From: "Hugo SIMELIERE (Schneider Electric)" <[email protected]>
Pick patch from [1] as mentioned in Debian report in [2]. [1] https://gitlab.com/gnutls/gnutls/-/commit/a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca [2] https://security-tracker.debian.org/tracker/CVE-2026-42015 Signed-off-by: Hugo SIMELIERE (Schneider Electric) <[email protected]> Reviewed-by: Bruno VERNAY <[email protected]> --- .../gnutls/gnutls/CVE-2026-42015.patch | 50 +++++++++++++++++++ meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch new file mode 100644 index 0000000000..dfc3506ccc --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-42015.patch 
@@ -0,0 +1,50 @@ +From 264da2a72033ed8890105231e5d36263d403ca60 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin <[email protected]> +Date: Mon, 20 Apr 2026 22:42:20 +0200 +Subject: [PATCH] x509/pkcs12_bag: fix off-by-one in bag element bounds check + +Appending elements to a PKCS#12 bag had a bounds check that +prevented adding the 32nd element. +On the other hand, it is possible to import one that already has 32. +Subsequent appending then led to writing past the 32-element array, +smashing its length. + +Tighten the check to reject any bag with 32 or more elements. + +We'll treat this vulnerability as a Low due to how contrived +the requirements are: for the code to be vulnerable, +it needs to append to an imported untrusted unencrypted PKCS#12 structure. + +Reported-by: Zou Dikai +Fixes: #1840 +Fixes: CVE-2026-42015 +Fixes: GNUTLS-SA-2026-04-29-11 +CVSS: 6.1 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H +Severity: Low + +CVE: CVE-2026-42015 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca] + +Signed-off-by: Alexander Sosedkin <[email protected]> +(cherry picked from commit a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <[email protected]> +--- + lib/x509/pkcs12_bag.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c +index 911aeff93..38228613c 100644 +--- a/lib/x509/pkcs12_bag.c ++++ b/lib/x509/pkcs12_bag.c +@@ -375,7 +375,7 @@ int gnutls_pkcs12_bag_set_data(gnutls_pkcs12_bag_t bag, + return GNUTLS_E_INVALID_REQUEST; + } + +- if (bag->bag_elements == MAX_BAG_ELEMENTS - 1) { ++ if (bag->bag_elements >= MAX_BAG_ELEMENTS - 1) { + gnutls_assert(); + /* bag is full */ + return GNUTLS_E_MEMORY_ERROR; +-- +2.43.0 + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index 69f90a3c01..20946c1030 100644 
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb @@ -48,6 +48,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2026-33845-pre.patch \ file://CVE-2026-33845.patch \ file://CVE-2026-3833.patch \ + file://CVE-2026-42015.patch \ " SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b" -- 2.43.0
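Review bot: in the lib/x509/pkcs12_bag.c hunk of the new CVE-2026-42015.patch, the corrected condition `if (bag->bag_elements >= MAX_BAG_ELEMENTS - 1)` rejects a bag once it already holds MAX_BAG_ELEMENTS - 1 elements, so it keeps the original behaviour of refusing the 32nd element and additionally catches an imported bag that already carries 32; the commit message's "reject any bag with 32 or more elements" therefore describes the check as one element looser than it is (the array holds 32, the code stops at 31). That is the safe direction, but a one-line note in the message would save the next reader from re-deriving it. Separately, the patch header is `From 264da2a72033ed8890105231e5d36263d403ca60` while Upstream-Status and the "cherry picked from" line both name a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca; consider stating which branch 264da2a comes from, or pointing Upstream-Status at the commit actually carried, so provenance of the backport is unambiguous.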
View/Reply Online (#237395): https://lists.openembedded.org/g/openembedded-core/message/237395
