From 33181e3e8c7427fc823f750e936732b69e247987 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sun, 27 Jul 2025 19:59:53 +0200 Subject: [PATCH] gnutls: patch read buffer overrun in the "pre_shared_key" extension Pick relevant commit from 3.8.10 release MR [1]. The ME contains referece to undiscoled issue, so any security relevant patch should be picked. Binary test file was added as separate file as binary diffs are not supported. [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- ...fer-overrun-in-the-pre_shared_key-ex.patch | 34 ++++++++++++++++++ .../5477db1bb507a35e8833c758ce344f4b5b246d8e | Bin 0 -> 111 bytes meta/recipes-support/gnutls/gnutls_3.7.4.bb | 5 ++- 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch create mode 100644 meta/recipes-support/gnutls/gnutls/5477db1bb507a35e8833c758ce344f4b5b246d8e diff --git a/meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch b/meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch new file mode 100644 index 0000000000..ce78fe1c95 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch @@ -0,0 +1,34 @@ +From 208c6478d5c20b9d8a9f0a293e3808aa16ee091f Mon Sep 17 00:00:00 2001 +From: Andrew Hamilton +Date: Mon, 7 Jul 2025 10:31:55 +0900 +Subject: [PATCH] psk: fix read buffer overrun in the "pre_shared_key" + extension + +While processing the "pre_shared_key" extension in TLS 1.3, if there +are certain malformed data in the extension headers, then the code may +read uninitialized memory (2 bytes) beyond the received TLS extension +buffer. Spotted by oss-fuzz at: +https://issues.oss-fuzz.com/issues/42513990 + +Signed-off-by: Andrew Hamilton +Signed-off-by: Daiki Ueno + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/208c6478d5c20b9d8a9f0a293e3808aa16ee091f] +Signed-off-by: Peter Marko +--- + lib/ext/pre_shared_key.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c +index 51c4891d5..2cb83e670 100644 +--- a/lib/ext/pre_shared_key.c ++++ b/lib/ext/pre_shared_key.c +@@ -839,6 +839,8 @@ static int _gnutls_psk_recv_params(gnutls_session_t session, + + if (session->security_parameters.entity == GNUTLS_CLIENT) { + if (session->internals.hsk_flags & HSK_PSK_KE_MODES_SENT) { ++ DECR_LEN(len, 2); ++ + uint16_t selected_identity = _gnutls_read_uint16(data); + + for (i=0;ikey.binders)/sizeof(session->key.binders[0]);i++) { diff --git a/meta/recipes-support/gnutls/gnutls/5477db1bb507a35e8833c758ce344f4b5b246d8e b/meta/recipes-support/gnutls/gnutls/5477db1bb507a35e8833c758ce344f4b5b246d8e new file mode 100644 index 0000000000000000000000000000000000000000..009d44c394fd08c5400fb63f837e468f1738522d GIT binary patch literal 111 zc-j+VR$$0tVqi#PW>$cL|3C-_{}F5f1vDVc!oZ-%pv}O<%%Y&cpnw5DdjBH~V9;b> F001Hn6Z-%F literal 0 Hc-jL100001 diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb index 48ddb269de..4929e44db3 100644 --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb @@ -31,6 +31,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2024-12243.patch \ file://CVE-2025-32989.patch \ file://04939b75417cc95b7372c6f208c4bda4579bdc34 \ + file://0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch \ + file://5477db1bb507a35e8833c758ce344f4b5b246d8e \ " SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f" @@ -69,8 +71,9 @@ do_configure:prepend() { done # binary files cannot be delivered as diff - mkdir -p ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ + mkdir -p ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ ${S}/fuzz/gnutls_psk_client_fuzzer.repro/ cp ${WORKDIR}/04939b75417cc95b7372c6f208c4bda4579bdc34 ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ + cp ${WORKDIR}/5477db1bb507a35e8833c758ce344f4b5b246d8e ${S}/fuzz/gnutls_psk_client_fuzzer.repro/ } PACKAGES =+ "${PN}-openssl ${PN}-xx" -- 2.47.2