From: Sudhir Dumbhare <[email protected]> This patch applies the upstream fix [1] and test coverage [2], as referenced in [3], to address an OCSP multi-record response flaw where GnuTLS could check the status from the wrong response entry and incorrectly accept a revoked server certificate.
[1] https://gitlab.com/gnutls/gnutls/-/commit/731861b9de8dccaf7d3b0c1446833051e48670c2 [2] https://gitlab.com/gnutls/gnutls/-/commit/d52d5f4f383e8c5d8e9a03334f2421ff35d37d2e [3] https://security-tracker.debian.org/tracker/CVE-2026-3832 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3832 Signed-off-by: Sudhir Dumbhare <[email protected]> --- .../gnutls/gnutls/CVE-2026-3832_p1.patch | 52 ++++++++ .../gnutls/gnutls/CVE-2026-3832_p2.patch | 114 ++++++++++++++++++ meta/recipes-support/gnutls/gnutls_3.8.12.bb | 2 + 3 files changed, 168 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-3832_p1.patch create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-3832_p2.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-3832_p1.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-3832_p1.patch new file mode 100644 index 0000000000..3786c578b9 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-3832_p1.patch @@ -0,0 +1,52 @@ +From 141c9b6015fc56cd05db3a853f08d03fcbd9b0f4 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin <[email protected]> +Date: Thu, 12 Mar 2026 09:48:57 +0100 +Subject: [PATCH] cert-session: fix multi-entry OCSP revocation bypass + +In check_ocsp_response(), the code first searched +for the SingleResponse that matches the certificate being validated. +But later, the status was retrieved from entry 0 unconditionally, +rather than from the matched resp_indx. +As a result, if entry 0 corresponded to a different certificate and was good, +while the matched entry for the peer certificate is revoked, +the revocation check could've mistakenly accept the certificate. + +Reported-by: Oleh Konko (1seal) <[email protected]> +Reported-by: Joshua Rogers of AISLE Research Team <[email protected]> +Fixes: #1801 +Fixes: #1812 +Fixes: CVE-2026-3832 +Fixes: GNUTLS-SA-2026-04-29-12 +CVSS: 3.7 Low CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N +Introduced-in: ae404fe8488dee424876b5963c00d7e041672415 3.8.9 + +CVE: CVE-2026-3832 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/731861b9de8dccaf7d3b0c1446833051e48670c2] + +Signed-off-by: Alexander Sosedkin <[email protected]> +(cherry picked from commit 731861b9de8dccaf7d3b0c1446833051e48670c2) +Signed-off-by: Sudhir Dumbhare <[email protected]> +--- + lib/cert-session.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/cert-session.c b/lib/cert-session.c +index 963f797ee..f48c7a1fb 100644 +--- a/lib/cert-session.c ++++ b/lib/cert-session.c +@@ -343,9 +343,9 @@ static int check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert, + goto cleanup; + } + +- ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL, +- &cert_status, &vtime, &ntime, &rtime, +- NULL); ++ ret = gnutls_ocsp_resp_get_single(resp, resp_indx, NULL, NULL, NULL, ++ NULL, &cert_status, &vtime, &ntime, ++ &rtime, NULL); + if (ret < 0) { + _gnutls_audit_log( + session, +-- +2.51.0 + diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-3832_p2.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-3832_p2.patch new file mode 100644 index 0000000000..54ea38fe69 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-3832_p2.patch @@ -0,0 +1,114 @@ +From ac357f76abeaf59429bc15b8764ad01920df0ef1 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin <[email protected]> +Date: Thu, 12 Mar 2026 15:25:24 +0100 +Subject: [PATCH] tests/ocsp-tests/ocsp-must-staple-connection: test + CVE-2026-3832 + +CVE: CVE-2026-3832 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/d52d5f4f383e8c5d8e9a03334f2421ff35d37d2e] + +Signed-off-by: Alexander Sosedkin <[email protected]> +(cherry picked from commit d52d5f4f383e8c5d8e9a03334f2421ff35d37d2e) +Signed-off-by: Sudhir Dumbhare <[email protected]> +--- + .../ocsp-tests/ocsp-must-staple-connection.sh | 70 +++++++++++++++++++ + 1 file changed, 70 insertions(+) + +diff --git a/tests/ocsp-tests/ocsp-must-staple-connection.sh b/tests/ocsp-tests/ocsp-must-staple-connection.sh +index 94d41ce24..5e100b9d9 100755 +--- a/tests/ocsp-tests/ocsp-must-staple-connection.sh ++++ b/tests/ocsp-tests/ocsp-must-staple-connection.sh +@@ -85,6 +85,7 @@ OCSP_RESPONSE_FILE="$testdir/ms-resp.tmp" + OCSP_REQ_FILE="$testdir/ms-req.tmp" + INDEXFILE="$testdir/ocsp_index.txt" + ATTRFILE="${INDEXFILE}.attr" ++SERVER_CERT_BAD_FILE="$testdir/ms-cert-bad.pem.tmp" + + stop_servers () + { +@@ -118,6 +119,20 @@ ${CERTTOOL} \ + --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \ + --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" 2>/dev/null + ++echo "=== Generating bad server certificate ===" ++ ++rm -f "$TEMPLATE_FILE" ++cp "${srcdir}/ocsp-tests/certs/server_bad.template" "$TEMPLATE_FILE" ++chmod u+w "$TEMPLATE_FILE" ++echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE" ++ ++${CERTTOOL} \ ++ --attime "${CERTDATE}" \ ++ --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \ ++ --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \ ++ --load-privkey "${srcdir}/ocsp-tests/certs/server_bad.key" \ ++ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_BAD_FILE}" 2>/dev/null ++ + echo "=== Bringing OCSP server up ===" + + cp "${srcdir}/ocsp-tests/certs/ocsp_index.txt" ${INDEXFILE} +@@ -486,6 +501,61 @@ kill "${TLS_SERVER_PID}" + wait "${TLS_SERVER_PID}" + unset TLS_SERVER_PID + ++echo "=== Test 10: Server with revoked certificate - CVE-2026-3832 ===" ++ ++# The revocation status was always mistakenly checked for the first cert. ++# Check a pair of responses: (irrelevant good unrevoked, relevant bad revoked). ++ ++rm -f "${OCSP_RESPONSE_FILE}" ++ ++"$FAKETIME" "${TESTDATE}" \ ++ ${OPENSSL} ocsp -index "${INDEXFILE}" \ ++ -issuer "${srcdir}/ocsp-tests/certs/ca.pem" \ ++ -CA "${srcdir}/ocsp-tests/certs/ca.pem" \ ++ -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" \ ++ -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" \ ++ -cert "${SERVER_CERT_FILE}" \ ++ -cert "${SERVER_CERT_BAD_FILE}" \ ++ -respout "${OCSP_RESPONSE_FILE}" ++ ++eval "${GETPORT}" ++# Port for gnutls-serv ++TLS_SERVER_PORT=$PORT ++PORT=${TLS_SERVER_PORT} ++launch_bare_server \ ++ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \ ++ --x509keyfile="${srcdir}/ocsp-tests/certs/server_bad.key" \ ++ --x509certfile="${SERVER_CERT_BAD_FILE}" \ ++ --port="${TLS_SERVER_PORT}" \ ++ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors ++TLS_SERVER_PID="${!}" ++wait_server $TLS_SERVER_PID ++ ++wait_for_port "${TLS_SERVER_PORT}" ++ ++out=$( ++ echo "test 123456" | \ ++ "${CLI}" -d1 --attime "${TESTDATE}" --ocsp \ ++ --x509cafile "${srcdir}/ocsp-tests/certs/ca.pem" \ ++ --port "${TLS_SERVER_PORT}" localhost \ ++ 2>&1 ++ rc=$? ++) ++printf '%s\n' "$out" ++ ++if test "${rc}" = "0"; then ++ echo 'ERROR: client accepted a revoked leaf (CVE-2026-3832)' ++ exit 1 ++fi ++if ! echo "${out}" | grep "The certificate was revoked via OCSP" >/dev/null ++then ++ echo '"The certificate was revoked via OCSP" not found in output' ++ exit 1 ++fi ++ ++kill "${TLS_SERVER_PID}" ++wait "${TLS_SERVER_PID}" ++unset TLS_SERVER_PID + + kill ${OCSP_PID} + wait ${OCSP_PID} +-- +2.51.0 + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.12.bb b/meta/recipes-support/gnutls/gnutls_3.8.12.bb index 8554ab943d..c6cbc9f46c 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.12.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.12.bb @@ -24,6 +24,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://run-ptest \ file://Add-ptest-support.patch \ file://c99.patch \ + file://CVE-2026-3832_p1.patch \ + file://CVE-2026-3832_p2.patch \ " SRC_URI[sha256sum] = "a7b341421bfd459acf7a374ca4af3b9e06608dcd7bd792b2bf470bea012b8e51" -- 2.51.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240625): https://lists.openembedded.org/g/openembedded-core/message/240625 Mute This Topic: https://lists.openembedded.org/mt/120204085/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
