On Wed May 20, 2026 at 10:13 AM CEST, Hugo Simeliere via lists.openembedded.org wrote: > From: "Hugo SIMELIERE (Schneider Electric)" > <[email protected]> > > Pick patch from [1] as mentioned in Debian report in [2]. > Pick pre-patch [3] to minimize conflicts. > > [1] > https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78 > [2] https://security-tracker.debian.org/tracker/CVE-2026-33846 > [3] > https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0 > > Signed-off-by: Hugo SIMELIERE (Schneider Electric) > <[email protected]> > Reviewed-by: Bruno VERNAY <[email protected]> > --- > .../gnutls/gnutls/CVE-2026-33846-pre.patch | 97 +++++++++++++++++++ > .../gnutls/gnutls/CVE-2026-33846.patch | 67 +++++++++++++ > meta/recipes-support/gnutls/gnutls_3.8.4.bb | 2 + > 3 files changed, 166 insertions(+) > create mode 100644 > meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch > create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch > > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch > b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch > new file mode 100644 > index 0000000000..71266cb338 > --- /dev/null > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846-pre.patch > @@ -0,0 +1,97 @@ > +From e51ef765b942968949e29797a73727c371397eea Mon Sep 17 00:00:00 2001 > +From: Alexander Sosedkin <[email protected]> > +Date: Fri, 17 Apr 2026 17:49:31 +0200 > +Subject: [PATCH 1/2] buffers: shorten merge_handshake_packet using recv_buf
As far as I can tell this patch is only cosmetic and I'd rather not merge it unless you have a compeling reason. To apply CVE-2026-33846.patch, it looks like you will need to change it to use "session->internals.handshake_recv_buffer" instead of "recv_buf". Regards, > + > +I had vague concerns about thread-safety of this, > +but then this pattern already exists within the file. > + > +CVE: CVE-2026-33846 > +Upstream-Status: Backport > [https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0] > + > +Signed-off-by: Alexander Sosedkin <[email protected]> > +(cherry picked from commit 9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0) > +Signed-off-by: Hugo SIMELIERE (Schneider Electric) > <[email protected]> > +--- > + lib/buffers.c | 52 +++++++++++++++++---------------------------------- > + 1 file changed, 17 insertions(+), 35 deletions(-) > + > +diff --git a/lib/buffers.c b/lib/buffers.c > +index 672380b05..d54c77022 100644 > +--- a/lib/buffers.c > ++++ b/lib/buffers.c > +@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t > session, > + int exists = 0, i, pos = 0; > + int ret; > + > ++ handshake_buffer_st *recv_buf = > ++ session->internals.handshake_recv_buffer; > ++ > + for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) { > +- if (session->internals.handshake_recv_buffer[i].htype == > +- hsk->htype) { > ++ if (recv_buf[i].htype == hsk->htype) { > + exists = 1; > + pos = i; > + break; > +@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t > session, > + _gnutls_write_uint24(0, &hsk->header[6]); > + _gnutls_write_uint24(hsk->length, &hsk->header[9]); > + > +- _gnutls_handshake_buffer_move( > +- &session->internals.handshake_recv_buffer[pos], hsk); > ++ _gnutls_handshake_buffer_move(&recv_buf[pos], hsk); > + > + } else { > +- if (hsk->start_offset < > +- session->internals.handshake_recv_buffer[pos] > +- .start_offset && > +- hsk->end_offset + 1 >= > +- session->internals.handshake_recv_buffer[pos] > +- .start_offset) { > +- memcpy(&session->internals.handshake_recv_buffer[pos] > +- .data.data[hsk->start_offset], > ++ if (hsk->start_offset < recv_buf[pos].start_offset && > ++ hsk->end_offset + 1 >= recv_buf[pos].start_offset) { > ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset], > + hsk->data.data, hsk->data.length); > +- session->internals.handshake_recv_buffer[pos] > +- .start_offset = hsk->start_offset; > +- session->internals.handshake_recv_buffer[pos] > +- .end_offset = MIN( > +- hsk->end_offset, > +- session->internals.handshake_recv_buffer[pos] > +- .end_offset); > +- } else if (hsk->end_offset > > +- session->internals.handshake_recv_buffer[pos] > +- .end_offset && > +- hsk->start_offset <= > +- session->internals.handshake_recv_buffer[pos] > +- .end_offset + > +- 1) { > +- memcpy(&session->internals.handshake_recv_buffer[pos] > +- .data.data[hsk->start_offset], > ++ recv_buf[pos].start_offset = hsk->start_offset; > ++ recv_buf[pos].end_offset = > ++ MIN(hsk->end_offset, recv_buf[pos].end_offset); > ++ } else if (hsk->end_offset > recv_buf[pos].end_offset && > ++ hsk->start_offset <= recv_buf[pos].end_offset + 1) { > ++ memcpy(&recv_buf[pos].data.data[hsk->start_offset], > + hsk->data.data, hsk->data.length); > + > +- session->internals.handshake_recv_buffer[pos] > +- .end_offset = hsk->end_offset; > +- session->internals.handshake_recv_buffer[pos] > +- .start_offset = MIN( > +- hsk->start_offset, > +- session->internals.handshake_recv_buffer[pos] > +- .start_offset); > ++ recv_buf[pos].end_offset = hsk->end_offset; > ++ recv_buf[pos].start_offset = MIN( > ++ hsk->start_offset, recv_buf[pos].start_offset); > + } > + _gnutls_handshake_buffer_clear(hsk); > + } > +-- > +2.43.0 > + > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch > b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch > new file mode 100644 > index 0000000000..e7d5cc6c2b > --- /dev/null > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-33846.patch > @@ -0,0 +1,67 @@ > +From 68e0c900c1111206fa4a135cdb43827f3b908284 Mon Sep 17 00:00:00 2001 > +From: Alexander Sosedkin <[email protected]> > +Date: Fri, 17 Apr 2026 18:21:36 +0200 > +Subject: [PATCH 2/2] buffers: add more checks to DTLS reassembly > + > +Previously, gnutls didn't check that DTLS fragments claimed > +a consistent message_length value. > +Additionally, a crucial array size check was missing, > +enabling an attacker to cause a heap overwrite. > +The updated version rejects fragments with mismatching length > +and adds a missing boundary check. > + > +Reported-by: Haruto Kimura (Stella) > +Reported-by: Oscar Reparaz > +Reported-by: Zou Dikai > +Fixes: #1816 > +Fixes: #1838 > +Fixes: #1839 > +Fixes: CVE-2026-33846 > +Fixes: GNUTLS-SA-2026-04-29-1 > +CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H > +CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H > + > +CVE: CVE-2026-33846 > +Upstream-Status: Backport > [https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78] > + > +Signed-off-by: Alexander Sosedkin <[email protected]> > +(cherry picked from commit 65ab33fa54e34fba69d793735b7df3d383d1ff78) > +Signed-off-by: Hugo SIMELIERE (Schneider Electric) > <[email protected]> > +--- > + lib/buffers.c | 20 ++++++++++++++++++++ > + 1 file changed, 20 insertions(+) > + > +diff --git a/lib/buffers.c b/lib/buffers.c > +index d54c77022..5d4d16276 100644 > +--- a/lib/buffers.c > ++++ b/lib/buffers.c > +@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t > session, > + _gnutls_handshake_buffer_move(&recv_buf[pos], hsk); > + > + } else { > ++ if (hsk->length != recv_buf[pos].length) { > ++ /* inconsistent across fragments */ > ++ _gnutls_handshake_buffer_clear(hsk); > ++ return gnutls_assert_val( > ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH); > ++ } > ++ /* start_offset + data.length <= hsk->length <= max_length */ > ++ if (hsk->length < hsk->start_offset + hsk->data.length) { > ++ /* impossible claims, overflow requested */ > ++ _gnutls_handshake_buffer_clear(hsk); > ++ return gnutls_assert_val( > ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH); > ++ } > ++ if (hsk->length > recv_buf[pos].data.max_length) { > ++ /* we don't have this much allocated, overflow guard */ > ++ _gnutls_handshake_buffer_clear(hsk); > ++ return gnutls_assert_val( > ++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH); > ++ } > ++ > + if (hsk->start_offset < recv_buf[pos].start_offset && > + hsk->end_offset + 1 >= recv_buf[pos].start_offset) { > + memcpy(&recv_buf[pos].data.data[hsk->start_offset], > +-- > +2.43.0 > + > diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb > b/meta/recipes-support/gnutls/gnutls_3.8.4.bb > index ccb6a2b4b2..e40a654a8e 100644 > --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb > +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb > @@ -43,6 +43,8 @@ SRC_URI = > "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar > file://CVE-2025-14831-7.patch \ > file://CVE-2025-14831-8.patch \ > file://CVE-2025-14831-9.patch \ > + file://CVE-2026-33846-pre.patch \ > + file://CVE-2026-33846.patch \ > " > > SRC_URI[sha256sum] = > "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b" -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#238118): https://lists.openembedded.org/g/openembedded-core/message/238118 Mute This Topic: https://lists.openembedded.org/mt/119404633/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
