gnutls: patch reject zero-length version in certificate request

Pick relevant commit from 3.8.10 release MR [1]. The MR contains referece to undiscoled issue, so any security relevant patch should be picked. Binary test file was added as separate file as binary diffs are not supported. [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979 (From OE-Core rev: 990bd6fab5c6004b9fbcdb9c76bcb3a96ba5887a) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-07-27 19:59:54 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-08-04 06:40:00 -0700
commit: 37cd90079b4494d63c182537a9b77597aae0bb45 (patch)
tree: aaf8147efe98ab25dea740d0f857ff41d0f1a50a
parent: 5e3b686673a0e45f6efd950146d36152ef5b8c0d (diff)
download: poky-37cd90079b4494d63c182537a9b77597aae0bb45.tar.gz
3 files changed, 41 insertions, 1 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/0001-x509-reject-zero-length-version-in-certificate-reque.patch b/meta/recipes-support/gnutls/gnutls/0001-x509-reject-zero-length-version-in-certificate-reque.patch
new file mode 100644
index 0000000000..6351bf4559
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0001-x509-reject-zero-length-version-in-certificate-reque.patch
@@ -0,0 +1,37 @@
+From 61c0505634a6faacf9fa0723843408aa0d3fb90a Mon Sep 17 00:00:00 2001
+From: Andrew Hamilton <adhamilt@gmail.com>
+Date: Mon, 7 Jul 2025 10:35:54 +0900
+Subject: [PATCH] x509: reject zero-length version in certificate request
+Ensure zero size asn1 values are considered invalid in
+gnutls_x509_crq_get_version, this ensures crq version is not used
+uninitialized. Spotted by oss-fuzz at:
+https://issues.oss-fuzz.com/issues/42536706
+Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/61c0505634a6faacf9fa0723843408aa0d3fb90a]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/x509/crq.c                                    |   7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/lib/x509/crq.c b/lib/x509/crq.c
+index 19e13623c..9e9801d2b 100644
+--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
+@@ -635,6 +635,13 @@ int gnutls_x509_crq_get_version(gnutls_x509_crq_t crq)
+                return _gnutls_asn2err(result);
+        }
+ 
+       /* Note that asn1_read_value can return success with */
+       /* len set to zero (without setting the data) in some */
+       /* conditions. */
+       if (unlikely(len <= 0)) {
+               return gnutls_assert_val(GNUTLS_E_ASN1_VALUE_NOT_VALID);
+       }
+
+        return (int) version[0] + 1;
+ }
+ 
diff --git a/meta/recipes-support/gnutls/gnutls/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 b/meta/recipes-support/gnutls/gnutls/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2
new file mode 100644
index 0000000000..23ff09c4be
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2
Binary files differ
diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
index 4929e44db3..65e42c00c2 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -33,6 +33,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
           file://04939b75417cc95b7372c6f208c4bda4579bdc34 \
           file://0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch \
           file://5477db1bb507a35e8833c758ce344f4b5b246d8e \
+           file://0001-x509-reject-zero-length-version-in-certificate-reque.patch \
+           file://3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 \
           "
 SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"
@@ -71,9 +73,10 @@ do_configure:prepend() {
        done
    # binary files cannot be delivered as diff
-    mkdir -p ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ ${S}/fuzz/gnutls_psk_client_fuzzer.repro/
+    mkdir -p ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ ${S}/fuzz/gnutls_psk_client_fuzzer.repro/ ${S}/fuzz/gnutls_x509_crq_parser_fuzzer.repro/
    cp ${WORKDIR}/04939b75417cc95b7372c6f208c4bda4579bdc34 ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/
    cp ${WORKDIR}/5477db1bb507a35e8833c758ce344f4b5b246d8e ${S}/fuzz/gnutls_psk_client_fuzzer.repro/
+    cp ${WORKDIR}/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 ${S}/fuzz/gnutls_x509_crq_parser_fuzzer.repro/
 }
 PACKAGES =+ "${PN}-openssl ${PN}-xx"
author	Peter Marko <peter.marko@siemens.com>	2025-07-27 19:59:54 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-08-04 06:40:00 -0700
commit	37cd90079b4494d63c182537a9b77597aae0bb45 (patch)
tree	aaf8147efe98ab25dea740d0f857ff41d0f1a50a
parent	5e3b686673a0e45f6efd950146d36152ef5b8c0d (diff)
download	poky-37cd90079b4494d63c182537a9b77597aae0bb45.tar.gz

