On Tue Feb 24, 2026 at 5:25 AM CET, Vijay Anusuri wrote: > Hi Yoann, > > I will send it for Whinlatter soon.
Received, thanks! > I couldn't see this patch in scarthgap-nut. Any update on this? I had to wait for you to send the whinlatter patch first. That's why it did not appear. I'll review them during the next cycle for scarthgap and whinlatter. > Thanks & Regards, > Vijay > > > > On Tue, Feb 17, 2026 at 2:34 PM Yoann Congal <[email protected]> wrote: > >> On Tue Feb 17, 2026 at 9:14 AM CET, Vijay Anusuri via >> lists.openembedded.org wrote: >> > Picked commits which mentions this CVE per [1]. >> > >> > [1] https://ubuntu.com/security/CVE-2025-14831 >> > [2] https://security-tracker.debian.org/tracker/CVE-2025-14831 >> > [3] https://gitlab.com/gnutls/gnutls/-/issues/1773 >> > >> > Signed-off-by: Vijay Anusuri <[email protected]> >> > --- >> > .../gnutls/gnutls/CVE-2025-14831-1.patch | 61 +++ >> > .../gnutls/gnutls/CVE-2025-14831-2.patch | 30 ++ >> > .../gnutls/gnutls/CVE-2025-14831-3.patch | 45 ++ >> > .../gnutls/gnutls/CVE-2025-14831-4.patch | 200 +++++++ >> > .../gnutls/gnutls/CVE-2025-14831-5.patch | 500 ++++++++++++++++++ >> > .../gnutls/gnutls/CVE-2025-14831-6.patch | 119 +++++ >> > .../gnutls/gnutls/CVE-2025-14831-7.patch | 150 ++++++ >> > .../gnutls/gnutls/CVE-2025-14831-8.patch | 105 ++++ >> > .../gnutls/gnutls/CVE-2025-14831-9.patch | 437 +++++++++++++++ >> > meta/recipes-support/gnutls/gnutls_3.8.4.bb | 9 + >> > 10 files changed, 1656 insertions(+) >> > create mode 100644 >> meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch >> > create mode 100644 >> meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch >> > create mode 100644 >> meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch >> > create mode 100644 >> meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch >> > create mode 100644 >> meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch >> > create mode 100644 >> meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch >> > create mode 100644 >> meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch >> > create mode 100644 >> meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch >> > create mode 100644 >> meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch >> >> Hello, >> >> It looks like these patches are also needed for whinlatter. >> Can you send this fix for whinlatter? >> >> Thanks! >> >> > >> > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch >> b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch >> > new file mode 100644 >> > index 0000000000..ae52a43a2c >> > --- /dev/null >> > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch >> > @@ -0,0 +1,61 @@ >> > +From 0b2377dfccd99be641bf3f1a0de9f0dc8dc0d4b1 Mon Sep 17 00:00:00 2001 >> > +From: Alexander Sosedkin <[email protected]> >> > +Date: Mon, 26 Jan 2026 19:02:27 +0100 >> > +Subject: [PATCH] x509/name_constraints: use actual zeroes in universal >> exclude >> > + IP NC >> > + >> > +Signed-off-by: Alexander Sosedkin <[email protected]> >> > + >> > +Upstream-Status: Backport [ >> https://gitlab.com/gnutls/gnutls/-/commit/0b2377dfccd99be641bf3f1a0de9f0dc8dc0d4b1 >> ] >> > +CVE: CVE-2025-14831 >> > +Signed-off-by: Vijay Anusuri <[email protected]> >> > +--- >> > + lib/x509/name_constraints.c | 9 +++++---- >> > + 1 file changed, 5 insertions(+), 4 deletions(-) >> > + >> > +--- a/lib/x509/name_constraints.c >> > ++++ b/lib/x509/name_constraints.c >> > +@@ -61,7 +61,7 @@ struct gnutls_name_constraints_st { >> > + >> > + static struct name_constraints_node_st * >> > + name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned >> type, >> > +- unsigned char *data, unsigned int size); >> > ++ const unsigned char *data, unsigned int size); >> > + >> > + static int >> > + name_constraints_node_list_add(struct name_constraints_node_list_st >> *list, >> > +@@ -285,7 +285,7 @@ static void name_constraints_node_free(s >> > + -*/ >> > + static struct name_constraints_node_st * >> > + name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned >> type, >> > +- unsigned char *data, unsigned int size) >> > ++ const unsigned char *data, unsigned int size) >> > + { >> > + struct name_constraints_node_st *tmp; >> > + int ret; >> > +@@ -339,6 +339,7 @@ static int name_constraints_node_list_in >> > + struct name_constraints_node_list_st removed = { .data = NULL, >> > + .size = 0, >> > + .capacity = 0 }; >> > ++ static const unsigned char universal_ip[32] = { 0 }; >> > + >> > + /* temporary array to see, if we need to add universal excluded >> constraints >> > + * (see phase 3 for details) >> > +@@ -471,7 +472,7 @@ static int name_constraints_node_list_in >> > + case GNUTLS_SAN_IPADDRESS: >> > + // add universal restricted range for IPv4 >> > + tmp = name_constraints_node_new( >> > +- nc, GNUTLS_SAN_IPADDRESS, NULL, 8); >> > ++ nc, GNUTLS_SAN_IPADDRESS, universal_ip, 8); >> > + if (tmp == NULL) { >> > + gnutls_assert(); >> > + ret = GNUTLS_E_MEMORY_ERROR; >> > +@@ -484,7 +485,7 @@ static int name_constraints_node_list_in >> > + } >> > + // add universal restricted range for IPv6 >> > + tmp = name_constraints_node_new( >> > +- nc, GNUTLS_SAN_IPADDRESS, NULL, 32); >> > ++ nc, GNUTLS_SAN_IPADDRESS, universal_ip, >> 32); >> > + if (tmp == NULL) { >> > + gnutls_assert(); >> > + ret = GNUTLS_E_MEMORY_ERROR; >> > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch >> b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch >> > new file mode 100644 >> > index 0000000000..0d34032554 >> > --- /dev/null >> > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch >> > @@ -0,0 +1,30 @@ >> > +From 85d6348a30c74d4ee3710e0f4652f634eaad6914 Mon Sep 17 00:00:00 2001 >> > +From: Alexander Sosedkin <[email protected]> >> > +Date: Mon, 26 Jan 2026 19:10:58 +0100 >> > +Subject: [PATCH] tests/name-constraints-ip: stop swallowing errors... >> > + >> > +... now when it started to pass >> > + >> > +Signed-off-by: Alexander Sosedkin <[email protected]> >> > + >> > +Upstream-Status: Backport [ >> https://gitlab.com/gnutls/gnutls/-/commit/85d6348a30c74d4ee3710e0f4652f634eaad6914 >> ] >> > +CVE: CVE-2025-14831 >> > +Signed-off-by: Vijay Anusuri <[email protected]> >> > +--- >> > + tests/name-constraints-ip.c | 2 +- >> > + 1 file changed, 1 insertion(+), 1 deletion(-) >> > + >> > +diff --git a/tests/name-constraints-ip.c b/tests/name-constraints-ip.c >> > +index 7a196088dc..a0cf172b7f 100644 >> > +--- a/tests/name-constraints-ip.c >> > ++++ b/tests/name-constraints-ip.c >> > +@@ -772,5 +772,5 @@ int main(int argc, char **argv) >> > + cmocka_unit_test_setup_teardown( >> > + check_ipv4v6_single_constraint_each, setup, >> teardown) >> > + }; >> > +- cmocka_run_group_tests(tests, NULL, NULL); >> > ++ return cmocka_run_group_tests(tests, NULL, NULL); >> > + } >> > +-- >> > +GitLab >> > + >> > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch >> b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch >> > new file mode 100644 >> > index 0000000000..ed4a7da3c7 >> > --- /dev/null >> > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch >> > @@ -0,0 +1,45 @@ >> > +From c28475413f82e1f34295d5c039f0c0a4ca2ee526 Mon Sep 17 00:00:00 2001 >> > +From: Alexander Sosedkin <[email protected]> >> > +Date: Mon, 26 Jan 2026 20:14:33 +0100 >> > +Subject: [PATCH] x509/name_constraints: reject some malformed domain >> names >> > + >> > +Signed-off-by: Alexander Sosedkin <[email protected]> >> > + >> > +Upstream-Status: Backport [ >> https://gitlab.com/gnutls/gnutls/-/commit/c28475413f82e1f34295d5c039f0c0a4ca2ee526 >> ] >> > +CVE: CVE-2025-14831 >> > +Signed-off-by: Vijay Anusuri <[email protected]> >> > +--- >> > + lib/x509/name_constraints.c | 17 +++++++++++++++++ >> > + 1 file changed, 17 insertions(+) >> > + >> > +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c >> > +index d07482e3c9..9783d92851 100644 >> > +--- a/lib/x509/name_constraints.c >> > ++++ b/lib/x509/name_constraints.c >> > +@@ -159,6 +159,23 @@ static int >> validate_name_constraints_node(gnutls_x509_subject_alt_name_t type, >> > + return gnutls_assert_val(GNUTLS_E_MALFORMED_CIDR); >> > + } >> > + >> > ++ /* Validate DNS names and email addresses for malformed input */ >> > ++ if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME) { >> > ++ unsigned int i; >> > ++ if (name->size == 0) >> > ++ return GNUTLS_E_SUCCESS; >> > ++ >> > ++ /* reject names with consecutive dots... */ >> > ++ for (i = 0; i + 1 < name->size; i++) { >> > ++ if (name->data[i] == '.' && name->data[i + 1] == >> '.') >> > ++ return gnutls_assert_val( >> > ++ GNUTLS_E_ILLEGAL_PARAMETER); >> > ++ } >> > ++ /* ... or