From: "Hugo SIMELIERE (Schneider Electric)" <[email protected]>
Pick patch from [1] as mentioned in Debian report in [2]. [1] https://gitlab.com/gnutls/gnutls/-/commit/3957f136e2ed23caf176a594b54b3827f5cef701 [2] https://security-tracker.debian.org/tracker/CVE-2026-42014 Signed-off-by: Hugo SIMELIERE (Schneider Electric) <[email protected]> Reviewed-by: Bruno VERNAY <[email protected]> --- .../gnutls/gnutls/CVE-2026-42014.patch | 67 +++++++++++++++++++ meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch b/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch new file mode 100644 index 0000000000..ceaf05bf1e --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2026-42014.patch @@ -0,0 +1,67 @@ +From b48f025e58763f3975e5d65d698df27a5211bc51 Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin <[email protected]> +Date: Wed, 18 Mar 2026 18:19:06 +0100 +Subject: [PATCH] pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin + +Changing Security Officer PIN with gnutls_pkcs11_token_set_pin() with +oldpin == NULL for a token that lacks a protected authentication path +led to a use-after-free. + +Reported-by: Luigino Camastra and Joshua Rogers of AISLE Research Team +Fixes: #1766 +Fixes: #1809 +Fixes: CVE-2026-42014 +Fixes: GNUTLS-SA-2026-04-29-9 +CVSS: 4.0 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + +CVE: CVE-2026-42014 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/3957f136e2ed23caf176a594b54b3827f5cef701] + +Signed-off-by: Alexander Sosedkin <[email protected]> +(cherry picked from commit 3957f136e2ed23caf176a594b54b3827f5cef701) +Signed-off-by: Hugo SIMELIERE (Schneider Electric) <[email protected]> +--- + lib/pkcs11_write.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c +index 961e1b9d8..9fe571ea2 100644 +--- a/lib/pkcs11_write.c ++++ b/lib/pkcs11_write.c +@@ -1267,10 +1267,9 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin, + ses_flags = SESSION_WRITE | SESSION_LOGIN; + + ret = pkcs11_open_session(&sinfo, NULL, info, ses_flags); +- p11_kit_uri_free(info); +- + if (ret < 0) { + gnutls_assert(); ++ p11_kit_uri_free(info); + return ret; + } + +@@ -1291,9 +1290,11 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin, + oldpin_size = L(oldpin); + + if (!(sinfo.tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) { +- if (newpin == NULL) +- return gnutls_assert_val( ++ if (newpin == NULL) { ++ ret = gnutls_assert_val( + GNUTLS_E_INVALID_REQUEST); ++ goto finish; ++ } + + if (oldpin == NULL) { + struct pin_info_st pin_info; +@@ -1325,6 +1326,7 @@ int gnutls_pkcs11_token_set_pin(const char *token_url, const char *oldpin, + ret = 0; + + finish: ++ p11_kit_uri_free(info); + pkcs11_close_session(&sinfo); + return ret; + } +-- +2.43.0 + diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index 20946c1030..dc8e28c99b 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb @@ -49,6 +49,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2026-33845.patch \ file://CVE-2026-3833.patch \ file://CVE-2026-42015.patch \ + file://CVE-2026-42014.patch \ " SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b" -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#237397): https://lists.openembedded.org/g/openembedded-core/message/237397 Mute This Topic: https://lists.openembedded.org/mt/119404643/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
