From: Peter Marko Date: Sun, 27 Jul 2025 17:59:54 +0000 (+0200) Subject: gnutls: patch reject zero-length version in certificate request X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=990bd6fab5c6004b9fbcdb9c76bcb3a96ba5887a;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git gnutls: patch reject zero-length version in certificate request Pick relevant commit from 3.8.10 release MR [1]. The MR contains referece to undiscoled issue, so any security relevant patch should be picked. Binary test file was added as separate file as binary diffs are not supported. [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-support/gnutls/gnutls/0001-x509-reject-zero-length-version-in-certificate-reque.patch b/meta/recipes-support/gnutls/gnutls/0001-x509-reject-zero-length-version-in-certificate-reque.patch new file mode 100644 index 0000000000..6351bf4559 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0001-x509-reject-zero-length-version-in-certificate-reque.patch @@ -0,0 +1,37 @@ +From 61c0505634a6faacf9fa0723843408aa0d3fb90a Mon Sep 17 00:00:00 2001 +From: Andrew Hamilton +Date: Mon, 7 Jul 2025 10:35:54 +0900 +Subject: [PATCH] x509: reject zero-length version in certificate request + +Ensure zero size asn1 values are considered invalid in +gnutls_x509_crq_get_version, this ensures crq version is not used +uninitialized. Spotted by oss-fuzz at: +https://issues.oss-fuzz.com/issues/42536706 + +Signed-off-by: Andrew Hamilton +Signed-off-by: Daiki Ueno + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/61c0505634a6faacf9fa0723843408aa0d3fb90a] +Signed-off-by: Peter Marko +--- + lib/x509/crq.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/lib/x509/crq.c b/lib/x509/crq.c +index 19e13623c..9e9801d2b 100644 +--- a/lib/x509/crq.c ++++ b/lib/x509/crq.c +@@ -635,6 +635,13 @@ int gnutls_x509_crq_get_version(gnutls_x509_crq_t crq) + return _gnutls_asn2err(result); + } + ++ /* Note that asn1_read_value can return success with */ ++ /* len set to zero (without setting the data) in some */ ++ /* conditions. */ ++ if (unlikely(len <= 0)) { ++ return gnutls_assert_val(GNUTLS_E_ASN1_VALUE_NOT_VALID); ++ } ++ + return (int) version[0] + 1; + } + diff --git a/meta/recipes-support/gnutls/gnutls/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 b/meta/recipes-support/gnutls/gnutls/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 new file mode 100644 index 0000000000..23ff09c4be Binary files /dev/null and b/meta/recipes-support/gnutls/gnutls/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 differ diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb index 4929e44db3..65e42c00c2 100644 --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb @@ -33,6 +33,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://04939b75417cc95b7372c6f208c4bda4579bdc34 \ file://0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch \ file://5477db1bb507a35e8833c758ce344f4b5b246d8e \ + file://0001-x509-reject-zero-length-version-in-certificate-reque.patch \ + file://3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 \ " SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f" @@ -71,9 +73,10 @@ do_configure:prepend() { done # binary files cannot be delivered as diff - mkdir -p ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ ${S}/fuzz/gnutls_psk_client_fuzzer.repro/ + mkdir -p ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ ${S}/fuzz/gnutls_psk_client_fuzzer.repro/ ${S}/fuzz/gnutls_x509_crq_parser_fuzzer.repro/ cp ${WORKDIR}/04939b75417cc95b7372c6f208c4bda4579bdc34 ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ cp ${WORKDIR}/5477db1bb507a35e8833c758ce344f4b5b246d8e ${S}/fuzz/gnutls_psk_client_fuzzer.repro/ + cp ${WORKDIR}/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 ${S}/fuzz/gnutls_x509_crq_parser_fuzzer.repro/ } PACKAGES =+ "${PN}-openssl ${PN}-xx"