names consisting exclusively of dots */ >> > ++ if (name->size == 1 && name->data[0] == '.') >> > ++ return >> gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); >> > ++ } >> > ++ >> > + return GNUTLS_E_SUCCESS; >> > + } >> > + >> > +-- >> > +GitLab >> > + >> > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch >> b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch >> > new file mode 100644 >> > index 0000000000..99ec9c5e9a >> > --- /dev/null >> > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch >> > @@ -0,0 +1,200 @@ >> > +From 6db7da7fcfe230f445b1edbb56e2a8346120c891 Mon Sep 17 00:00:00 2001 >> > +From: Alexander Sosedkin <[email protected]> >> > +Date: Thu, 5 Feb 2026 13:22:10 +0100 >> > +Subject: [PATCH] x509/name_constraints: >> name_constraints_node_add_{new,copy} >> > + >> > +Signed-off-by: Alexander Sosedkin <[email protected]> >> > + >> > +Upstream-Status: Backport [ >> https://gitlab.com/gnutls/gnutls/-/commit/6db7da7fcfe230f445b1edbb56e2a8346120c891 >> ] >> > +CVE: CVE-2025-14831 >> > +Signed-off-by: Vijay Anusuri <[email protected]> >> > +--- >> > + lib/x509/name_constraints.c | 112 ++++++++++++++++-------------------- >> > + 1 file changed, 51 insertions(+), 61 deletions(-) >> > + >> > +--- a/lib/x509/name_constraints.c >> > ++++ b/lib/x509/name_constraints.c >> > +@@ -86,6 +86,38 @@ name_constraints_node_list_add(struct na >> > + return 0; >> > + } >> > + >> > ++static int >> > ++name_constraints_node_add_new(gnutls_x509_name_constraints_t nc, >> > ++ struct name_constraints_node_list_st *list, >> > ++ unsigned type, const unsigned char *data, >> > ++ unsigned int size) >> > ++{ >> > ++ struct name_constraints_node_st *node; >> > ++ int ret; >> > ++ node = name_constraints_node_new(nc, type, data, size); >> > ++ if (node == NULL) { >> > ++ gnutls_assert(); >> > ++ return GNUTLS_E_MEMORY_ERROR; >> > ++ } >> > ++ ret = name_constraints_node_list_add(list, node); >> > ++ if (ret < 0) { >> > ++ gnutls_assert(); >> > ++ return ret; >> > ++ } >> > ++ return GNUTLS_E_SUCCESS; >> > ++} >> > ++ >> > ++static int >> > ++name_constraints_node_add_copy(gnutls_x509_name_constraints_t nc, >> > ++ struct name_constraints_node_list_st *dest, >> > ++ const struct name_constraints_node_st *src) >> > ++{ >> > ++ if (!src) >> > ++ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); >> > ++ return name_constraints_node_add_new(nc, dest, src->type, >> > ++ src->name.data, >> src->name.size); >> > ++} >> > ++ >> > + // for documentation see the implementation >> > + static int name_constraints_intersect_nodes( >> > + gnutls_x509_name_constraints_t nc, >> > +@@ -188,7 +220,6 @@ static int extract_name_constraints(gnut >> > + unsigned indx; >> > + gnutls_datum_t tmp = { NULL, 0 }; >> > + unsigned int type; >> > +- struct name_constraints_node_st *node; >> > + >> > + for (indx = 1;; indx++) { >> > + snprintf(tmpstr, sizeof(tmpstr), "%s.?%u.base", vstr, >> indx); >> > +@@ -231,15 +262,9 @@ static int extract_name_constraints(gnut >> > + goto cleanup; >> > + } >> > + >> > +- node = name_constraints_node_new(nc, type, tmp.data, >> tmp.size); >> > ++ ret = name_constraints_node_add_new(nc, nodes, type, >> tmp.data, >> > ++ tmp.size); >> > + _gnutls_free_datum(&tmp); >> > +- if (node == NULL) { >> > +- gnutls_assert(); >> > +- ret = GNUTLS_E_MEMORY_ERROR; >> > +- goto cleanup; >> > +- } >> > +- >> > +- ret = name_constraints_node_list_add(nodes, node); >> > + if (ret < 0) { >> > + gnutls_assert(); >> > + goto cleanup; >> > +@@ -459,14 +484,7 @@ static int name_constraints_node_list_in >> > + // Beware: also copies nodes other than DNS, email, IP, >> > + // since their counterpart may have been moved in >> phase 1. >> > + if (!used) { >> > +- tmp = name_constraints_node_new( >> > +- nc, t2->type, t2->name.data, >> t2->name.size); >> > +- if (tmp == NULL) { >> > +- gnutls_assert(); >> > +- ret = GNUTLS_E_MEMORY_ERROR; >> > +- goto cleanup; >> > +- } >> > +- ret = name_constraints_node_list_add(permitted, >> tmp); >> > ++ ret = name_constraints_node_add_copy(nc, >> permitted, t2); >> > + if (ret < 0) { >> > + gnutls_assert(); >> > + goto cleanup; >> > +@@ -488,27 +506,17 @@ static int name_constraints_node_list_in >> > + switch (type) { >> > + case GNUTLS_SAN_IPADDRESS: >> > + // add universal restricted range for IPv4 >> > +- tmp = name_constraints_node_new( >> > +- nc, GNUTLS_SAN_IPADDRESS, universal_ip, 8); >> > +- if (tmp == NULL) { >> > +- gnutls_assert(); >> > +- ret = GNUTLS_E_MEMORY_ERROR; >> > +- goto cleanup; >> > +- } >> > +- ret = name_constraints_node_list_add(excluded, >> tmp); >> > ++ ret = name_constraints_node_add_new( >> > ++ nc, excluded, GNUTLS_SAN_IPADDRESS, >> > ++ universal_ip, 8); >> > + if (ret < 0) { >> > + gnutls_assert(); >> > + goto cleanup; >> > + } >> > + // add universal restricted range for IPv6 >> > +- tmp = name_constraints_node_new( >> > +- nc, GNUTLS_SAN_IPADDRESS, universal_ip, >> 32); >> > +- if (tmp == NULL) { >> > +- gnutls_assert(); >> > +- ret = GNUTLS_E_MEMORY_ERROR; >> > +- goto cleanup; >> > +- } >> > +- ret = name_constraints_node_list_add(excluded, >> tmp); >> > ++ ret = name_constraints_node_add_new( >> > ++ nc, excluded, GNUTLS_SAN_IPADDRESS, >> > ++ universal_ip, 32); >> > + if (ret < 0) { >> > + gnutls_assert(); >> > + goto cleanup; >> > +@@ -516,13 +524,8 @@ static int name_constraints_node_list_in >> > + break; >> > + case GNUTLS_SAN_DNSNAME: >> > + case GNUTLS_SAN_RFC822NAME: >> > +- tmp = name_constraints_node_new(nc, type, NULL, 0); >> > +- if (tmp == NULL) { >> > +- gnutls_assert(); >> > +- ret = GNUTLS_E_MEMORY_ERROR; >> > +- goto cleanup; >> > +- } >> > +- ret = name_constraints_node_list_add(excluded, >> tmp); >> > ++ ret = name_constraints_node_add_new(nc, excluded, >> type, >> > ++ NULL, 0); >> > + if (ret < 0) { >> > + gnutls_assert(); >> > + goto cleanup; >> > +@@ -544,20 +547,13 @@ static int name_constraints_node_list_co >> > + struct name_constraints_node_list_st *nodes, >> > + const struct name_constraints_node_list_st *nodes2) >> > + { >> > ++ int ret; >> > ++ >> > + for (size_t i = 0; i < nodes2->size; i++) { >> > +- const struct name_constraints_node_st *node = >> nodes2->data[i]; >> > +- struct name_constraints_node_st *tmp; >> > +- int ret; >> > +- >> > +- tmp = name_constraints_node_new(nc, node->type, >> node->name.data, >> > +- node->name.size); >> > +- if (tmp == NULL) { >> > +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); >> > +- } >> > +- ret = name_constraints_node_list_add(nodes, tmp); >> > ++ ret = name_constraints_node_add_copy(nc, nodes, >> > ++ nodes2->data[i]); >> > + if (ret < 0) { >> > +- name_constraints_node_free(tmp); >> > +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); >> > ++ return gnutls_assert_val(ret); >> > + } >> > + } >> > + >> > +@@ -687,7 +683,6 @@ static int name_constraints_add(gnutls_x >> > + gnutls_x509_subject_alt_name_t type, >> > + const gnutls_datum_t *name, unsigned >> permitted) >> > + { >> > +- struct name_constraints_node_st *tmp; >> > + struct name_constraints_node_list_st *nodes; >> > + int ret; >> > + >> > +@@ -697,15 +692,10 @@ static int name_constraints_add(gnutls_x >> > + >> > + nodes = permitted ? &nc->permitted : &nc->excluded; >> > + >> > +- tmp = name_constraints_node_new(nc, type, name->data, name->size); >> > +- if (tmp == NULL) >> > +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); >> > +- >> > +- ret = name_constraints_node_list_add(nodes, tmp); >> > +- if (ret < 0) { >> > +- name_constraints_node_free(tmp); >> > ++ ret = name_constraints_node_add_new(nc, nodes, type, name->data, >> > ++ name->size); >> > ++ if (ret < 0) >> > + return gnutls_assert_val(ret); >> > +- } >> > + >> > + return 0; >> > + } >> > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch >> b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch >> > new file mode 100644 >> > index 0000000000..7c5ffdf6d8 >> > --- /dev/null >> > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch >> > @@ -0,0 +1,500 @@ >> > +From 094accd3ebec17ead6c391757eaa18763b72d83f Mon Sep 17 00:00:00 2001 >> > +From: Alexander Sosedkin <[email protected]> >> > +Date: Mon, 26 Jan 2026 20:16:36 +0100 >> > +Subject: [PATCH] x509/name_constraints: introduce a rich comparator >> > + >> > +These are preparatory changes before implementing N * log N intersection >> > +over sorted lists of constraints. >> > + >> > +Signed-off-by: Alexander Sosedkin <[email protected]> >> > + >> > +Upstream-Status: Backport [ >> https://gitlab.com/gnutls/gnutls/-/commit/094accd3ebec17ead6c391757eaa18763b72d83f >> ] >> > +CVE: CVE-2025-14831 >> > +Signed-off-by: Vijay Anusuri <[email protected]> >> > +--- >> > + lib/x509/name_constraints.c | 411 ++++++++++++++++++++++++++++-------- >> > + 1 file changed, 320 insertions(+), 91 deletions(-) >> > + >> > +--- a/lib/x509/name_constraints.c >> > ++++ b/lib/x509/name_constraints.c >> > +@@ -39,6 +39,9 @@ >> > + #include "ip.h" >> > + #include "ip-in-cidr.h" >> > + #include "intprops.h" >> > ++#include "minmax.h" >> > ++ >> > ++#include <string.h> >> > + >> > + #define MAX_NC_CHECKS (1 << 20) >> > + >> > +@@ -63,6 +66,282 @@ static struct name_constraints_node_st * >> > + name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned >> type, >> > + const unsigned char *data, unsigned int size); >> > + >> > ++/* An enum for "rich" comparisons that not only let us sort name >> constraints, >> > ++ * children-before-parent, but also subsume them during intersection. >> */ >> > ++enum name_constraint_relation { >> > ++ NC_SORTS_BEFORE = -2, /* unrelated constraints */ >> > ++ NC_INCLUDED_BY = -1, /* nc1 is included by nc2 / children sort >> first */ >> > ++ NC_EQUAL = 0, /* exact match */ >> > ++ NC_INCLUDES = 1, /* nc1 includes nc2 / parents sort last */ >> > ++ NC_SORTS_AFTER = 2 /* unrelated constraints */ >> > ++}; >> > ++ >> > ++/* A helper to compare just a pair of strings with this rich >> comparison */ >> > ++static enum name_constraint_relation >> > ++compare_strings(const void *n1, size_t n1_len, const void *n2, size_t >> n2_len) >> > ++{ >> > ++ int r = memcmp(n1, n2, MIN(n1_len, n2_len)); >> > ++ if (r < 0) >> > ++ return NC_SORTS_BEFORE; >> > ++ if (r > 0) >> > ++ return NC_SORTS_AFTER; >> > ++ if (n1_len < n2_len) >> > ++ return NC_SORTS_BEFORE; >> > ++ if (n1_len > n2_len) >> > ++ return NC_SORTS_AFTER; >> > ++ return NC_EQUAL; >> > ++} >> > ++ >> > ++/* Rich-compare DNS names. Example order/relationships: >> > ++ * z.x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x.b BEFORE >> y.b */ >> > ++static enum name_constraint_relation compare_dns_names(const >> gnutls_datum_t *n1, >> > ++ const >> gnutls_datum_t *n2) >> > ++{ >> > ++ enum name_constraint_relation rel; >> > ++ unsigned int i, j, i_end, j_end; >> > ++ >> > ++ /* start from the end of each name */ >> > ++ i = i_end = n1->size; >> > ++ j = j_end = n2->size; >> > ++ >> > ++ /* skip the trailing dots for the comparison */ >> > ++ while (i && n1->data[i - 1] == '.') >> > ++ i_end = i = i - 1; >> > ++ while (j && n2->data[j - 1] == '.') >> > ++ j_end = j = j - 1; >> > ++ >> > ++ while (1) { >> > ++ // rewind back to beginning or an after-dot position >> > ++ while (i && n1->data[i - 1] != '.') >> > ++ i--; >> > ++ while (j && n2->data[j - 1] != '.') >> > ++ j--; >> > ++ >> > ++ rel = compare_strings(&n1->data[i], i_end - i, >> &n2->data[j], >> > ++ j_end - j); >> > ++ if (rel == NC_SORTS_BEFORE) /* x.a BEFORE y.a */ >> > ++ return NC_SORTS_BEFORE; >> > ++ if (rel == NC_SORTS_AFTER) /* y.a AFTER x.a */ >> > ++ return NC_SORTS_AFTER; >> > ++ if (!i && j) /* x.a INCLUDES z.x.a */ >> > ++ return NC_INCLUDES; >> > ++ if (i && !j) /* z.x.a INCLUDED_BY x.a */ >> > ++ return NC_INCLUDED_BY; >> > ++ >> > ++ if (!i && !j) /* r == 0, we ran out of components to >> compare */ >> > ++ return NC_EQUAL; >> > ++ /* r == 0, i && j: step back past a dot and keep comparing >> */ >> > ++ i_end = i = i - 1; >> > ++ j_end = j = j - 1; >> > ++ >> > ++ /* support for non-standard ".gr INCLUDES example.gr" [1] >> */ >> > ++ if (!i && j) /* .a INCLUDES x.a */ >> > ++ return NC_INCLUDES; >> > ++ if (i && !j) /* x.a INCLUDED_BY .a */ >> > ++ return NC_INCLUDED_BY; >> > ++ } >> > ++} >> > ++/* [1] >> https://mailarchive.ietf.org/arch/msg/saag/Bw6PtreW0G7aEG7SikfzKHES4VA */ >> > ++ >> > ++/* Rich-compare email name constraints. Example order/relationships: >> > ++ * [email protected] INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x@b BEFORE >> y@b */ >> > ++static enum name_constraint_relation compare_emails(const >> gnutls_datum_t *n1, >> > ++ const gnutls_datum_t >> *n2) >> > ++{ >> > ++ enum name_constraint_relation domains_rel; >> > ++ unsigned int i, j, i_end, j_end; >> > ++ gnutls_datum_t d1, d2; /* borrow from n1 and n2 */ >> > ++ >> > ++ /* start from the end of each name */ >> > ++ i = i_end = n1->size; >> > ++ j = j_end = n2->size; >> > ++ >> > ++ /* rewind to @s to look for domains */ >> > ++ while (i && n1->data[i - 1] != '@') >> > ++ i--; >> > ++ d1.size = i_end - i; >> > ++ d1.data = &n1->data[i]; >> > ++ while (j && n2->data[j - 1] != '@') >> > ++ j--; >> > ++ d2.size = j_end - j; >> > ++ d2.data = &n2->data[j]; >> > ++ >> > ++ domains_rel = compare_dns_names(&d1, &d2); >> > ++ >> > ++ /* email constraint semantics differ from DNS >> > ++ * DNS: x.a INCLUDED_BY a >> > ++ * Email: x.a INCLUDED_BY .a BEFORE a */ >> > ++ if (domains_rel == NC_INCLUDED_BY || domains_rel == NC_INCLUDES) { >> > ++ bool d1_has_dot = (d1.size > 0 && d1.data[0] == '.'); >> > ++ bool d2_has_dot = (d2.size > 0 && d2.data[0] == '.'); >> > ++ /* a constraint without a dot is exact, excluding >> subdomains */ >> > ++ if (!d2_has_dot && domains_rel == NC_INCLUDED_BY) >> > ++ domains_rel = NC_SORTS_BEFORE; /* x.a BEFORE a */ >> > ++ if (!d1_has_dot && domains_rel == NC_INCLUDES) >> > ++ domains_rel = NC_SORTS_AFTER; /* a AFTER x.a */ >> > ++ } >> > ++ >> > ++ if (!i && !j) { /* both are domains-only */ >> > ++ return domains_rel; >> > ++ } else if (i && !j) { /* n1 is email, n2 is domain */ >> > ++ switch (domains_rel) { >> > ++ case NC_SORTS_AFTER: >> > ++ return NC_SORTS_AFTER; >> > ++ case NC_SORTS_BEFORE: >> > ++ return NC_SORTS_BEFORE; >> > ++ case NC_INCLUDES: /* n2 is more specific, [email protected] AFTER >> z.x.a */ >> > ++ return NC_SORTS_AFTER; >> > ++ case NC_EQUAL: /* subdomains match, [email protected] INCLUDED_BY x.a >> */ >> > ++ case NC_INCLUDED_BY: /* n1 is more specific */ >> > ++ return NC_INCLUDED_BY; >> > ++ } >> > ++ } else if (!i && j) { /* n1 is domain, n2 is email */ >> > ++ switch (domains_rel) { >> > ++ case NC_SORTS_AFTER: >> > ++ return NC_SORTS_AFTER; >> > ++ case NC_SORTS_BEFORE: >> > ++ return NC_SORTS_BEFORE; >> > ++ case NC_INCLUDES: /* n2 is more specific, a AFTER [email protected] */ >> > ++ return NC_SORTS_AFTER; >> > ++ case NC_EQUAL: /* subdomains match, x.a INCLUDES [email protected] */ >> > ++ return NC_INCLUDES; >> > ++ case NC_INCLUDED_BY: /* n1 is more specific, x.a BEFORE z@a >> */ >> > ++ return NC_SORTS_BEFORE; >> > ++ } >> > ++ } else if (i && j) { /* both are emails */ >> > ++ switch (domains_rel) { >> > ++ case NC_SORTS_AFTER: >> > ++ return NC_SORTS_AFTER; >> > ++ case NC_SORTS_BEFORE: >> > ++ return NC_SORTS_BEFORE; >> > ++ case NC_INCLUDES: // n2 is more specific >> > ++ return NC_SORTS_AFTER; >> > ++ case NC_INCLUDED_BY: // n1 is more specific >> > ++ return NC_SORTS_BEFORE; >> > ++ case NC_EQUAL: // only case when we need to look before >> the @ >> > ++ break; // see below for readability >> > ++ } >> > ++ } >> > ++ >> > ++ /* i && j, both are emails, domain names match, compare up to @ */ >> > ++ return compare_strings(n1->data, i - 1, n2->data, j - 1); >> > ++} >> > ++ >> > ++/* Rich-compare IP address constraints. Example order/relationships: >> > ++ * 10.0.0.0/24 INCLUDED_BY 10.0.0.0/16 BEFORE 1::1/128 INCLUDED_BY >> 1::1/127 */ >> > ++static enum name_constraint_relation compare_ip_ncs(const >> gnutls_datum_t *n1, >> > ++ const gnutls_datum_t >> *n2) >> > ++{ >> > ++ unsigned int len, i; >> > ++ int r; >> > ++ const unsigned char *ip1, *ip2, *mask1, *mask2; >> > ++ unsigned char masked11[16], masked22[16], masked12[16], >> masked21[16]; >> > ++ >> > ++ if (n1->size < n2->size) >> > ++ return NC_SORTS_BEFORE; >> > ++ if (n1->size > n2->size) >> > ++ return NC_SORTS_AFTER; >> > ++ len = n1->size / 2; /* 4 for IPv4, 16 for IPv6 */ >> > ++ >> > ++ /* data is a concatenation of prefix and mask */ >> > ++ ip1 = n1->data; >> > ++ ip2 = n2->data; >> > ++ mask1 = n1->data + len; >> > ++ mask2 = n2->data + len; >> > ++ for (i = 0; i < len; i++) { >> > ++ masked11[i] = ip1[i] & mask1[i]; >> > ++ masked22[i] = ip2[i] & mask2[i]; >> > ++ masked12[i] = ip1[i] & mask2[i]; >> > ++ masked21[i] = ip2[i] & mask1[i]; >> > ++ } >> > ++ >> > ++ r = memcmp(mask1, mask2, len); >> > ++ if (r < 0 && !memcmp(masked11, masked21, len)) /* prefix1 < >> prefix2 */ >> > ++ return NC_INCLUDES; /* ip1 & mask1 == ip2 & mask1 */ >> > ++ if (r > 0 && !memcmp(masked12, masked22, len)) /* prefix1 > >> prefix2 */ >> > ++ return NC_INCLUDED_BY; /* ip1 & mask2 == ip2 & mask2 */ >> > ++ >> > ++ r = memcmp(masked11, masked22, len); >> > ++ if (r < 0) >> > ++ return