On Thu Jun 4, 2026 at 10:57 AM CEST, Yoann Congal wrote:
> On Wed May 20, 2026 at 10:13 AM CEST, Hugo Simeliere via 
> lists.openembedded.org wrote:
>> From: "Hugo SIMELIERE (Schneider Electric)" 
>> <[email protected]>
>>
>> Pick patch from [1] as mentioned in Debian report in [2].
>> Pick pre-patch [3] to minimize conflicts.
>>
>> [1] 
>> https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78

Hello (again),

This patch is in the 3.8.13 tag but not in the 3.8.12 tag used on
wrynose. There was a 3.8.13 wrynose upgrade sent but I can't accept it.
So, this patch (as well as at least 2/7, I have not checked the others) must
be sent to wrynose before I can accept them on scarthgap. Can you do
that and ping back here when it's done?

Thanks!

>> [2] https://security-tracker.debian.org/tracker/CVE-2026-33846
>> [3] 
>> https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0
>>
>> Signed-off-by: Hugo SIMELIERE (Schneider Electric) 
>> <[email protected]>
>> Reviewed-by: Bruno VERNAY <[email protected]>
>> ---
>>  .../gnutls/gnutls/CVE-2026-33846-pre.patch    | 97 +++++++++++++++++++
>>  .../gnutls/gnutls/CVE-2026-33846.patch        | 67 +++++++++++++
>>  meta/recipes-support/gnutls/gnutls_3.8.4.bb   |  2 +
>>  3 files changed, 166 insertions(+)
>>  create mode 100644 
>> meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>>
>> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch 
>> b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>> new file mode 100644
>> index 0000000000..71266cb338
>> --- /dev/null
>> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch
>> @@ -0,0 +1,97 @@
>> +From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001
>> +From: Alexander Sosedkin <[email protected]>
>> +Date: Fri, 17 Apr 2026 17:49:31 +0200
>> +Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using recv_buf
>
> As far as I can tell this patch is only cosmetic and I'd rather not
> merge it unless you have a compelling reason.
>
> To apply CVE-2026-33846.patch, it looks like you will need to change it
> to use "session->internals.handshake_recv_buffer" instead of "recv_buf".
>
> Regards,
>
>> +
>> +I had vague concerns about thread-safety of this,
>> +but then this pattern already exists within the file.
>> +
>> +CVE: CVE-2026-33846
>> +Upstream-Status: Backport 
>> [https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0]
>> +
>> +Signed-off-by: Alexander Sosedkin <[email protected]>
>> +(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0)
>> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) 
>> <[email protected]>
>> +---
>> + lib/buffers.c | 52 +++++++++++++++++----------------------------------
>> + 1 file changed, 17 insertions(+), 35 deletions(-)
>> +
>> +diff --git a/lib/buffers.c b/lib/buffers.c
>> +index 672380b05..d54c77022 100644
>> +--- a/lib/buffers.c
>> ++++ b/lib/buffers.c
>> +@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t 
>> session,
>> +    int exists = 0, i, pos = 0;
>> +    int ret;
>> + 
>> ++   handshake_buffer_st *recv_buf =
>> ++           session->internals.handshake_recv_buffer;
>> ++
>> +    for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
>> +-           if (session->internals.handshake_recv_buffer[i].htype ==
>> +-               hsk->htype) {
>> ++           if (recv_buf[i].htype == hsk->htype) {
>> +                    exists = 1;
>> +                    pos = i;
>> +                    break;
>> +@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t 
>> session,
>> +            _gnutls_write_uint24(0, &hsk->header[6]);
>> +            _gnutls_write_uint24(hsk->length, &hsk->header[9]);
>> + 
>> +-           _gnutls_handshake_buffer_move(
>> +-                   &session->internals.handshake_recv_buffer[pos], hsk);
>> ++           _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
>> + 
>> +    } else {
>> +-           if (hsk->start_offset <
>> +-                       session->internals.handshake_recv_buffer[pos]
>> +-                               .start_offset &&
>> +-               hsk->end_offset + 1 >=
>> +-                       session->internals.handshake_recv_buffer[pos]
>> +-                               .start_offset) {
>> +-                   memcpy(&session->internals.handshake_recv_buffer[pos]
>> +-                                   .data.data[hsk->start_offset],
>> ++           if (hsk->start_offset < recv_buf[pos].start_offset &&
>> ++               hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
>> ++                   memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> +                           hsk->data.data, hsk->data.length);
>> +-                   session->internals.handshake_recv_buffer[pos]
>> +-                           .start_offset = hsk->start_offset;
>> +-                   session->internals.handshake_recv_buffer[pos]
>> +-                           .end_offset = MIN(
>> +-                           hsk->end_offset,
>> +-                           session->internals.handshake_recv_buffer[pos]
>> +-                                   .end_offset);
>> +-           } else if (hsk->end_offset >
>> +-                              session->internals.handshake_recv_buffer[pos]
>> +-                                      .end_offset &&
>> +-                      hsk->start_offset <=
>> +-                              session->internals.handshake_recv_buffer[pos]
>> +-                                              .end_offset +
>> +-                                      1) {
>> +-                   memcpy(&session->internals.handshake_recv_buffer[pos]
>> +-                                   .data.data[hsk->start_offset],
>> ++                   recv_buf[pos].start_offset = hsk->start_offset;
>> ++                   recv_buf[pos].end_offset =
>> ++                           MIN(hsk->end_offset, recv_buf[pos].end_offset);
>> ++           } else if (hsk->end_offset > recv_buf[pos].end_offset &&
>> ++                      hsk->start_offset <= recv_buf[pos].end_offset + 1) {
>> ++                   memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> +                           hsk->data.data, hsk->data.length);
>> + 
>> +-                   session->internals.handshake_recv_buffer[pos]
>> +-                           .end_offset = hsk->end_offset;
>> +-                   session->internals.handshake_recv_buffer[pos]
>> +-                           .start_offset = MIN(
>> +-                           hsk->start_offset,
>> +-                           session->internals.handshake_recv_buffer[pos]
>> +-                                   .start_offset);
>> ++                   recv_buf[pos].end_offset = hsk->end_offset;
>> ++                   recv_buf[pos].start_offset = MIN(
>> ++                           hsk->start_offset, recv_buf[pos].start_offset);
>> +            }
>> +            _gnutls_handshake_buffer_clear(hsk);
>> +    }
>> +-- 
>> +2.43.0
>> +
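
Review bot: the header of this pre-patch carries "CVE: CVE-2026-33846", yet both lib/buffers.c hunks only substitute the local alias recv_buf for session->internals.handshake_recv_buffer, with the same comparisons, memcpy calls and MIN() updates on the removed and added sides. State in the patch header that this is a prerequisite refactor for CVE-2026-33846.patch with no functional change, so the CVE tag is not read as a second fix when the recipe is audited later.
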
>> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch 
>> b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>> new file mode 100644
>> index 0000000000..e7d5cc6c2b
>> --- /dev/null
>> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch
>> @@ -0,0 +1,67 @@
>> +From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001
>> +From: Alexander Sosedkin <[email protected]>
>> +Date: Fri, 17 Apr 2026 18:21:36 +0200
>> +Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly
>> +
>> +Previously, gnutls didn't check that DTLS fragments claimed
>> +a consistent message_length value.
>> +Additionally, a crucial array size check was missing,
>> +enabling an attacker to cause a heap overwrite.
>> +The updated version rejects fragments with mismatching length
>> +and adds a missing boundary check.
>> +
>> +Reported-by: Haruto Kimura (Stella)
>> +Reported-by: Oscar Reparaz
>> +Reported-by: Zou Dikai
>> +Fixes: #1816
>> +Fixes: #1838
>> +Fixes: #1839
>> +Fixes: CVE-2026-33846
>> +Fixes: GNUTLS-SA-2026-04-29-1
>> +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
>> +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
>> +
>> +CVE: CVE-2026-33846
>> +Upstream-Status: Backport 
>> [https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78]
>> +
>> +Signed-off-by: Alexander Sosedkin <[email protected]>
>> +(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78)
>> +Signed-off-by: Hugo SIMELIERE (Schneider Electric) 
>> <[email protected]>
>> +---
>> + lib/buffers.c | 20 ++++++++++++++++++++
>> + 1 file changed, 20 insertions(+)
>> +
>> +diff --git a/lib/buffers.c b/lib/buffers.c
>> +index d54c77022..5d4d16276 100644
>> +--- a/lib/buffers.c
>> ++++ b/lib/buffers.c
>> +@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t 
>> session,
>> +            _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
>> + 
>> +    } else {
>> ++           if (hsk->length != recv_buf[pos].length) {
>> ++                   /* inconsistent across fragments */
>> ++                   _gnutls_handshake_buffer_clear(hsk);
>> ++                   return gnutls_assert_val(
>> ++                           GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++           }
>> ++           /* start_offset + data.length <= hsk->length <= max_length */
>> ++           if (hsk->length < hsk->start_offset + hsk->data.length) {
>> ++                   /* impossible claims, overflow requested */
>> ++                   _gnutls_handshake_buffer_clear(hsk);
>> ++                   return gnutls_assert_val(
>> ++                           GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++           }
>> ++           if (hsk->length > recv_buf[pos].data.max_length) {
>> ++                   /* we don't have this much allocated, overflow guard */
>> ++                   _gnutls_handshake_buffer_clear(hsk);
>> ++                   return gnutls_assert_val(
>> ++                           GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
>> ++           }
>> ++
>> +            if (hsk->start_offset < recv_buf[pos].start_offset &&
>> +                hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
>> +                    memcpy(&recv_buf[pos].data.data[hsk->start_offset],
>> +-- 
>> +2.43.0
>> +
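
Review bot: in the second added check, "hsk->length < hsk->start_offset + hsk->data.length", the sum is evaluated before the comparison and the field types are not visible in this hunk; confirm against the 3.8.4 tree that the addition cannot wrap, because the memcpy into recv_buf[pos].data.data[hsk->start_offset] below depends on that bound. The context lines and all three added conditions also reference recv_buf, which exists only once CVE-2026-33846-pre.patch is applied, so this patch does not apply to 3.8.4 on its own as written.
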
>> diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb 
>> b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> index ccb6a2b4b2..e40a654a8e 100644
>> --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
>> @@ -43,6 +43,8 @@ SRC_URI = 
>> "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
>>             file://CVE-2025-14831-7.patch \
>>             file://CVE-2025-14831-8.patch \
>>             file://CVE-2025-14831-9.patch \
>> +           file://CVE-2026-33846-pre.patch \
>> +           file://CVE-2026-33846.patch \
>>             "
>>  
>>  SRC_URI[sha256sum] = 
>> "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
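
Review bot: the two added SRC_URI entries are order-dependent, since CVE-2026-33846.patch uses the recv_buf alias introduced by CVE-2026-33846-pre.patch. Say so in the commit message so that neither entry is later dropped or reordered by itself.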


-- 
Yoann Congal
Smile ECS
