On Thu, 4 Jun 2026 at 10:57, Yoann Congal <[email protected]> wrote:
> On Wed May 20, 2026 at 10:13 AM CEST, Hugo Simeliere via > lists.openembedded.org wrote: > > From: "Hugo SIMELIERE (Schneider Electric)" < > [email protected]> > > > > Pick patch from [1] as mentioned in Debian report in [2]. > > Pick pre-patch [3] to minimize conflicts. > > > > [1] > https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78 > > [2] https://security-tracker.debian.org/tracker/CVE-2026-33846 > > [3] > https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0 > > > > Signed-off-by: Hugo SIMELIERE (Schneider Electric) < > [email protected]> > > Reviewed-by: Bruno VERNAY <[email protected]> > > --- > > .../gnutls/gnutls/CVE-2026-33846-pre.patch | 97 +++++++++++++++++++ > > .../gnutls/gnutls/CVE-2026-33846.patch | 67 +++++++++++++ > > meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 + > > 3 files changed, 166 insertions(+) > > create mode 100644 > meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch > > create mode 100644 > meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch > > > > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch > b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch > > new file mode 100644 > > index 0000000000..71266cb338 > > --- /dev/null > > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch 
> > @@ -0,0 +1,97 @@ > > +From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001 > > +From: Alexander Sosedkin <[email protected]> > > +Date: Fri, 17 Apr 2026 17:49:31 +0200 > > +Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using > recv_buf > > As far as I can tell this patch is only cosmetic and I'd rather not > merge it unless you have a compelling reason. > > To apply CVE-2026-33846.patch, it looks like you will need to change it > to use "session->internals.handshake_recv_buffer" instead of "recv_buf". > Hello, Actually, scratch that. I've discussed it with Paul. In this case, the review will be easier with the cosmetic "-pre" patches. So, don't change that. Sorry for the noise. Regards, > > Regards, > > > + > > +I had vague concerns about thread-safety of this, > > +but then this pattern already exists within the file. > > + > > +CVE: CVE-2026-33846 > > +Upstream-Status: Backport [ > https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0 > ] > > + > > +Signed-off-by: Alexander Sosedkin <[email protected]> > > +(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0) > > +Signed-off-by: Hugo SIMELIERE (Schneider Electric) < > [email protected]> > > +--- > > + lib/buffers.c | 52 +++++++++++++++++---------------------------------- > > + 1 file changed, 17 insertions(+), 35 deletions(-) > > + > > +diff --git a/lib/buffers.c b/lib/buffers.c > > +index 672380b05..d54c77022 100644 > > +--- a/lib/buffers.c > > ++++ b/lib/buffers.c > > +@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t > session, > > + int exists = 0, i, pos = 0; > > + int ret; > > + > > ++ handshake_buffer_st *recv_buf = > > ++ session->internals.handshake_recv_buffer; > > ++ > > + for (i = 0; i < session->internals.handshake_recv_buffer_size; > i++) { > > +- if (session->internals.handshake_recv_buffer[i].htype == > > +- hsk->htype) { > > ++ if (recv_buf[i].htype == hsk->htype) { > > + exists = 1; > > + pos = 
i; > > + break; > > +@@ -1005,44 +1007,24 @@ static int > merge_handshake_packet(gnutls_session_t session, > > + _gnutls_write_uint24(0, &hsk->header[6]); > > + _gnutls_write_uint24(hsk->length, &hsk->header[9]); > > + > > +- _gnutls_handshake_buffer_move( > > +- &session->internals.handshake_recv_buffer[pos], > hsk); > > ++ _gnutls_handshake_buffer_move(&recv_buf[pos], hsk); > > + > > + } else { > > +- if (hsk->start_offset < > > +- session->internals.handshake_recv_buffer[pos] > > +- .start_offset && > > +- hsk->end_offset + 1 >= > > +- session->internals.handshake_recv_buffer[pos] > > +- .start_offset) { > > +- > memcpy(&session->internals.handshake_recv_buffer[pos] > > +- .data.data[hsk->start_offset], > > ++ if (hsk->start_offset < recv_buf[pos].start_offset && > > ++ hsk->end_offset + 1 >= recv_buf[pos].start_offset) { > > ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset], > > + hsk->data.data, hsk->data.length); > > +- session->internals.handshake_recv_buffer[pos] > > +- .start_offset = hsk->start_offset; > > +- session->internals.handshake_recv_buffer[pos] > > +- .end_offset = MIN( > > +- hsk->end_offset, > > +- > session->internals.handshake_recv_buffer[pos] > > +- .end_offset); > > +- } else if (hsk->end_offset > > > +- > session->internals.handshake_recv_buffer[pos] > > +- .end_offset && > > +- hsk->start_offset <= > > +- > session->internals.handshake_recv_buffer[pos] > > +- .end_offset + > > +- 1) { > > +- > memcpy(&session->internals.handshake_recv_buffer[pos] > > +- .data.data[hsk->start_offset], > > ++ recv_buf[pos].start_offset = hsk->start_offset; > > ++ recv_buf[pos].end_offset = > > ++ MIN(hsk->end_offset, > recv_buf[pos].end_offset); > > ++ } else if (hsk->end_offset > recv_buf[pos].end_offset && > > ++ hsk->start_offset <= recv_buf[pos].end_offset + > 1) { > > ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset], > > + hsk->data.data, hsk->data.length); > > + > > +- session->internals.handshake_recv_buffer[pos] > > +- .end_offset = 
hsk->end_offset; > > +- session->internals.handshake_recv_buffer[pos] > > +- .start_offset = MIN( > > +- hsk->start_offset, > > +- > session->internals.handshake_recv_buffer[pos] > > +- .start_offset); > > ++ recv_buf[pos].end_offset = hsk->end_offset; > > ++ recv_buf[pos].start_offset = MIN( > > ++ hsk->start_offset, > recv_buf[pos].start_offset); > > + } > > + _gnutls_handshake_buffer_clear(hsk); > > + } > > +-- > > +2.43.0 > > + > > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch > b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch > > new file mode 100644 > > index 0000000000..e7d5cc6c2b > > --- /dev/null > > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch 
> > @@ -0,0 +1,67 @@ > > +From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001 > > +From: Alexander Sosedkin <[email protected]> > > +Date: Fri, 17 Apr 2026 18:21:36 +0200 > > +Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly > > + > > +Previously, gnutls didn't check that DTLS fragments claimed > > +a consistent message_length value. > > +Additionally, a crucial array size check was missing, > > +enabling an attacker to cause a heap overwrite. > > +The updated version rejects fragments with mismatching length > > +and adds a missing boundary check. > > + > > +Reported-by: Haruto Kimura (Stella) > > +Reported-by: Oscar Reparaz > > +Reported-by: Zou Dikai > > +Fixes: #1816 > > +Fixes: #1838 > > +Fixes: #1839 > > +Fixes: CVE-2026-33846 > > +Fixes: GNUTLS-SA-2026-04-29-1 > > +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H > > +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H > > + > > +CVE: CVE-2026-33846 > > +Upstream-Status: Backport [ > https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78 > ] > > + > > +Signed-off-by: Alexander Sosedkin <[email protected]> > > +(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78) > > +Signed-off-by: Hugo SIMELIERE (Schneider Electric) < > [email protected]> > > +--- > > + lib/buffers.c | 20 ++++++++++++++++++++ > > + 1 file changed, 20 insertions(+) > > + > > +diff --git a/lib/buffers.c b/lib/buffers.c > > +index d54c77022..5d4d16276 100644 > > +--- a/lib/buffers.c > > ++++ b/lib/buffers.c > > +@@ -1010,6 +1010,26 @@ static int > merge_handshake_packet(gnutls_session_t session, > > + _gnutls_handshake_buffer_move(&recv_buf[pos], hsk); > > + > > + } else { > > ++ if (hsk->length != recv_buf[pos].length) { > > ++ /* inconsistent across fragments */ > > ++ _gnutls_handshake_buffer_clear(hsk); > > ++ return gnutls_assert_val( > > ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH); > > ++ } > > ++ /* start_offset + data.length <= hsk->length <= 
max_length > */ > > ++ if (hsk->length < hsk->start_offset + hsk->data.length) { > > ++ /* impossible claims, overflow requested */ > > ++ _gnutls_handshake_buffer_clear(hsk); > > ++ return gnutls_assert_val( > > ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH); > > ++ } > > ++ if (hsk->length > recv_buf[pos].data.max_length) { > > ++ /* we don't have this much allocated, overflow > guard */ > > ++ _gnutls_handshake_buffer_clear(hsk); > > ++ return gnutls_assert_val( > > ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH); > > ++ } > > ++ > > + if (hsk->start_offset < recv_buf[pos].start_offset && > > + hsk->end_offset + 1 >= recv_buf[pos].start_offset) { > > + memcpy(&recv_buf[pos].data.data[hsk->start_offset], > > +-- > > +2.43.0 > > + > > diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb > b/meta/recipes-support/gnutls/gnutls_3.8.4.bb > > index ccb6a2b4b2..e40a654a8e 100644 > > --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb > > +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb > > @@ -43,6 +43,8 @@ SRC_URI = " > https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar > > file://CVE-2025-14831-7.patch \ > > file://CVE-2025-14831-8.patch \ > > file://CVE-2025-14831-9.patch \ > > + file://CVE-2026-33846-pre.patch \ > > + file://CVE-2026-33846.patch \ > > " > > > > SRC_URI[sha256sum] = > "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b" > > > -- > Yoann Congal > Smile ECS > > -- Yoann Congal Smile ECS
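Review bot: In the CVE-2026-33846-pre.patch hunks of lib/buffers.c, the new `recv_buf` alias is a plain pointer copy of `session->internals.handshake_recv_buffer` taken at the top of `merge_handshake_packet`, so the thread-safety worry raised in the commit message reduces to the same per-session access the old code already performed; it would only become a hazard if that array were reallocated while the function runs, which nothing in the hunk does. Every replaced expression maps one-to-one (`session->internals.handshake_recv_buffer[pos]` becomes `recv_buf[pos]` with identical offsets, `MIN` calls and `memcpy` arguments), so the behaviour is unchanged; since the patch header carries `CVE: CVE-2026-33846` for a change that fixes nothing by itself, a one-line note in that header saying it is carried only so that CVE-2026-33846.patch applies cleanly would save the next reader from looking for a security fix in it.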
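Review bot: In the CVE-2026-33846.patch hunk, the three new guards sit only inside the `} else {` branch, i.e. they run for a fragment whose message is already in `recv_buf`; the first-fragment path just above it (`_gnutls_handshake_buffer_move(&recv_buf[pos], hsk)` when no entry exists) is not shown to validate `start_offset + data.length <= length` before `hsk->length` becomes the stored `recv_buf[pos].length`, so confirm that the initial fragment is bounds-checked elsewhere, otherwise a later fragment compared against a bad stored length would pass the new equality check. The three branches also repeat the same clear-and-return; one combined condition keeps a single rejection path, e.g. `if (hsk->length != recv_buf[pos].length ||` / `    hsk->length < hsk->start_offset + hsk->data.length ||` / `    hsk->length > recv_buf[pos].data.max_length)`, with the three explanatory comments kept above it. Finally, the `Upstream-Status: Backport [ ... ]` line has whitespace inside the brackets around the URL; check that it is not wrapped that way in the file itself, since the oe-core patch checkers parse that line.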