NC_SORTS_BEFORE; >> > ++ else if (r > 0) >> > ++ return NC_SORTS_AFTER; >> > ++ return NC_EQUAL; >> > ++} >> > ++ >> > ++static inline bool is_supported_type(unsigned type) >> > ++{ >> > ++ return type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME >> || >> > ++ type == GNUTLS_SAN_IPADDRESS; >> > ++} >> > ++ >> > ++/* Universal comparison for name constraint nodes. >> > ++ * Unsupported types sort before supported types to allow early >> handling. >> > ++ * NULL represents end-of-list and sorts after everything else. */ >> > ++static enum name_constraint_relation >> > ++compare_name_constraint_nodes(const struct name_constraints_node_st >> *n1, >> > ++ const struct name_constraints_node_st *n2) >> > ++{ >> > ++ bool n1_supported, n2_supported; >> > ++ >> > ++ if (!n1 && !n2) >> > ++ return NC_EQUAL; >> > ++ if (!n1) >> > ++ return NC_SORTS_AFTER; >> > ++ if (!n2) >> > ++ return NC_SORTS_BEFORE; >> > ++ >> > ++ n1_supported = is_supported_type(n1->type); >> > ++ n2_supported = is_supported_type(n2->type); >> > ++ >> > ++ /* unsupported types bubble up (sort first). intersect relies on >> this */ >> > ++ if (!n1_supported && n2_supported) >> > ++ return NC_SORTS_BEFORE; >> > ++ if (n1_supported && !n2_supported) >> > ++ return NC_SORTS_AFTER; >> > ++ >> > ++ /* next, sort by type */ >> > ++ if (n1->type < n2->type) >> > ++ return NC_SORTS_BEFORE; >> > ++ if (n1->type > n2->type) >> > ++ return NC_SORTS_AFTER; >> > ++ >> > ++ /* now look deeper */ >> > ++ switch (n1->type) { >> > ++ case GNUTLS_SAN_DNSNAME: >> > ++ return compare_dns_names(&n1->name, &n2->name); >> > ++ case GNUTLS_SAN_RFC822NAME: >> > ++ return compare_emails(&n1->name, &n2->name); >> > ++ case GNUTLS_SAN_IPADDRESS: >> > ++ return compare_ip_ncs(&n1->name, &n2->name); >> > ++ default: >> > ++ /* unsupported types: stable lexicographic order */ >> > ++ return compare_strings(n1->name.data, n1->name.size, >> > ++ n2->name.data, n2->name.size); >> > ++ } >> > ++} >> > ++ >> > ++/* qsort-compatible wrapper */ >> > ++static int compare_name_constraint_nodes_qsort(const void *a, const >> void *b) >> > ++{ >> > ++ const struct name_constraints_node_st *const *n1 = a; >> > ++ const struct name_constraints_node_st *const *n2 = b; >> > ++ enum name_constraint_relation rel; >> > ++ >> > ++ rel = compare_name_constraint_nodes(*n1, *n2); >> > ++ switch (rel) { >> > ++ case NC_SORTS_BEFORE: >> > ++ case NC_INCLUDED_BY: >> > ++ return -1; >> > ++ case NC_SORTS_AFTER: >> > ++ case NC_INCLUDES: >> > ++ return 1; >> > ++ case NC_EQUAL: >> > ++ default: >> > ++ return 0; >> > ++ } >> > ++} >> > ++ >> > + static int >> > + name_constraints_node_list_add(struct name_constraints_node_list_st >> *list, >> > + struct name_constraints_node_st *node) >> > +@@ -420,9 +699,7 @@ static int name_constraints_node_list_in >> > + } >> > + } >> > + >> > +- if (found != NULL && (t->type == GNUTLS_SAN_DNSNAME || >> > +- t->type == GNUTLS_SAN_RFC822NAME || >> > +- t->type == GNUTLS_SAN_IPADDRESS)) { >> > ++ if (found != NULL && is_supported_type(t->type)) { >> > + /* move node from PERMITTED to REMOVED */ >> > + ret = name_constraints_node_list_add(&removed, t); >> > + if (ret < 0) { >> > +@@ -824,61 +1101,14 @@ cleanup: >> > + return ret; >> > + } >> > + >> > +-static unsigned ends_with(const gnutls_datum_t *str, >> > +- const gnutls_datum_t *suffix) >> > +-{ >> > +- unsigned char *tree; >> > +- unsigned int treelen; >> > +- >> > +- if (suffix->size >= str->size) >> > +- return 0; >> > +- >> > +- tree = suffix->data; >> > +- treelen = suffix->size; >> > +- if ((treelen > 0) && (tree[0] == '.')) { >> > +- tree++; >> > +- treelen--; >> > +- } >> > +- >> > +- if (memcmp(str->data + str->size - treelen, tree, treelen) == 0 && >> > +- str->data[str->size - treelen - 1] == '.') >> > +- return 1; /* match */ >> > +- >> > +- return 0; >> > +-} >> > +- >> > +-static unsigned email_ends_with(const gnutls_datum_t *str, >> > +- const gnutls_datum_t *suffix) >> > +-{ >> > +- if (suffix->size >= str->size) { >> > +- return 0; >> > +- } >> > +- >> > +- if (suffix->size > 0 && memcmp(str->data + str->size - >> suffix->size, >> > +- suffix->data, suffix->size) != 0) { >> > +- return 0; >> > +- } >> > +- >> > +- if (suffix->size > 1 && suffix->data[0] == '.') { /* .domain.com >> */ >> > +- return 1; /* match */ >> > +- } else if (str->data[str->size - suffix->size - 1] == '@') { >> > +- return 1; /* match */ >> > +- } >> > +- >> > +- return 0; >> > +-} >> > +- >> > + static unsigned dnsname_matches(const gnutls_datum_t *name, >> > + const gnutls_datum_t *suffix) >> > + { >> > + _gnutls_hard_log("matching %.*s with DNS constraint %.*s\n", >> name->size, >> > + name->data, suffix->size, suffix->data); >> > + >> > +- if (suffix->size == name->size && >> > +- memcmp(suffix->data, name->data, suffix->size) == 0) >> > +- return 1; /* match */ >> > +- >> > +- return ends_with(name, suffix); >> > ++ enum name_constraint_relation rel = compare_dns_names(name, >> suffix); >> > ++ return rel == NC_EQUAL || rel == NC_INCLUDED_BY; >> > + } >> > + >> > + static unsigned email_matches(const gnutls_datum_t *name, >> > +@@ -887,11 +1117,8 @@ static unsigned email_matches(const gnut >> > + _gnutls_hard_log("matching %.*s with e-mail constraint %.*s\n", >> > + name->size, name->data, suffix->size, >> suffix->data); >> > + >> > +- if (suffix->size == name->size && >> > +- memcmp(suffix->data, name->data, suffix->size) == 0) >> > +- return 1; /* match */ >> > +- >> > +- return email_ends_with(name, suffix); >> > ++ enum name_constraint_relation rel = compare_emails(name, suffix); >> > ++ return rel == NC_EQUAL || rel == NC_INCLUDED_BY; >> > + } >> > + >> > + /*- >> > +@@ -915,8 +1142,7 @@ static int name_constraints_intersect_no >> > + // presume empty intersection >> > + struct name_constraints_node_st *intersection = NULL; >> > + const struct name_constraints_node_st *to_copy = NULL; >> > +- unsigned iplength = 0; >> > +- unsigned byte; >> > ++ enum name_constraint_relation rel; >> > + >> > + *_intersection = NULL; >> > + >> > +@@ -925,32 +1151,49 @@ static int name_constraints_intersect_no >> > + } >> > + switch (node1->type) { >> > + case GNUTLS_SAN_DNSNAME: >> > +- if (!dnsname_matches(&node2->name, &node1->name)) >> > ++ rel = compare_dns_names(&node1->name, &node2->name); >> > ++ switch (rel) { >> > ++ case NC_EQUAL: // equal means doesn't matter which one >> > ++ case NC_INCLUDES: // node2 is more specific >> > ++ to_copy = node2; >> > ++ break; >> > ++ case NC_INCLUDED_BY: // node1 is more specific >> > ++ to_copy = node1; >> > ++ break; >> > ++ case NC_SORTS_BEFORE: // no intersection >> > ++ case NC_SORTS_AFTER: // no intersection >> > + return GNUTLS_E_SUCCESS; >> > +- to_copy = node2; >> > ++ } >> > + break; >> > + case GNUTLS_SAN_RFC822NAME: >> > +- if (!email_matches(&node2->name, &node1->name)) >> > ++ rel = compare_emails(&node1->name, &node2->name); >> > ++ switch (rel) { >> > ++ case NC_EQUAL: // equal means doesn't matter which one >> > ++ case NC_INCLUDES: // node2 is more specific >> > ++ to_copy = node2; >> > ++ break; >> > ++ case NC_INCLUDED_BY: // node1 is more specific >> > ++ to_copy = node1; >> > ++ break; >> > ++ case NC_SORTS_BEFORE: // no intersection >> > ++ case NC_SORTS_AFTER: // no intersection >> > + return GNUTLS_E_SUCCESS; >> > +- to_copy = node2; >> > ++ } >> > + break; >> > + case GNUTLS_SAN_IPADDRESS: >> > +- if (node1->name.size != node2->name.size) >> > ++ rel = compare_ip_ncs(&node1->name, &node2->name); >> > ++ switch (rel) { >> > ++ case NC_EQUAL: // equal means doesn't matter which one >> > ++ case NC_INCLUDES: // node2 is more specific >> > ++ to_copy = node2; >> > ++ break; >> > ++ case NC_INCLUDED_BY: // node1 is more specific >> > ++ to_copy = node1; >> > ++ break; >> > ++ case NC_SORTS_BEFORE: // no intersection >> > ++ case NC_SORTS_AFTER: // no intersection >> > + return GNUTLS_E_SUCCESS; >> > +- iplength = node1->name.size / 2; >> > +- for (byte = 0; byte < iplength; byte++) { >> > +- if (((node1->name.data[byte] ^ >> > +- node2->name.data[byte]) // XOR of addresses >> > +- & node1->name.data[byte + >> > +- iplength] // AND mask from >> nc1 >> > +- & node2->name.data[byte + >> > +- iplength]) // AND mask >> from nc2 >> > +- != 0) { >> > +- // CIDRS do not intersect >> > +- return GNUTLS_E_SUCCESS; >> > +- } >> > + } >> > +- to_copy = node2; >> > + break; >> > + default: >> > + // for other types, we don't know how to do the >> intersection, assume empty >> > +@@ -967,20 +1210,6 @@ static int name_constraints_intersect_no >> > + intersection = *_intersection; >> > + >> > + assert(intersection->name.data != NULL); >> > +- >> > +- if (intersection->type == GNUTLS_SAN_IPADDRESS) { >> > +- // make sure both IP addresses are correctly masked >> > +- _gnutls_mask_ip(intersection->name.data, >> > +- intersection->name.data + iplength, >> > +- iplength); >> > +- _gnutls_mask_ip(node1->name.data, >> > +- node1->name.data + iplength, >> iplength); >> > +- // update intersection, if necessary (we already >> know one is subset of other) >> > +- for (byte = 0; byte < 2 * iplength; byte++) { >> > +- intersection->name.data[byte] |= >> > +- node1->name.data[byte]; >> > +- } >> > +- } >> > + } >> > + >> > + return GNUTLS_E_SUCCESS; >> > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch >> b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch >> > new file mode 100644 >> > index 0000000000..6dc599dd9f >> > --- /dev/null >> > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch >> > @@ -0,0 +1,119 @@ >> > +From bc62fbb946085527b4b1c02f337dd10c68c54690 Mon Sep 17 00:00:00 2001 >> > +From: Alexander Sosedkin <[email protected]> >> > +Date: Wed, 4 Feb 2026 09:09:46 +0100 >> > +Subject: [PATCH] x509/name_constraints: add sorted_view in >> preparation... >> > + >> > +... for actually using it later for performance gains. >> > + >> > +Signed-off-by: Alexander Sosedkin <[email protected]> >> > + >> > +Upstream-Status: Backport [ >> https://gitlab.com/gnutls/gnutls/-/commit/bc62fbb946085527b4b1c02f337dd10c68c54690 >> ] >> > +CVE: CVE-2025-14831 >> > +Signed-off-by: Vijay Anusuri <[email protected]> >> > +--- >> > + lib/x509/name_constraints.c | 62 ++++++++++++++++++++++++++++++------- >> > + 1 file changed, 51 insertions(+), 11 deletions(-) >> > + >> > +--- a/lib/x509/name_constraints.c >> > ++++ b/lib/x509/name_constraints.c >> > +@@ -54,6 +54,9 @@ struct name_constraints_node_list_st { >> > + struct name_constraints_node_st **data; >> > + size_t size; >> > + size_t capacity; >> > ++ /* sorted-on-demand view, valid only when dirty == false */ >> > ++ bool dirty; >> > ++ struct name_constraints_node_st **sorted_view; >> > + }; >> > + >> > + struct gnutls_name_constraints_st { >> > +@@ -342,6 +345,37 @@ static int compare_name_constraint_nodes >> > + } >> > + } >> > + >> > ++/* Bring the sorted view up to date with the list data; clear the >> dirty flag. */ >> > ++static int ensure_sorted(struct name_constraints_node_list_st *list) >> > ++{ >> > ++ struct name_constraints_node_st **new_data; >> > ++ >> > ++ if (!list->dirty) >> > ++ return GNUTLS_E_SUCCESS; >> > ++ if (!list->size) { >> > ++ list->dirty = false; >> > ++ return GNUTLS_E_SUCCESS; >> > ++ } >> > ++ >> > ++ /* reallocate sorted view to match current size */ >> > ++ new_data = >> > ++ _gnutls_reallocarray(list->sorted_view, list->size, >> > ++ sizeof(struct >> name_constraints_node_st *)); >> > ++ if (!new_data) >> > ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); >> > ++ list->sorted_view = new_data; >> > ++ >> > ++ /* copy pointers and sort in-place */ >> > ++ memcpy(list->sorted_view, list->data, >> > ++ list->size * sizeof(struct name_constraints_node_st *)); >> > ++ qsort(list->sorted_view, list->size, >> > ++ sizeof(struct name_constraints_node_st *), >> > ++ compare_name_constraint_nodes_qsort); >> > ++ >> > ++ list->dirty = false; >> > ++ return GNUTLS_E_SUCCESS; >> > ++} >> > ++ >> > + static int >> > + name_constraints_node_list_add(struct name_constraints_node_list_st >> *list, >> > + struct name_constraints_node_st *node) >> > +@@ -361,10 +395,23 @@ name_constraints_node_list_add(struct na >> > + list->capacity = new_capacity; >> > + list->data = new_data; >> > + } >> > ++ list->dirty = true; >> > + list->data[list->size++] = node; >> > + return 0; >> > + } >> > + >> > ++static void >> > ++name_constraints_node_list_clear(struct name_constraints_node_list_st >> *list) >> > ++{ >> > ++ gnutls_free(list->data); >> > ++ gnutls_free(list->sorted_view); >> > ++ list->data = NULL; >> > ++ list->sorted_view = NULL; >> > ++ list->capacity = 0; >> > ++ list->size = 0; >> > ++ list->dirty = false; >> > ++} >> > ++ >> > + static int >> > + name_constraints_node_add_new(gnutls_x509_name_constraints_t nc, >> > + struct name_constraints_node_list_st *list, >> > +@@ -711,6 +758,7 @@ static int name_constraints_node_list_in >> > + permitted->data[i] = >> > + permitted->data[permitted->size - >> 1]; >> > + permitted->size--; >> > ++ permitted->dirty = true; >> > + continue; >> > + } >> > + i++; >> > +@@ -905,17 +953,9 @@ void _gnutls_x509_name_constraints_clear >> > + struct name_constraints_node_st *node = nc->nodes.data[i]; >> > + name_constraints_node_free(node); >> > + } >> > +- gnutls_free(nc->nodes.data); >> > +- nc->nodes.capacity = 0; >> > +- nc->nodes.size = 0; >> > +- >> > +- gnutls_free(nc->permitted.data); >> > +- nc->permitted.capacity = 0; >> > +- nc->permitted.size = 0; >> > +- >> > +- gnutls_free(nc->excluded.data); >> > +- nc->excluded.capacity = 0; >> > +- nc->excluded.size = 0; >> > ++ name_constraints_node_list_clear(&nc->nodes); >> > ++ name_constraints_node_list_clear(&nc->permitted); >> > ++ name_constraints_node_list_clear(&nc->excluded); >> > + } >> > + >> > + /** >> > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch >> b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch >> > new file mode 100644 >> > index 0000000000..846862007f >> > --- /dev/null >> > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch >> > @@ -0,0 +1,150 @@ >> > +From 80db5e90fa18d3e34bb91dd027bdf76d31e93dcd Mon Sep 17 00:00:00 2001 >> > +From: Alexander Sosedkin <[email protected]> >> > +Date: Wed, 4 Feb 2026 13:30:08 +0100 >> > +Subject: [PATCH] x509/name_constraints: implement >> > + name_constraints_node_list_union >> > + >> > +Signed-off-by: Alexander Sosedkin <[email protected]> >> > + >> > +Upstream-Status: Backport [ >> https://gitlab.com/gnutls/gnutls/-/commit/80db5e90fa18d3e34bb91dd027bdf76d31e93dcd >> ] >> > +CVE: CVE-2025-14831 >> > +Signed-off-by: Vijay Anusuri <[email protected]> >> > +--- >> > + lib/x509/name_constraints.c | 98 ++++++++++++++++++++++++++++++++----- >> > + 1 file changed, 86 insertions(+), 12 deletions(-) >> > + >> > +--- a/lib/x509/name_constraints.c >> > ++++ b/lib/x509/name_constraints.c >> > +@@ -41,6 +41,7 @@ >> > + #include "intprops.h" >> > + #include "minmax.h" >> > + >> > ++#include <assert.h> >> > + #include <string.h> >> > + >> > + #define MAX_NC_CHECKS (1 << 20) >> > +@@ -867,22 +868,95 @@ cleanup: >> > + return ret; >> > + } >> > + >> > +-static int name_constraints_node_list_concat( >> > +- gnutls_x509_name_constraints_t nc, >> > +- struct name_constraints_node_list_st *nodes, >> > +- const struct name_constraints_node_list_st *nodes2) >> > ++static int >> > ++name_constraints_node_list_union(gnutls_x509_name_constraints_t nc, >> > ++ struct name_constraints_node_list_st >> *nodes, >> > ++ struct name_constraints_node_list_st >> *nodes2) >> > + { >> > + int ret; >> > ++ size_t i = 0, j = 0; >> > ++ struct name_constraints_node_st *nc1; >> > ++ const struct name_constraints_node_st *nc2; >> > ++ enum name_constraint_relation rel; >> > ++ struct name_constraints_node_list_st result = { 0 }; >> > ++ >> > ++ if (nodes2->size == 0) /* nothing to do */ >> > ++ return GNUTLS_E_SUCCESS; >> > ++ >> > ++ ret = ensure_sorted(nodes); >> > ++ if (ret < 0) { >> > ++ gnutls_assert(); >> > ++ goto cleanup; >> > ++ } >> > ++ ret = ensure_sorted(nodes2); >> > ++ if (ret < 0) { >> > ++ gnutls_assert(); >> > ++ goto cleanup; >> > ++ } >> > ++ >> > ++ /* traverse both lists in a single pass and merge them w/o >> duplicates */ >> > ++ while (i < nodes->size || j < nodes2->size) { >> > ++ nc1 = (i < nodes->size) ? nodes->sorted_view[i] : NULL; >> > ++ nc2 = (j < nodes2->size) ? nodes2->sorted_view[j] : NULL; >> > + >> > +- for (size_t i = 0; i < nodes2->size; i++) { >> > +- ret = name_constraints_node_add_copy(nc, nodes, >> > +- nodes2->data[i]); >> > ++ rel = compare_name_constraint_nodes(nc1, nc2); >> > ++ switch (rel) { >> > ++ case NC_SORTS_BEFORE: >> > ++ assert(nc1 != NULL); /* comparator-guaranteed */ >> > ++ ret = name_constraints_node_list_add(&result, nc1); >> > ++ i++; >> > ++ break; >> > ++ case NC_SORTS_AFTER: >> > ++ assert(nc2 != NULL); /* comparator-guaranteed */ >> > ++ ret = name_constraints_node_add_copy(nc, &result, >> nc2); >> > ++ j++; >> > ++ break; >> > ++ case NC_INCLUDES: /* nc1 is broader, shallow-copy it */ >> > ++ assert(nc1 != NULL && nc2 != NULL); /* comparator >> */ >> > ++ ret = name_constraints_node_list_add(&result, nc1); >> > ++ i++; >> > ++ j++; >> > ++ break; >> > ++ case