-Core rev: 0224dd73d5e462e3ab0958a63d631aa32e330d6c)
> >
> > Dropped CVE-2025-9820.patch
> > > > Signed-off-by: Vijay Anusuri <[email protected]>
> > ---
> >  ...ile-should-be-excuted-in-target-envi.patch |   2 +-
> >  ...dit-crau-fix-compilation-with-gcc-11.patch |  66 +++++
> >  .../gnutls/gnutls/Add-ptest-support.patch     |   6 +-
> >  .../gnutls/gnutls/CVE-2025-9820.patch         | 233 ------------------
> >  .../{gnutls_3.8.10.bb => gnutls_3.8.11.bb}    |   4 +-
> >  5 files changed, 72 insertions(+), 239 deletions(-)
> >  create mode 100644
> meta/recipes-support/gnutls/gnutls/0001-audit-crau-fix-compilation-with-gcc-11.patch
> >  delete mode 100644
> meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch
> >  rename meta/recipes-support/gnutls/{gnutls_3.8.10.bb =>
> gnutls_3.8.11.bb} (96%)
>
> Hello,
>
> Sorry, but it looks like this release mixes enhancements with bug and CVE
> fixes:
> https://lists.gnupg.org/pipermail/gnutls-help/2025-November/004906.html:
>
> >> As this is the latest branch, I sent the upgrade patch. It looks like
> there are some enhancements included apart from the security fixes. I will
> send a CVE-only patch separately.
>
> > ** libgnutls: MAC algorithms for PSK binders is now configurable
> > [...]
> >
> > ** libgnutls: Expose a new function [...]
> > [...]
> > ** libgnutls: Expose a new function [...]
> > [...]
> > ** libgnutls: PKCS#11 cryptographic provider configuration takes a token
> URI
> > instead of a module path. [...]
> > [...]
> > ** API and ABI modifications:
> > gnutls_psk_allocate_client_credentials2: New function
> > [...]
> > gnutls_audit_current_context: New function
>
> I don't think it is suitable for stable inclusion. Same for patch 4/4 of
> this series.
>
> >> Understood — I agree that 1/4 and 4/4 may not be suitable for stable inclusion as they introduce new features or enhancements. I could take patches 2/4 and 3/4, but do they make sense without 1/4?
>
> >> I believe 2/4 and 3/4 can be taken independently as 3.8.x supports fips
> mode.
>
> Regards,
> > > diff --git > a/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch > b/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch > > index 2dccea7859..0847dde8a9 100644 > > --- > a/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch > > +++ > b/meta/recipes-support/gnutls/gnutls/0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch > > @@ -14,7 +14,7 @@ diff --git a/lib/Makefile.am b/lib/Makefile.am > > index a50d311..193ea19 100644 > > --- a/lib/Makefile.am > > +++ b/lib/Makefile.am > > -@@ -272,8 +272,7 @@ hmac_file = .libs/.$(gnutls_so).hmac > > +@@ -275,8 +275,7 @@ hmac_file = .libs/.$(gnutls_so).hmac > > > > all-local: $(hmac_file) > > > > diff --git > a/meta/recipes-support/gnutls/gnutls/0001-audit-crau-fix-compilation-with-gcc-11.patch > b/meta/recipes-support/gnutls/gnutls/0001-audit-crau-fix-compilation-with-gcc-11.patch > > new file mode 100644 > > index 0000000000..60960dad6f > > --- /dev/null > > +++ > b/meta/recipes-support/gnutls/gnutls/0001-audit-crau-fix-compilation-with-gcc-11.patch 
> > @@ -0,0 +1,66 @@ > > +From 2bbae7644a2292410b53f98fd0035c40bf8750a5 Mon Sep 17 00:00:00 2001 > > +From: Julien Olivain <[email protected]> > > +Date: Sun, 23 Nov 2025 18:17:19 +0100 > > +Subject: [PATCH] audit: crau: fix compilation with gcc < 11 > > + > > +If the CRAU_MAYBE_UNUSED macro is unset, the crau.h file tries to > > +automatically detect an appropriate value for it. > > + > > +This autodetection is using the cpp special operator > > +`__has_c_attribute` [1], introduced in gcc 11 [2]. > > + > > +When compiling with a gcc older than version 11, the compilation fails > > +with the error: > > + > > + In file included from audit.h:22, > > + from audit.c:26: > > + crau/crau.h:255:23: error: missing binary operator before token "(" > > + __has_c_attribute (__maybe_unused__) > > + ^ > > + > > +This has been observed, for example, in Rocky Linux 8.10, which > > +contains a gcc v8.5.0. > > + > > +The issue happens because the test for the `__has_c_attribute` > > +availability and the test for the `__maybe_unused__` attribute > > +are in the same directive. Those tests should be separated in > > +two different directives, following the same logic described in > > +the `__has_builtin` documentation [3]. > > + > > +This issue was found in Buildroot, after updating gnutls to > > +version 3.8.11 in [4]. > > + > > +This commit fixes the issue by splitting the test in two. 
> > + > > +[1] > https://gcc.gnu.org/onlinedocs/cpp/_005f_005fhas_005fc_005fattribute.html > > +[2] https://gcc.gnu.org/gcc-11/changes.html#c > > +[3] https://gcc.gnu.org/onlinedocs/cpp/_005f_005fhas_005fbuiltin.html > > +[4] > https://gitlab.com/buildroot.org/buildroot/-/commit/81dbfe1c2ae848b4eb1f896198d13455df50e548 > > + > > +Reported-by: Neal Frager <[email protected]> > > +Signed-off-by: Julien Olivain <[email protected]> > > + > > +Upstream-Status: Backport [ > https://github.com/gnutls/gnutls/commit/2bbae7644a2292410b53f98fd0035c40bf8750a5 > ] > > +Signed-off-by: Peter Marko <[email protected]> > > +--- > > + lib/crau/crau.h | 7 ++++--- > > + 1 file changed, 4 insertions(+), 3 deletions(-) > > + > > +diff --git a/lib/crau/crau.h b/lib/crau/crau.h > > +index 0d4f9f13e..53d33555b 100644 > > +--- a/lib/crau/crau.h > > ++++ b/lib/crau/crau.h > > +@@ -251,9 +251,10 @@ void crau_data(struct crau_context_stack_st > *stack, ...) > > + # else > > + > > + # ifndef CRAU_MAYBE_UNUSED > > +-# if defined(__has_c_attribute) && \ > > +- __has_c_attribute (__maybe_unused__) > > +-# define CRAU_MAYBE_UNUSED [[__maybe_unused__]] > > ++# if defined(__has_c_attribute) > > ++# if __has_c_attribute (__maybe_unused__) > > ++# define CRAU_MAYBE_UNUSED [[__maybe_unused__]] > > ++# endif > > + # elif defined(__GNUC__) > > + # define CRAU_MAYBE_UNUSED __attribute__((__unused__)) > > + # endif > > diff --git a/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch > b/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch > > index 339d3d2f9e..d8b5035b38 100644 > > --- a/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch > > +++ b/meta/recipes-support/gnutls/gnutls/Add-ptest-support.patch > > @@ -15,7 +15,7 @@ diff --git a/Makefile.am b/Makefile.am > > index 843193f..816b09f 100644 > > --- a/Makefile.am 
> > +++ b/Makefile.am > > -@@ -194,6 +194,9 @@ dist-hook: > > +@@ -197,6 +197,9 @@ dist-hook: > > distcheck-hook: > > @test -d "$(top_srcdir)/po/.reference" || { echo "PO files are not > downloaded; run ./bootstrap without --skip-po"; exit 1; } > > > > @@ -29,7 +29,7 @@ diff --git a/configure.ac b/configure.ac > > index 1744813..efb9e34 100644 > > --- a/configure.ac > > +++ b/configure.ac > > -@@ -1491,6 +1491,8 @@ AC_SUBST(LIBGNUTLS_CFLAGS) > > +@@ -1447,6 +1447,8 @@ AC_SUBST(LIBGNUTLS_CFLAGS) > > > > AM_CONDITIONAL(NEEDS_LIBRT, test "$gnutls_needs_librt" = "yes") > > > > @@ -42,7 +42,7 @@ diff --git a/tests/Makefile.am b/tests/Makefile.am > > index 189d068..8430b05 100644 > > --- a/tests/Makefile.am > > +++ b/tests/Makefile.am > > -@@ -678,6 +678,12 @@ SH_LOG_COMPILER = $(SHELL) > > +@@ -719,6 +719,12 @@ SH_LOG_COMPILER = $(SHELL) > > AM_VALGRINDFLAGS = --suppressions=$(srcdir)/suppressions.valgrind > > LOG_COMPILER = $(LOG_VALGRIND) > > > > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch > b/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch > > deleted file mode 100644 > > index e4f97500ee..0000000000 > > --- a/meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch > > +++ /dev/null 
> > @@ -1,233 +0,0 @@ > > -From 19ad448d0cc3dd6857b553a47728eead3ea8f445 Mon Sep 17 00:00:00 2001 > > -From: Daiki Ueno <[email protected]> > > -Date: Tue, 18 Nov 2025 13:17:55 +0900 > > -Subject: [PATCH] pkcs11: avoid stack overwrite when initializing a token > > - > > -If gnutls_pkcs11_token_init is called with label longer than 32 > > -characters, the internal storage used to blank-fill it would > > -overflow. This adds a guard to prevent that. > > - > > -CVE: CVE-2025-9820 > > -Upstream-Status: Backport [ > https://gitlab.com/gnutls/gnutls/-/commit/1d56f96f6ab5034d677136b9d50b5a75dff0faf5 > ] > > -Signed-off-by: Daiki Ueno <[email protected]> > > -Signed-off-by: Ankur Tyagi <[email protected]> > > ---- > > - lib/pkcs11_write.c | 5 +- > > - tests/Makefile.am | 2 +- > > - tests/pkcs11/long-label.c | 164 ++++++++++++++++++++++++++++++++++++++ > > - 3 files changed, 168 insertions(+), 3 deletions(-) > > - create mode 100644 tests/pkcs11/long-label.c > > - > > -diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c > > -index f5e9058e0..64b85a2df 100644 > > ---- a/lib/pkcs11_write.c > > -+++ b/lib/pkcs11_write.c > > -@@ -28,6 +28,7 @@ > > - #include "pkcs11x.h" > > - #include "x509/common.h" > > - #include "pk.h" > > -+#include "minmax.h" > > - > > - static const ck_bool_t tval = 1; > > - static const ck_bool_t fval = 0; > > -@@ -1172,7 +1173,7 @@ int gnutls_pkcs11_delete_url(const char > *object_url, unsigned int flags) > > - * gnutls_pkcs11_token_init: > > - * @token_url: A PKCS #11 URL specifying a token > > - * @so_pin: Security Officer's PIN > > -- * @label: A name to be used for the token > > -+ * @label: A name to be used for the token, at most 32 characters > > - * > > - * This function will initialize (format) a token. 
If the token is > > - * at a factory defaults state the security officer's PIN given will be > > -@@ -1210,7 +1211,7 @@ int gnutls_pkcs11_token_init(const char > *token_url, const char *so_pin, > > - /* so it seems memset has other uses than zeroing! */ > > - memset(flabel, ' ', sizeof(flabel)); > > - if (label != NULL) > > -- memcpy(flabel, label, strlen(label)); > > -+ memcpy(flabel, label, MIN(sizeof(flabel), strlen(label))); > > - > > - rv = pkcs11_init_token(module, slot, (uint8_t *)so_pin, > strlen(so_pin), > > - (uint8_t *)flabel); > > -diff --git a/tests/Makefile.am b/tests/Makefile.am > > -index c8de4494b..f64f7b1c0 100644 > > ---- a/tests/Makefile.am > > -+++ b/tests/Makefile.am > > -@@ -503,7 +503,7 @@ pathbuf_CPPFLAGS = $(AM_CPPFLAGS) \ > > - if ENABLE_PKCS11 > > - if !WINDOWS > > - ctests += tls13/post-handshake-with-cert-pkcs11 > pkcs11/tls-neg-pkcs11-no-key \ > > -- global-init-override pkcs11/distrust-after > > -+ global-init-override pkcs11/distrust-after pkcs11/long-label > > - tls13_post_handshake_with_cert_pkcs11_DEPENDENCIES = libpkcs11mock2.la > libutils.la > > - tls13_post_handshake_with_cert_pkcs11_LDADD = $(LDADD) $(LIBDL) > > - pkcs11_tls_neg_pkcs11_no_key_DEPENDENCIES = libpkcs11mock2.la > libutils.la > > -diff --git a/tests/pkcs11/long-label.c b/tests/pkcs11/long-label.c > > -new file mode 100644 > > -index 000000000..a70bc9728 > > ---- /dev/null > > -+++ b/tests/pkcs11/long-label.c > > -@@ -0,0 +1,164 @@ > > -+/* > > -+ * Copyright (C) 2025 Red Hat, Inc. > > -+ * > > -+ * Author: Daiki Ueno > > -+ * > > -+ * This file is part of GnuTLS. > > -+ * > > -+ * GnuTLS is free software; you can redistribute it and/or modify it > > -+ * under the terms of the GNU General Public License as published by > > -+ * the Free Software Foundation; either version 3 of the License, or > > -+ * (at your option) any later version. 
> > -+ * > > -+ * GnuTLS is distributed in the hope that it will be useful, but > > -+ * WITHOUT ANY WARRANTY; without even the implied warranty of > > -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > > -+ * General Public License for more details. > > -+ * > > -+ * You should have received a copy of the GNU Lesser General Public > License > > -+ * along with this program. If not, see < > https://www.gnu.org/licenses/> > > -+ */ > > -+ > > -+#ifdef HAVE_CONFIG_H > > -+#include "config.h" > > -+#endif > > -+ > > -+#include <stdbool.h> > > -+#include <stdio.h> > > -+#include <stdlib.h> > > -+ > > -+#if defined(_WIN32) > > -+ > > -+int main(void) > > -+{ > > -+ exit(77); > > -+} > > -+ > > -+#else > > -+ > > -+#include <string.h> > > -+#include <unistd.h> > > -+#include <gnutls/gnutls.h> > > -+ > > -+#include "cert-common.h" > > -+#include "pkcs11/softhsm.h" > > -+#include "utils.h" > > -+ > > -+/* This program tests that a token can be initialized with > > -+ * a label longer than 32 characters. 
> > -+ */ > > -+ > > -+static void tls_log_func(int level, const char *str) > > -+{ > > -+ fprintf(stderr, "server|<%d>| %s", level, str); > > -+} > > -+ > > -+#define PIN "1234" > > -+ > > -+#define CONFIG_NAME "softhsm-long-label" > > -+#define CONFIG CONFIG_NAME ".config" > > -+ > > -+static int pin_func(void *userdata, int attempt, const char *url, > > -+ const char *label, unsigned flags, char *pin, > > -+ size_t pin_max) > > -+{ > > -+ if (attempt == 0) { > > -+ strcpy(pin, PIN); > > -+ return 0; > > -+ } > > -+ return -1; > > -+} > > -+ > > -+static void test(const char *provider) > > -+{ > > -+ int ret; > > -+ size_t i; > > -+ > > -+ gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); > > -+ > > -+ success("test with %s\n", provider); > > -+ > > -+ if (debug) { > > -+ gnutls_global_set_log_function(tls_log_func); > > -+ gnutls_global_set_log_level(4711); > > -+ } > > -+ > > -+ /* point to SoftHSM token that libpkcs11mock4.so internally uses */ > > -+ setenv(SOFTHSM_ENV, CONFIG, 1); > > -+ > > -+ gnutls_pkcs11_set_pin_function(pin_func, NULL); > > -+ > > -+ ret = gnutls_pkcs11_add_provider(provider, "trusted"); > > -+ if (ret != 0) { > > -+ fail("gnutls_pkcs11_add_provider: %s\n", > gnutls_strerror(ret)); > > -+ } > > -+ > > -+ /* initialize softhsm token */ > > -+ ret = gnutls_pkcs11_token_init( > > -+ SOFTHSM_URL, PIN, > > -+ "this is a very long label whose length exceeds 32"); > > -+ if (ret < 0) { > > -+ fail("gnutls_pkcs11_token_init: %s\n", > gnutls_strerror(ret)); > > -+ } > > -+ > > -+ for (i = 0;; i++) { > > -+ char *url = NULL; > > -+ > > -+ ret = gnutls_pkcs11_token_get_url(i, 0, &url); > > -+ if (ret < 0) > > -+ break; > > -+ if (strstr(url, > > -+ > "token=this%20is%20a%20very%20long%20label%20whose")) > > -+ break; > > -+ } > > -+ if (ret < 0) > > -+ fail("gnutls_pkcs11_token_get_url: %s\n", > gnutls_strerror(ret)); > > -+ > > -+ gnutls_pkcs11_deinit(); > > -+} > > -+ > > -+void doit(void) > > -+{ > > -+ const char *bin; > > -+ const char 
*lib; > > -+ char buf[128]; > > -+ > > -+ if (gnutls_fips140_mode_enabled()) > > -+ exit(77); > > -+ > > -+ /* this must be called once in the program */ > > -+ global_init(); > > -+ > > -+ /* we call gnutls_pkcs11_init manually */ > > -+ gnutls_pkcs11_deinit(); > > -+ > > -+ /* check if softhsm module is loadable */ > > -+ lib = softhsm_lib(); > > -+ > > -+ /* initialize SoftHSM token that libpkcs11mock4.so internally uses > */ > > -+ bin = softhsm_bin(); > > -+ > > -+ set_softhsm_conf(CONFIG); > > -+ snprintf(buf, sizeof(buf), > > -+ "%s --init-token --slot 0 --label test --so-pin " PIN > > -+ " --pin " PIN, > > -+ bin); > > -+ system(buf); > > -+ > > -+ test(lib); > > -+ > > -+ lib = getenv("P11MOCKLIB4"); > > -+ if (lib == NULL) { > > -+ fail("P11MOCKLIB4 is not set\n"); > > -+ } > > -+ > > -+ set_softhsm_conf(CONFIG); > > -+ snprintf(buf, sizeof(buf), > > -+ "%s --init-token --slot 0 --label test --so-pin " PIN > > -+ " --pin " PIN, > > -+ bin); > > -+ system(buf); > > -+ > > -+ test(lib); > > -+} > > -+#endif /* _WIN32 */ > > diff --git a/meta/recipes-support/gnutls/gnutls_3.8.10.bb > b/meta/recipes-support/gnutls/gnutls_3.8.11.bb > > similarity index 96% > > rename from meta/recipes-support/gnutls/gnutls_3.8.10.bb > > rename to meta/recipes-support/gnutls/gnutls_3.8.11.bb > > index b07c166c0e..faeb1a4ede 100644 > > --- a/meta/recipes-support/gnutls/gnutls_3.8.10.bb > > +++ b/meta/recipes-support/gnutls/gnutls_3.8.11.bb 
> > @@ -21,12 +21,12 @@ SHRT_VER = > "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" > > SRC_URI = " > https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \ > > file://arm_eabi.patch \ > > > file://0001-Creating-.hmac-file-should-be-excuted-in-target-envi.patch \ > > + file://0001-audit-crau-fix-compilation-with-gcc-11.patch \ > > file://run-ptest \ > > file://Add-ptest-support.patch \ > > - file://CVE-2025-9820.patch \ > > " > > > > -SRC_URI[sha256sum] = > "db7fab7cce791e7727ebbef2334301c821d79a550ec55c9ef096b610b03eb6b7" > > +SRC_URI[sha256sum] = > "91bd23c4a86ebc6152e81303d20cf6ceaeb97bc8f84266d0faec6e29f17baa20" > > > > inherit autotools texinfo pkgconfig gettext lib_package gtk-doc ptest > > > >
> --
> Yoann Congal
> Smile ECS
>
> Thanks & Regards,
> Vijay
>
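Review bot: in the `lib/crau/crau.h` hunk of the new 0001-audit-crau-fix-compilation-with-gcc-11.patch, splitting the condition into nested `# if` directives changes which compilers reach the GNU fallback, not only which ones preprocess cleanly. Before, `defined(__has_c_attribute) && __has_c_attribute (__maybe_unused__)` evaluating to false sent a GCC-family compiler on to `# elif defined(__GNUC__)` and `__attribute__((__unused__))`; after, a compiler that defines `__has_c_attribute` but reports 0 for `__maybe_unused__` stays inside the outer `# if defined(__has_c_attribute)` block and leaves CRAU_MAYBE_UNUSED undefined, because the `# elif` now pairs with that outer test. That is what the upstream commit does and the backport reproduces it faithfully (the Upstream-Status: Backport line with the commit URL is present, as it should be), but it is worth confirming that crau.h supplies an empty default for CRAU_MAYBE_UNUSED after this block, which the hunk does not show; if it does not, such a build would fail at the first use of the macro instead of at this directive.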
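Review bot: the deletion hunk for meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch removes the only place in the recipe that carried the `CVE: CVE-2025-9820` tag and the upstream fix reference (1d56f96f6ab5034d677136b9d50b5a75dff0faf5 in its Upstream-Status line); after the upgrade the fix is expressed only through PV, so the "Includes fix for CVE-2025-9820" line and the release-announcement link in the commit message are what a later audit of the branch will rely on and should stay as they are. Since the thread settles on not taking the version bump into the stable branch, the stable-branch equivalent is to keep gnutls_3.8.10.bb with this patch in SRC_URI, i.e. the CVE-only patch Vijay says he will send separately, rather than this hunk.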
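Review bot: in the gnutls_3.8.11.bb hunk, the added `file://0001-audit-crau-fix-compilation-with-gcc-11.patch` line appears tied to code that only exists from 3.8.11 onwards (the patch touches lib/crau/crau.h under the audit subsystem, and the quoted release notes list gnutls_audit_current_context as a new function), so it travels with the version bump and cannot be carried to a 3.8.10-based stable recipe on its own. The SRC_URI[sha256sum] update is the expected one for a new tarball; as the commit message only says "Backport commit to be able to build with gcc<11", a sentence noting that the new crau.h uses `__has_c_attribute` (as the patch header explains) would make it clear from `git log` alone why a fresh release already needs a fix-up patch.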