diff --git a/meta/recipes-support/gnutls/gnutls/0001-x509-reject-zero-length-version-in-certificate-reque.patch b/meta/recipes-support/gnutls/gnutls/0001-x509-reject-zero-length-version-in-certificate-reque.patch new file mode 100644 index 0000000000..6351bf4559 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0001-x509-reject-zero-length-version-in-certificate-reque.patch
@@ -0,0 +1,37 @@
		1	From 61c0505634a6faacf9fa0723843408aa0d3fb90a Mon Sep 17 00:00:00 2001
		2	From: Andrew Hamilton <adhamilt@gmail.com>
		3	Date: Mon, 7 Jul 2025 10:35:54 +0900
		4	Subject: [PATCH] x509: reject zero-length version in certificate request
		5
		6	Ensure zero size asn1 values are considered invalid in
		7	gnutls_x509_crq_get_version, this ensures crq version is not used
		8	uninitialized. Spotted by oss-fuzz at:
		9	https://issues.oss-fuzz.com/issues/42536706
		10
		11	Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
		12	Signed-off-by: Daiki Ueno <ueno@gnu.org>
		13
		14	Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/61c0505634a6faacf9fa0723843408aa0d3fb90a]
		15	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		16	---
		17	lib/x509/crq.c \| 7 +++++++
		18	1 file changed, 7 insertions(+)
		19
		20	diff --git a/lib/x509/crq.c b/lib/x509/crq.c
		21	index 19e13623c..9e9801d2b 100644
		22	--- a/lib/x509/crq.c
		23	+++ b/lib/x509/crq.c
		24	@@ -635,6 +635,13 @@ int gnutls_x509_crq_get_version(gnutls_x509_crq_t crq)
		25	return _gnutls_asn2err(result);
		26	}
		27
		28	+ /* Note that asn1_read_value can return success with */
		29	+ /* len set to zero (without setting the data) in some */
		30	+ /* conditions. */
		31	+ if (unlikely(len <= 0)) {
		32	+ return gnutls_assert_val(GNUTLS_E_ASN1_VALUE_NOT_VALID);
		33	+ }
		34	+
		35	return (int) version[0] + 1;
		36	}
		37


diff --git a/meta/recipes-support/gnutls/gnutls/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 b/meta/recipes-support/gnutls/gnutls/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 new file mode 100644 index 0000000000..23ff09c4be --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2
Binary files differ


diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb index 4929e44db3..65e42c00c2 100644 --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -33,6 +33,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
33	file://04939b75417cc95b7372c6f208c4bda4579bdc34 \	33	file://04939b75417cc95b7372c6f208c4bda4579bdc34 \
34	file://0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch \	34	file://0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch \
35	file://5477db1bb507a35e8833c758ce344f4b5b246d8e \	35	file://5477db1bb507a35e8833c758ce344f4b5b246d8e \
		36	file://0001-x509-reject-zero-length-version-in-certificate-reque.patch \
		37	file://3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 \
36	"	38	"
37		39
38	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"	40	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"
@@ -71,9 +73,10 @@ do_configure:prepend() {
71	done	73	done
72		74
73	# binary files cannot be delivered as diff	75	# binary files cannot be delivered as diff
74	mkdir -p ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ ${S}/fuzz/gnutls_psk_client_fuzzer.repro/	76	mkdir -p ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ ${S}/fuzz/gnutls_psk_client_fuzzer.repro/ ${S}/fuzz/gnutls_x509_crq_parser_fuzzer.repro/
75	cp ${WORKDIR}/04939b75417cc95b7372c6f208c4bda4579bdc34 ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/	77	cp ${WORKDIR}/04939b75417cc95b7372c6f208c4bda4579bdc34 ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/
76	cp ${WORKDIR}/5477db1bb507a35e8833c758ce344f4b5b246d8e ${S}/fuzz/gnutls_psk_client_fuzzer.repro/	78	cp ${WORKDIR}/5477db1bb507a35e8833c758ce344f4b5b246d8e ${S}/fuzz/gnutls_psk_client_fuzzer.repro/
		79	cp ${WORKDIR}/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 ${S}/fuzz/gnutls_x509_crq_parser_fuzzer.repro/
77	}	80	}
78		81
79	PACKAGES =+ "${PN}-openssl ${PN}-xx"	82	PACKAGES =+ "${PN}-openssl ${PN}-xx"