NC_INCLUDED_BY: /* nc2 is broader, deep-copy it */ >> > ++ assert(nc1 != NULL && nc2 != NULL); /* comparator >> */ >> > ++ ret = name_constraints_node_add_copy(nc, &result, >> nc2); >> > ++ i++; >> > ++ j++; >> > ++ break; >> > ++ case NC_EQUAL: >> > ++ assert(nc1 != NULL && nc2 != NULL); /* loop >> condition */ >> > ++ ret = name_constraints_node_list_add(&result, nc1); >> > ++ i++; >> > ++ j++; >> > ++ break; >> > ++ } >> > + if (ret < 0) { >> > +- return gnutls_assert_val(ret); >> > ++ gnutls_assert(); >> > ++ goto cleanup; >> > + } >> > + } >> > + >> > +- return 0; >> > ++ gnutls_free(nodes->data); >> > ++ gnutls_free(nodes->sorted_view); >> > ++ nodes->data = result.data; >> > ++ nodes->sorted_view = NULL; >> > ++ nodes->size = result.size; >> > ++ nodes->capacity = result.capacity; >> > ++ nodes->dirty = true; >> > ++ /* since we know it's sorted, populate sorted_view almost for free >> */ >> > ++ nodes->sorted_view = gnutls_calloc( >> > ++ nodes->size, sizeof(struct name_constraints_node_st *)); >> > ++ if (!nodes->sorted_view) >> > ++ return GNUTLS_E_SUCCESS; /* we tried, no harm done */ >> > ++ memcpy(nodes->sorted_view, nodes->data, >> > ++ nodes->size * sizeof(struct name_constraints_node_st *)); >> > ++ nodes->dirty = false; >> > ++ >> > ++ result.data = NULL; >> > ++ return GNUTLS_E_SUCCESS; >> > ++cleanup: >> > ++ name_constraints_node_list_clear(&result); >> > ++ return gnutls_assert_val(ret); >> > + } >> > + >> > + /** >> > +@@ -1023,7 +1097,7 @@ static int name_constraints_add(gnutls_x >> > + * @nc2: The name constraints to be merged with >> > + * >> > + * This function will merge the provided name constraints structures >> > +- * as per RFC5280 p6.1.4. That is, the excluded constraints will be >> appended, >> > ++ * as per RFC5280 p6.1.4. That is, the excluded constraints will be >> unioned, >> > + * and permitted will be intersected. The intersection assumes that @nc >> > + * is the root CA constraints. >> > + * >> > +@@ -1045,8 +1119,8 @@ int _gnutls_x509_name_constraints_merge( >> > + return ret; >> > + } >> > + >> > +- ret = name_constraints_node_list_concat(nc, &nc->excluded, >> > +- &nc2->excluded); >> > ++ ret = name_constraints_node_list_union(nc, &nc->excluded, >> > ++ &nc2->excluded); >> > + if (ret < 0) { >> > + gnutls_assert(); >> > + return ret; >> > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch >> b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch >> > new file mode 100644 >> > index 0000000000..9beca76a35 >> > --- /dev/null >> > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch >> > @@ -0,0 +1,105 @@ >> > +From d0ac999620c8c0aeb6939e1e92d884ca8e40b759 Mon Sep 17 00:00:00 2001 >> > +From: Alexander Sosedkin <[email protected]> >> > +Date: Wed, 4 Feb 2026 18:31:37 +0100 >> > +Subject: [PATCH] x509/name_constraints: make >> types_with_empty_intersection a >> > + bitmask >> > + >> > +Signed-off-by: Alexander Sosedkin <[email protected]> >> > + >> > +Upstream-Status: Backport [ >> https://gitlab.com/gnutls/gnutls/-/commit/d0ac999620c8c0aeb6939e1e92d884ca8e40b759 >> ] >> > +CVE: CVE-2025-14831 >> > +Signed-off-by: Vijay Anusuri <[email protected]> >> > +--- >> > + lib/x509/name_constraints.c | 39 +++++++++++++++++++++++++++---------- >> > + 1 file changed, 29 insertions(+), 10 deletions(-) >> > + >> > +--- a/lib/x509/name_constraints.c >> > ++++ b/lib/x509/name_constraints.c >> > +@@ -275,6 +275,7 @@ static enum name_constraint_relation com >> > + >> > + static inline bool is_supported_type(unsigned type) >> > + { >> > ++ /* all of these should be under GNUTLS_SAN_MAX (intersect >> bitmasks) */ >> > + return type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME >> || >> > + type == GNUTLS_SAN_IPADDRESS; >> > + } >> > +@@ -683,6 +684,21 @@ name_constraints_node_new(gnutls_x509_na >> > + return tmp; >> > + } >> > + >> > ++static int >> > ++name_constraints_node_list_union(gnutls_x509_name_constraints_t nc, >> > ++ struct name_constraints_node_list_st >> *nodes, >> > ++ struct name_constraints_node_list_st >> *nodes2); >> > ++ >> > ++#define type_bitmask_t uint8_t /* increase if GNUTLS_SAN_MAX grows */ >> > ++#define type_bitmask_set(mask, t) ((mask) |= (1u << (t))) >> > ++#define type_bitmask_clr(mask, t) ((mask) &= ~(1u << (t))) >> > ++#define type_bitmask_in(mask, t) ((mask) & (1u << (t))) >> > ++/* C99-compatible compile-time assertions; gnutls_int.h undefines >> verify */ >> > ++typedef char assert_san_max[(GNUTLS_SAN_MAX < 8) ? 1 : -1]; >> > ++typedef char assert_dnsname[(GNUTLS_SAN_DNSNAME <= GNUTLS_SAN_MAX) ? 1 >> : -1]; >> > ++typedef char assert_rfc822[(GNUTLS_SAN_RFC822NAME <= GNUTLS_SAN_MAX) ? >> 1 : -1]; >> > ++typedef char assert_ipaddr[(GNUTLS_SAN_IPADDRESS <= GNUTLS_SAN_MAX) ? >> 1 : -1]; >> > ++ >> > + /*- >> > + * @brief name_constraints_node_list_intersect: >> > + * @nc: %gnutls_x509_name_constraints_t >> > +@@ -710,12 +726,9 @@ static int name_constraints_node_list_in >> > + .capacity = 0 }; >> > + static const unsigned char universal_ip[32] = { 0 }; >> > + >> > +- /* temporary array to see, if we need to add universal excluded >> constraints >> > +- * (see phase 3 for details) >> > +- * indexed directly by (gnutls_x509_subject_alt_name_t enum - 1) */ >> > +- unsigned char types_with_empty_intersection[GNUTLS_SAN_MAX]; >> > +- memset(types_with_empty_intersection, 0, >> > +- sizeof(types_with_empty_intersection)); >> > ++ /* bitmask to see if we need to add universal excluded constraints >> > ++ * (see phase 3 for details) */ >> > ++ type_bitmask_t types_with_empty_intersection = 0; >> > + >> > + if (permitted->size == 0 || permitted2->size == 0) >> > + return 0; >> > +@@ -741,7 +754,8 @@ static int name_constraints_node_list_in >> > + // note the possibility of empty >> intersection for this type >> > + // if we add something to the intersection >> in phase 2, >> > + // we will reset this flag back to 0 then >> > +- types_with_empty_intersection[t->type - 1] >> = 1; >> > ++ >> type_bitmask_set(types_with_empty_intersection, >> > ++ t->type); >> > + found = t2; >> > + break; >> > + } >> > +@@ -795,8 +809,8 @@ static int name_constraints_node_list_in >> > + GNUTLS_E_INTERNAL_ERROR); >> > + } >> > + // we will not add universal excluded >> constraint for this type >> > +- types_with_empty_intersection[tmp->type - >> 1] = >> > +- 0; >> > ++ >> type_bitmask_clr(types_with_empty_intersection, >> > ++ tmp->type); >> > + // add intersection node to PERMITTED >> > + ret = >> name_constraints_node_list_add(permitted, >> > + tmp); >> > +@@ -824,7 +838,7 @@ static int name_constraints_node_list_in >> > + * excluded constraint with universal wildcard >> > + * (since the intersection of permitted is now empty). */ >> > + for (type = 1; type <= GNUTLS_SAN_MAX; type++) { >> > +- if (types_with_empty_intersection[type - 1] == 0) >> > ++ if (!type_bitmask_in(types_with_empty_intersection, type)) >> > + continue; >> > + _gnutls_hard_log( >> > + "Adding universal excluded name constraint for >> type %d.\n", >> > +@@ -868,6 +882,11 @@ cleanup: >> > + return ret; >> > + } >> > + >> > ++#undef type_bitmask_t >> > ++#undef type_bitmask_set >> > ++#undef type_bitmask_clr >> > ++#undef type_bitmask_in >> > ++ >> > + static int >> > + name_constraints_node_list_union(gnutls_x509_name_constraints_t nc, >> > + struct name_constraints_node_list_st >> *nodes, >> > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch >> b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch >> > new file mode 100644 >> > index 0000000000..27ed995d8d >> > --- /dev/null >> > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch >> > @@ -0,0 +1,437 @@ >> > +Backport of: >> > + >> > +From d6054f0016db05fb5c82177ddbd0a4e8331059a1 Mon Sep 17 00:00:00 2001 >> > +From: Alexander Sosedkin <[email protected]> >> > +Date: Wed, 4 Feb 2026 20:03:49 +0100 >> > +Subject: [PATCH] x509/name_constraints: >> name_constraints_node_list_intersect >> > + over sorted >> > + >> > +Fixes: #1773 >> > +Fixes: GNUTLS-SA-2026-02-09-2 >> > +Fixes: CVE-2025-14831 >> > + >> > +Signed-off-by: Alexander Sosedkin <[email protected]> >> > + >> > +Upstream-Status: Backport [ >> https://gitlab.com/gnutls/gnutls/-/commit/d6054f0016db05fb5c82177ddbd0a4e8331059a1 >> ] >> > +CVE: CVE-2025-14831 >> > +Signed-off-by: Vijay Anusuri <[email protected]> >> > +--- >> > + NEWS | 7 + >> > + lib/x509/name_constraints.c | 350 ++++++++++++++---------------------- >> > + 2 files changed, 142 insertions(+), 215 deletions(-) >> > + >> > +#diff --git a/NEWS b/NEWS >> > +#index e506db547a..96b7484fdf 100644 >> > +#--- a/NEWS >> > +#+++ b/NEWS >> > +#@@ -14,6 +14,13 @@ See the end for copying conditions. >> > +# Reported by Jaehun Lee. >> > +# [Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584] >> > +# >> > +#+** libgnutls: Fix name constraint processing performance issue >> > +#+ Verifying certificates with pathological amounts of name >> constraints >> > +#+ could lead to a denial of service attack via resource exhaustion. >> > +#+ Reworked processing algorithms exhibit better performance >> characteristics. >> > +#+ Reported by Tim Scheckenbach. >> > +#+ [Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831] >> > +#+ >> > +# ** libgnutls: Fix multiple unexploitable overflows >> > +# Reported by Tim Rühsen (#1783, #1786). >> > +# >> > +--- a/lib/x509/name_constraints.c >> > ++++ b/lib/x509/name_constraints.c >> > +@@ -446,13 +446,6 @@ name_constraints_node_add_copy(gnutls_x5 >> > + src->name.data, >> src->name.size); >> > + } >> > + >> > +-// for documentation see the implementation >> > +-static int name_constraints_intersect_nodes( >> > +- gnutls_x509_name_constraints_t nc, >> > +- const struct name_constraints_node_st *node1, >> > +- const struct name_constraints_node_st *node2, >> > +- struct name_constraints_node_st **intersection); >> > +- >> > + /*- >> > + * _gnutls_x509_name_constraints_is_empty: >> > + * @nc: name constraints structure >> > +@@ -716,129 +709,143 @@ typedef char assert_ipaddr[(GNUTLS_SAN_I >> > + static int name_constraints_node_list_intersect( >> > + gnutls_x509_name_constraints_t nc, >> > + struct name_constraints_node_list_st *permitted, >> > +- const struct name_constraints_node_list_st *permitted2, >> > ++ struct name_constraints_node_list_st *permitted2, >> > + struct name_constraints_node_list_st *excluded) >> > + { >> > +- struct name_constraints_node_st *tmp; >> > +- int ret, type, used; >> > +- struct name_constraints_node_list_st removed = { .data = NULL, >> > +- .size = 0, >> > +- .capacity = 0 }; >> > ++ struct name_constraints_node_st *nc1, *nc2; >> > ++ struct name_constraints_node_list_st result = { 0 }; >> > ++ struct name_constraints_node_list_st unsupp2 = { 0 }; >> > ++ enum name_constraint_relation rel; >> > ++ unsigned type; >> > ++ int ret = GNUTLS_E_SUCCESS; >> > ++ size_t i, j, p1_unsupp = 0, p2_unsupp = 0; >> > ++ type_bitmask_t universal_exclude_needed = 0; >> > ++ type_bitmask_t types_in_p1 = 0, types_in_p2 = 0; >> > + static const unsigned char universal_ip[32] = { 0 }; >> > + >> > +- /* bitmask to see if we need to add universal excluded constraints >> > +- * (see phase 3 for details) */ >> > +- type_bitmask_t types_with_empty_intersection = 0; >> > +- >> > + if (permitted->size == 0 || permitted2->size == 0) >> > +- return 0; >> > ++ return GNUTLS_E_SUCCESS; >> > + >> > +- /* Phase 1 >> > +- * For each name in PERMITTED, if a PERMITTED2 does not contain a >> name >> > +- * with the same type, move the original name to REMOVED. >> > +- * Do this also for node of unknown type (not DNS, email, IP) */ >> > +- for (size_t i = 0; i < permitted->size;) { >> > +- struct name_constraints_node_st *t = permitted->data[i]; >> > +- const struct name_constraints_node_st *found = NULL; >> > +- >> > +- for (size_t j = 0; j < permitted2->size; j++) { >> > +- const struct name_constraints_node_st *t2 = >> > +- permitted2->data[j]; >> > +- if (t->type == t2->type) { >> > +- // check bounds (we will use 't->type' as >> index) >> > +- if (t->type > GNUTLS_SAN_MAX || t->type == >> 0) { >> > +- gnutls_assert(); >> > +- ret = GNUTLS_E_INTERNAL_ERROR; >> > +- goto cleanup; >> > +- } >> > +- // note the possibility of empty >> intersection for this type >> > +- // if we add something to the intersection >> in phase 2, >> > +- // we will reset this flag back to 0 then >> > +- >> type_bitmask_set(types_with_empty_intersection, >> > +- t->type); >> > +- found = t2; >> > +- break; >> > +- } >> > ++ /* make sorted views of the arrays */ >> > ++ ret = ensure_sorted(permitted); >> > ++ if (ret < 0) { >> > ++ gnutls_assert(); >> > ++ goto cleanup; >> > ++ } >> > ++ ret = ensure_sorted(permitted2); >> > ++ if (ret < 0) { >> > ++ gnutls_assert(); >> > ++ goto cleanup; >> > ++ } >> > ++ >> > ++ /* deal with the leading unsupported types first: count, then >> union */ >> > ++ while (p1_unsupp < permitted->size && >> > ++ !is_supported_type(permitted->sorted_view[p1_unsupp]->type)) >> > ++ p1_unsupp++; >> > ++ while (p2_unsupp < permitted2->size && >> > ++ >> !is_supported_type(permitted2->sorted_view[p2_unsupp]->type)) >> > ++ p2_unsupp++; >> > ++ if (p1_unsupp) { /* copy p1 unsupported type pointers into result >> */ >> > ++ result.data = gnutls_calloc( >> > ++ p1_unsupp, sizeof(struct name_constraints_node_st >> *)); >> > ++ if (!result.data) { >> > ++ ret = GNUTLS_E_MEMORY_ERROR; >> > ++ gnutls_assert(); >> > ++ goto cleanup; >> > ++ } >> > ++ memcpy(result.data, permitted->sorted_view, >> > ++ p1_unsupp * sizeof(struct name_constraints_node_st >> *)); >> > ++ result.size = result.capacity = p1_unsupp; >> > ++ result.dirty = true; >> > ++ } >> > ++ if (p2_unsupp) { /* union will make deep copies from p2 */ >> > ++ unsupp2.data = permitted2->sorted_view; /* so, just alias >> */ >> > ++ unsupp2.size = unsupp2.capacity = p2_unsupp; >> > ++ unsupp2.dirty = false; /* we know it's sorted */ >> > ++ unsupp2.sorted_view = permitted2->sorted_view; >> > ++ ret = name_constraints_node_list_union(nc, &result, >> &unsupp2); >> > ++ if (ret < 0) { >> > ++ gnutls_assert(); >> > ++ goto cleanup; >> > + } >> > ++ } >> > + >> > +- if (found != NULL && is_supported_type(t->type)) { >> > +- /* move node from PERMITTED to REMOVED */ >> > +- ret = name_constraints_node_list_add(&removed, t); >> > +- if (ret < 0) { >> > +- gnutls_assert(); >> > +- goto cleanup; >> > +- } >> > +- /* remove node by swapping */ >> > +- if (i < permitted->size - 1) >> > +- permitted->data[i] = >> > +- permitted->data[permitted->size - >> 1]; >> > +- permitted->size--; >> > +- permitted->dirty = true; >> > +- continue; >> > ++ /* with that out of the way, pre-compute the supported types we >> have */ >> > ++ for (i = p1_unsupp; i < permitted->size; i++) { >> > ++ type = permitted->sorted_view[i]->type; >> > ++ if (type < 1 || type > GNUTLS_SAN_MAX) { >> > ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); >> > ++ goto cleanup; >> > + } >> > +- i++; >> > ++ type_bitmask_set(types_in_p1, type); >> > + } >> > ++ for (j = p2_unsupp; j < permitted2->size; j++) { >> > ++ type = permitted2->sorted_view[j]->type; >> > ++ if (type < 1 || type > GNUTLS_SAN_MAX) { >> > ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); >> > ++ goto cleanup; >> > ++ } >> > ++ type_bitmask_set(types_in_p2, type); >> > ++ } >> > ++ /* universal excludes might be needed for types intersecting to >> empty */ >> > ++ universal_exclude_needed = types_in_p1 & types_in_p2; >> > + >> > +- /* Phase 2 >> > +- * iterate through all combinations from PERMITTED2 and PERMITTED >> > +- * and create intersections of nodes with same type */ >> > +- for (size_t i = 0; i < permitted2->size; i++) { >> > +- const struct name_constraints_node_st *t2 = >> permitted2->data[i]; >> > +- >> > +- // current PERMITTED2 node has not yet been used for any >> intersection >> > +- // (and is not in REMOVED either) >> > +- used = 0; >> > +- for (size_t j = 0; j < removed.size; j++) { >> > +- const struct name_constraints_node_st *t = >> > +- removed.data[j]; >> > +- // save intersection of name constraints into tmp >> > +- ret = name_constraints_intersect_nodes(nc, t, t2, >> &tmp); >> > +- if (ret < 0) { >> > +- gnutls_assert(); >> > +- goto cleanup; >> > +- } >> > +- used = 1; >> > +- // if intersection is not empty >> > +- if (tmp != >> > +- NULL) { // intersection for this type is not >> empty >> > +- // check bounds >> > +- if (tmp->type > GNUTLS_SAN_MAX || >> > +- tmp->type == 0) { >> > +- gnutls_free(tmp); >> > +- return gnutls_assert_val( >> > +- GNUTLS_E_INTERNAL_ERROR); >> > +- } >> > +- // we will not add universal excluded >> constraint for this type >> > +- >> type_bitmask_clr(types_with_empty_intersection, >> > +- tmp->type); >> > +- // add intersection node to PERMITTED >> > +- ret = >> name_constraints_node_list_add(permitted, >> > +- tmp); >> > +- if (ret < 0) { >> > +- gnutls_assert(); >> > +- goto cleanup; >> > +- } >> > +- } >> > ++ /* go through supported type NCs and intersect in a single pass */ >> > ++ i = p1_unsupp; >> > ++ j = p2_unsupp; >> > ++ while (i < permitted->size || j < permitted2->size) { >> > ++ nc1 = (i < permitted->size) ? permitted->sorted_view[i] : >> NULL; >> > ++ nc2 = (j < permitted2->size) ? permitted2->sorted_view[j] : >> > ++ NULL; >> > ++ rel = compare_name_constraint_nodes(nc1, nc2); >> > ++ >> > ++ switch (rel) { >> > ++ case NC_SORTS_BEFORE: >> > ++ assert(nc1 != NULL); /* comparator-guaranteed */ >> > ++ /* if nothing to intersect with, shallow-copy nc1 >> */ >> > ++ if (!type_bitmask_in(types_in_p2, nc1->type)) >> > ++ ret = >> name_constraints_node_list_add(&result, >> > ++ nc1); >> > ++ i++; /* otherwise skip nc1 */ >> > ++ break; >> > ++ case NC_SORTS_AFTER: >> > ++ assert(nc2 != NULL); /* comparator-guaranteed */ >> > ++ /* if nothing to intersect with, deep-copy nc2 */ >> > ++ if (!type_bitmask_in(types_in_p1, nc2->type)) >> > ++ ret = name_constraints_node_add_copy( >> > ++ nc, &result, nc2); >> > ++ j++; /* otherwise skip nc2 */ >> > ++ break; >> > ++ case NC_INCLUDED_BY: /* add nc1, shallow-copy */ >> > ++ assert(nc1 != NULL && nc2 != NULL); /* comparator >> */ >> > ++ type_bitmask_clr(universal_exclude_needed, >> nc1->type); >> > ++ ret = name_constraints_node_list_add(&result, nc1); >> > ++ i++; >> > ++ break; >> > ++ case NC_INCLUDES: /* pick nc2, deep-copy */ >> > ++ assert(nc1 != NULL && nc2 != NULL); /* comparator >> */ >> > ++ type_bitmask_clr(universal_exclude_needed, >> nc2->type); >> > ++ ret = name_constraints_node_add_copy(nc, &result, >> nc2); >> > ++ j++; >> > ++ break; >> > ++ case NC_EQUAL: /* pick whichever: nc1, shallow-copy */ >> > ++ assert(nc1 != NULL && nc2 != NULL); /* loop >> condition */ >> > ++ type_bitmask_clr(universal_exclude_needed, >> nc1->type); >> > ++ ret = name_constraints_node_list_add(&result, nc1); >> > ++ i++; >> > ++ j++; >> > ++ break; >> > + } >> > +- // if the node from PERMITTED2 was not used for >> intersection, copy it to DEST >> > +- // Beware: also copies nodes other than DNS, email, IP, >> > +- // since their counterpart may have been moved in >> phase 1. >> > +- if (!used) { >> > +- ret = name_constraints_node_add_copy(nc, >> permitted, t2); >> > +- if (ret < 0) { >> > +- gnutls_assert(); >> > +- goto cleanup; >> > +- } >> > ++ if (ret < 0) { >> > ++ gnutls_assert(); >> > ++ goto cleanup; >> > + } >> > + } >> > + >> > +- /* Phase 3 >> > +- * For each type: If we have empty permitted name constraints now >> > +- * and we didn't have at the beginning, we have to add a new >> > +- * excluded constraint with universal wildcard >> > +- * (since the intersection of permitted is now empty). */ >> > ++ /* finishing touch: add universal excluded constraints for types >> where >> > ++ * both lists had constraints, but all intersections ended up >> empty */ >> > + for (type = 1; type <= GNUTLS_SAN_MAX; type++) { >> > +- if (!type_bitmask_in(types_with_empty_intersection, type)) >> > ++ if (!type_bitmask_in(universal_exclude_needed, type)) >> > + continue; >> > + _gnutls_hard_log( >> > + "Adding universal excluded name constraint for >> type %d.\n", >> > +@@ -871,14 +878,24 @@ static int name_constraints_node_list_in >> > + goto cleanup; >> > + } >> > + break; >> > +- default: // do nothing, at least one node was already >> moved in phase 1 >> > +- break; >> > ++ default: /* unsupported type; should be unreacheable */ >> > ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); >> > ++ goto cleanup; >> > + } >> > + } >> > +- ret = GNUTLS_E_SUCCESS; >> > + >> > ++ gnutls_free(permitted->data); >> > ++ gnutls_free(permitted->sorted_view); >> > ++ permitted->data = result.data; >> > ++ permitted->sorted_view = NULL; >> > ++ permitted->size = result.size; >> > ++ permitted->capacity = result.capacity; >> > ++ permitted->dirty = true; >> > ++ >> > ++ result.data = NULL; >> > ++ ret = GNUTLS_E_SUCCESS; >> > + cleanup: >> > +- gnutls_free(removed.data); >> > ++ name_constraints_node_list_clear(&result); >> > + return ret; >> > + } >> > + >> > +@@ -1254,100 +1271,6 @@ static unsigned email_matches(const gnut >> > + return rel == NC_EQUAL || rel == NC_INCLUDED_BY; >> > + } >> > + >> > +-/*- >> > +- * name_constraints_intersect_nodes: >> > +- * @nc1: name constraints node 1 >> > +- * @nc2: name constraints node 2 >> > +- * @_intersection: newly allocated node with intersected constraints, >> > +- * NULL if the intersection is empty >> > +- * >> > +- * Inspect 2 name constraints nodes (of possibly different types) and >> allocate >> > +- * a new node with intersection of given constraints. >> > +- * >> > +- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a >> negative error value. >> > +- -*/ >> > +-static int name_constraints_intersect_nodes( >> > +- gnutls_x509_name_constraints_t nc, >> > +- const struct name_constraints_node_st *node1, >> > +- const struct name_constraints_node_st *node2, >> > +- struct name_constraints_node_st **_intersection) >> > +-{ >> > +- // presume empty intersection >> > +- struct name_constraints_node_st *intersection = NULL; >> > +- const struct name_constraints_node_st *to_copy = NULL; >> > +- enum name_constraint_relation rel; >> > +- >> > +- *_intersection = NULL; >> > +- >> > +- if (node1->type != node2->type) { >> > +- return GNUTLS_E_SUCCESS; >> > +- } >> > +- switch (node1->type) { >> > +- case GNUTLS_SAN_DNSNAME: >> > +- rel = compare_dns_names(&node1->name, &node2->name); >> > +- switch (rel) { >> > +- case NC_EQUAL: // equal means doesn't matter which one >> > +- case NC_INCLUDES: // node2 is more specific >> > +- to_copy = node2; >> > +- break; >> > +- case NC_INCLUDED_BY: // node1 is more specific >> > +- to_copy = node1; >> > +- break; >> > +- case NC_SORTS_BEFORE: // no intersection >> > +- case NC_SORTS_AFTER: // no intersection >> > +- return GNUTLS_E_SUCCESS; >> > +- } >> > +- break; >> > +- case GNUTLS_SAN_RFC822NAME: >> > +- rel = compare_emails(&node1->name, &node2->name); >> > +- switch (rel) { >> > +- case NC_EQUAL: // equal means doesn't matter which one >> > +- case NC_INCLUDES: // node2 is more specific >> > +- to_copy = node2; >> > +- break; >> > +- case NC_INCLUDED_BY: // node1 is more specific >> > +- to_copy = node1; >> > +- break; >> > +- case NC_SORTS_BEFORE: // no intersection >> > +- case NC_SORTS_AFTER: // no intersection >> > +- return GNUTLS_E_SUCCESS; >> > +- } >> > +- break; >> > +- case GNUTLS_SAN_IPADDRESS: >> > +- rel = compare_ip_ncs(&node1->name, &node2->name); >> > +- switch (rel) { >> > +- case NC_EQUAL: // equal means doesn't matter which one >> > +- case NC_INCLUDES: // node2 is more specific >> > +- to_copy = node2; >> > +- break; >> > +- case NC_INCLUDED_BY: // node1 is more specific >> > +- to_copy = node1; >> > +- break; >> > +- case NC_SORTS_BEFORE: // no intersection >> > +- case NC_SORTS_AFTER: // no intersection >> > +- return GNUTLS_E_SUCCESS; >> > +- } >> > +- break; >> > +- default: >> > +- // for other types, we don't know how to do the >> intersection, assume empty >> > +- return GNUTLS_E_SUCCESS; >> > +- } >> > +- >> > +- // copy existing node if applicable >> > +- if (to_copy != NULL) { >> > +- *_intersection = name_constraints_node_new(nc, >> to_copy->type, >> > +- >> to_copy->name.data, >> > +- >> to_copy->name.size); >> > +- if (*_intersection == NULL) >> > +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); >> > +- intersection = *_intersection; >> > +- >> > +- assert(intersection->name.data != NULL); >> > +- } >> > +- >> > +- return GNUTLS_E_SUCCESS; >> > +-} >> > +- >> > + /* >> > + * Returns: true if the certification is acceptable, and false >> otherwise. >> > + */ >> > diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb >> b/meta/recipes-support/gnutls/gnutls_3.8.4.bb >> > index 026ae650f6..ccb6a2b4b2 100644 >> > --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb >> > +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb >> > @@ -34,6 +34,15 @@ SRC_URI = " >> https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar >> > file://CVE-2025-32990.patch \ >> > file://CVE-2025-6395.patch \ >> > file://CVE-2025-9820.patch \ >> > + file://CVE-2025-14831-1.patch \ >> > + file://CVE-2025-14831-2.patch \ >> > + file://CVE-2025-14831-3.patch \ >> > + file://CVE-2025-14831-4.patch \ >> > + file://CVE-2025-14831-5.patch \ >> > + file://CVE-2025-14831-6.patch \ >> > + file://CVE-2025-14831-7.patch \ >> > + file://CVE-2025-14831-8.patch \ >> > + file://CVE-2025-14831-9.patch \ >> > " >> > >> > SRC_URI[sha256sum] = >> "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b" >> >> >> -- >> Yoann Congal >> Smile ECS >> >> -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#231763): https://lists.openembedded.org/g/openembedded-core/message/231763 Mute This Topic: https://lists.openembedded.org/mt/117853869/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
