From: Peter Marko Date: Sun, 27 Jul 2025 17:59:52 +0000 (+0200) Subject: gnutls: patch CVE-2025-32989 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fbe5f828c63071962d571a8787298aa5fd78ebe8;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git gnutls: patch CVE-2025-32989 Pick relevant commit from 3.8.10 release MR [1]. Binary test file was added as separate file as binary diffs are not supported. [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-support/gnutls/gnutls/04939b75417cc95b7372c6f208c4bda4579bdc34 b/meta/recipes-support/gnutls/gnutls/04939b75417cc95b7372c6f208c4bda4579bdc34 new file mode 100644 index 0000000000..ffcfe23e99 Binary files /dev/null and b/meta/recipes-support/gnutls/gnutls/04939b75417cc95b7372c6f208c4bda4579bdc34 differ diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-32989.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-32989.patch new file mode 100644 index 0000000000..c21fc6e969 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-32989.patch @@ -0,0 +1,50 @@ +From 8e5ca951257202089246fa37e93a99d210ee5ca2 Mon Sep 17 00:00:00 2001 +From: Andrew Hamilton +Date: Mon, 7 Jul 2025 10:23:59 +0900 +Subject: [PATCH] x509: fix read buffer overrun in SCT timestamps + +Prevent reading beyond heap buffer in call to _gnutls_parse_ct_sct +when processing x509 Signed Certificate Timestamps with certain +malformed data. Spotted by oss-fuzz at: +https://issues.oss-fuzz.com/issues/42530513 + +Signed-off-by: Andrew Hamilton +Signed-off-by: Daiki Ueno + +CVE: CVE-2025-32989 +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/8e5ca951257202089246fa37e93a99d210ee5ca2] +Signed-off-by: Peter Marko +--- + NEWS | 5 +++++ + lib/x509/x509_ext.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index 85efb5680..025e05148 100644 +--- a/NEWS ++++ b/NEWS +@@ -5,6 +5,11 @@ Copyright (C) 2000-2016 Free Software Foundation, Inc. + Copyright (C) 2013-2019 Nikos Mavrogiannopoulos + See the end for copying conditions. + ++** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps ++ Spotted by oss-fuzz and reported by OpenAI Security Research Team, ++ and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1, ++ CVSS: medium] [CVE-2025-32989] ++ + * Version 3.7.4 (released 2022-03-17) + + ** libgnutls: Fixed double free during verification of pkcs7 signatures. +diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c +index 064ca8357..05336a0c2 100644 +--- a/lib/x509/x509_ext.c ++++ b/lib/x509/x509_ext.c +@@ -3855,7 +3855,7 @@ int gnutls_x509_ext_ct_import_scts(const gnutls_datum_t *ext, gnutls_x509_ct_sct + } + + length = _gnutls_read_uint16(scts_content.data); +- if (length < 4) { ++ if (length < 4 || length > scts_content.size) { + gnutls_free(scts_content.data); + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; + } diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb index 5cd85c5996..48ddb269de 100644 --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb @@ -29,6 +29,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2024-28834.patch \ file://CVE-2024-28835.patch \ file://CVE-2024-12243.patch \ + file://CVE-2025-32989.patch \ + file://04939b75417cc95b7372c6f208c4bda4579bdc34 \ " SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f" @@ -65,6 +67,10 @@ do_configure:prepend() { for dir in . lib; do rm -f ${dir}/aclocal.m4 ${dir}/m4/libtool.m4 ${dir}/m4/lt*.m4 done + + # binary files cannot be delivered as diff + mkdir -p ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ + cp ${WORKDIR}/04939b75417cc95b7372c6f208c4bda4579bdc34 ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ } PACKAGES =+ "${PN}-openssl ${PN}-xx"