From: "Hugo SIMELIERE (Schneider Electric)" <[email protected]>
Pick patch from [1] as mentioned in Debian report in [2].
[1] https://gitlab.com/gnutls/gnutls/-/commit/19f6508647bdcd3ce21130201e484d7ca6d962c5
[2] https://security-tracker.debian.org/tracker/CVE-2026-3833
Signed-off-by: Hugo SIMELIERE (Schneider Electric) <[email protected]>
Reviewed-by: Bruno VERNAY <[email protected]>
---
 .../gnutls/gnutls/CVE-2026-3833.patch | 94 +++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
 2 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch
new file mode 100644
index 0000000000..cca4ff86f8
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-3833.patch
@@ -0,0 +1,94 @@
+From 2e8c3569d125d188b293d132c040201aae6ceb16 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <[email protected]>
+Date: Mon, 16 Mar 2026 15:29:40 +0100
+Subject: [PATCH] x509/name-constraints: compare domain names case-insensitive
+
+RFC 5280 7.2:
+> When comparing DNS names for equality, conforming implementations
+> MUST perform a case-insensitive exact match on the entire DNS name.
+> When evaluating name constraints, conforming implementations MUST
+> perform a case-insensitive exact match on a label-by-label basis.
+
+Domain name comparison during name constraints processing
+was case-sensitive. For excluded name constraints, this could lead to
+incorrectly accepting domain names that should've been rejected.
+The code for comparing domain names and domain name parts of emails
+has been modified to perform case-insensitive comparison instead.
+
+Reported-by: Oleh Konko <[email protected]>
+Reported-by: Joshua Rogers of AISLE Research Team <[email protected]>
+Fixes: #1223
+Fixes: #1803
+Fixes: #1852
+Fixes: CVE-2026-3833
+Fixes: GNUTLS-SA-2026-04-29-5
+
+CVE: CVE-2026-3833
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/19f6508647bdcd3ce21130201e484d7ca6d962c5]
+
+CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
+Signed-off-by: Alexander Sosedkin <[email protected]>
+(cherry picked from commit 19f6508647bdcd3ce21130201e484d7ca6d962c5)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) <[email protected]>
+---
+ lib/x509/name_constraints.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
+index 04722bdf4..dee045d25 100644
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -35,6 +35,7 @@
+ #include "x509_int.h"
+ #include "x509_ext_int.h"
+ #include <libtasn1.h>
++#include "c-strcase.h"
+
+ #include "ip.h"
+ #include "ip-in-cidr.h"
+@@ -80,7 +81,7 @@ enum name_constraint_relation {
+ NC_SORTS_AFTER = 2 /* unrelated constraints */
+ };
+
+-/* A helper to compare just a pair of strings with this rich comparison */
++/* Helpers to compare just a pair of strings with this rich comparison */
+ static enum name_constraint_relation
+ compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len)
+ {
+@@ -96,6 +97,22 @@ compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len)
+ return NC_EQUAL;
+ }
+
++static enum name_constraint_relation
++compare_strings_case_insensitive(const void *n1, size_t n1_len, const void *n2,
++ size_t n2_len)
++{
++ int r = c_strncasecmp(n1, n2, MIN(n1_len, n2_len));
++ if (r < 0)
++ return NC_SORTS_BEFORE;
++ if (r > 0)
++ return NC_SORTS_AFTER;
++ if (n1_len < n2_len)
++ return NC_SORTS_BEFORE;
++ if (n1_len > n2_len)
++ return NC_SORTS_AFTER;
++ return NC_EQUAL;
++}
++
+ /* Rich-compare DNS names. Example order/relationships:
+ * z.x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x.b BEFORE y.b */
+ static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1,
+@@ -121,8 +138,8 @@ static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1,
+ while (j && n2->data[j - 1] != '.')
+ j--;
+
+- rel = compare_strings(&n1->data[i], i_end - i, &n2->data[j],
+- j_end - j);
++ rel = compare_strings_case_insensitive(&n1->data[i], i_end - i,
++ &n2->data[j], j_end - j);
+ if (rel == NC_SORTS_BEFORE) /* x.a BEFORE y.a */
+ return NC_SORTS_BEFORE;
+ if (rel == NC_SORTS_AFTER) /* y.a AFTER x.a */
+-- 
+2.43.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 702a83fc85..69f90a3c01 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
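Review bot: `c_strncasecmp` in the new `compare_strings_case_insensitive` stops at the first NUL byte like strncasecmp, so two labels that differ only after an embedded NUL would now report NC_EQUAL; if the original `compare_strings` (its body is outside the hunk) compares with memcmp, this is a semantic difference on certificate-supplied data, and unless the callers already reject NUL bytes in DNS names and email domains, a byte-wise loop over `MIN(n1_len, n2_len)` that lowercases each byte with `c_tolower()` would preserve the old exactness. The backport also relies on the gnulib `c-strcase` module being present in the 3.8.4 tarball's bundled gnulib; if it is not, `#include "c-strcase.h"` fails to compile, so a build of this recipe should confirm it before merging. The hunk at `@@ -121,8 +138,8 @@` lands inside compare_dns_names, whose start and end are outside the quoted hunk.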
@@ -47,6 +47,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
 file://CVE-2026-33846.patch \
 file://CVE-2026-33845-pre.patch \
 file://CVE-2026-33845.patch \
+ file://CVE-2026-3833.patch \
 "
 SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
-- 
2.43.0
