gnutls: patch read buffer overrun in the "pre_shared_key" extension

Pick relevant commit from 3.8.10 release MR [1]. The ME contains referece to undiscoled issue, so any security relevant patch should be picked. Binary test file was added as separate file as binary diffs are not supported. [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979 (From OE-Core rev: 33181e3e8c7427fc823f750e936732b69e247987) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-07-27 19:59:53 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-08-04 06:40:00 -0700
commit: 5e3b686673a0e45f6efd950146d36152ef5b8c0d (patch)
tree: d5d1319f639495d113e9bb211ec60dec93e3e7f6
parent: 9c136548279504f2e458b59f5cdb347c464e6de5 (diff)
download: poky-5e3b686673a0e45f6efd950146d36152ef5b8c0d.tar.gz
3 files changed, 38 insertions, 1 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch b/meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch
new file mode 100644
index 0000000000..ce78fe1c95
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch
@@ -0,0 +1,34 @@
+From 208c6478d5c20b9d8a9f0a293e3808aa16ee091f Mon Sep 17 00:00:00 2001
+From: Andrew Hamilton <adhamilt@gmail.com>
+Date: Mon, 7 Jul 2025 10:31:55 +0900
+Subject: [PATCH] psk: fix read buffer overrun in the "pre_shared_key"
+ extension
+While processing the "pre_shared_key" extension in TLS 1.3, if there
+are certain malformed data in the extension headers, then the code may
+read uninitialized memory (2 bytes) beyond the received TLS extension
+buffer. Spotted by oss-fuzz at:
+https://issues.oss-fuzz.com/issues/42513990
+Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/208c6478d5c20b9d8a9f0a293e3808aa16ee091f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/ext/pre_shared_key.c                          |   2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
+index 51c4891d5..2cb83e670 100644
+--- a/lib/ext/pre_shared_key.c
+++ b/lib/ext/pre_shared_key.c
+@@ -839,6 +839,8 @@ static int _gnutls_psk_recv_params(gnutls_session_t session,
+ 
+        if (session->security_parameters.entity == GNUTLS_CLIENT) {
+                if (session->internals.hsk_flags & HSK_PSK_KE_MODES_SENT) {
+                       DECR_LEN(len, 2);
+
+                        uint16_t selected_identity = _gnutls_read_uint16(data);
+ 
+                        for (i=0;i<sizeof(session->key.binders)/sizeof(session->key.binders[0]);i++) {
diff --git a/meta/recipes-support/gnutls/gnutls/5477db1bb507a35e8833c758ce344f4b5b246d8e b/meta/recipes-support/gnutls/gnutls/5477db1bb507a35e8833c758ce344f4b5b246d8e
new file mode 100644
index 0000000000..009d44c394
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/5477db1bb507a35e8833c758ce344f4b5b246d8e
Binary files differ
diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
index 48ddb269de..4929e44db3 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -31,6 +31,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
           file://CVE-2024-12243.patch \
           file://CVE-2025-32989.patch \
           file://04939b75417cc95b7372c6f208c4bda4579bdc34 \
+           file://0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch \
+           file://5477db1bb507a35e8833c758ce344f4b5b246d8e \
           "
 SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"
@@ -69,8 +71,9 @@ do_configure:prepend() {
        done
    # binary files cannot be delivered as diff
-    mkdir -p ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/
+    mkdir -p ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ ${S}/fuzz/gnutls_psk_client_fuzzer.repro/
    cp ${WORKDIR}/04939b75417cc95b7372c6f208c4bda4579bdc34 ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/
+    cp ${WORKDIR}/5477db1bb507a35e8833c758ce344f4b5b246d8e ${S}/fuzz/gnutls_psk_client_fuzzer.repro/
 }
 PACKAGES =+ "${PN}-openssl ${PN}-xx"
author	Peter Marko <peter.marko@siemens.com>	2025-07-27 19:59:53 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-08-04 06:40:00 -0700
commit	5e3b686673a0e45f6efd950146d36152ef5b8c0d (patch)
tree	d5d1319f639495d113e9bb211ec60dec93e3e7f6
parent	9c136548279504f2e458b59f5cdb347c464e6de5 (diff)
download	poky-5e3b686673a0e45f6efd950146d36152ef5b8c0d.tar.gz

diff --git a/meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch b/meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch new file mode 100644 index 0000000000..ce78fe1c95 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch
@@ -0,0 +1,34 @@
		1	From 208c6478d5c20b9d8a9f0a293e3808aa16ee091f Mon Sep 17 00:00:00 2001
		2	From: Andrew Hamilton <adhamilt@gmail.com>
		3	Date: Mon, 7 Jul 2025 10:31:55 +0900
		4	Subject: [PATCH] psk: fix read buffer overrun in the "pre_shared_key"
		5	extension
		6
		7	While processing the "pre_shared_key" extension in TLS 1.3, if there
		8	are certain malformed data in the extension headers, then the code may
		9	read uninitialized memory (2 bytes) beyond the received TLS extension
		10	buffer. Spotted by oss-fuzz at:
		11	https://issues.oss-fuzz.com/issues/42513990
		12
		13	Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
		14	Signed-off-by: Daiki Ueno <ueno@gnu.org>
		15
		16	Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/208c6478d5c20b9d8a9f0a293e3808aa16ee091f]
		17	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		18	---
		19	lib/ext/pre_shared_key.c \| 2 ++
		20	1 file changed, 2 insertions(+)
		21
		22	diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
		23	index 51c4891d5..2cb83e670 100644
		24	--- a/lib/ext/pre_shared_key.c
		25	+++ b/lib/ext/pre_shared_key.c
		26	@@ -839,6 +839,8 @@ static int _gnutls_psk_recv_params(gnutls_session_t session,
		27
		28	if (session->security_parameters.entity == GNUTLS_CLIENT) {
		29	if (session->internals.hsk_flags & HSK_PSK_KE_MODES_SENT) {
		30	+ DECR_LEN(len, 2);
		31	+
		32	uint16_t selected_identity = _gnutls_read_uint16(data);
		33
		34	for (i=0;i<sizeof(session->key.binders)/sizeof(session->key.binders[0]);i++) {


diff --git a/meta/recipes-support/gnutls/gnutls/5477db1bb507a35e8833c758ce344f4b5b246d8e b/meta/recipes-support/gnutls/gnutls/5477db1bb507a35e8833c758ce344f4b5b246d8e new file mode 100644 index 0000000000..009d44c394 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/5477db1bb507a35e8833c758ce344f4b5b246d8e
Binary files differ


diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb index 48ddb269de..4929e44db3 100644 --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -31,6 +31,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
31	file://CVE-2024-12243.patch \	31	file://CVE-2024-12243.patch \
32	file://CVE-2025-32989.patch \	32	file://CVE-2025-32989.patch \
33	file://04939b75417cc95b7372c6f208c4bda4579bdc34 \	33	file://04939b75417cc95b7372c6f208c4bda4579bdc34 \
		34	file://0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch \
		35	file://5477db1bb507a35e8833c758ce344f4b5b246d8e \
34	"	36	"
35		37
36	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"	38	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"
@@ -69,8 +71,9 @@ do_configure:prepend() {
69	done	71	done
70		72
71	# binary files cannot be delivered as diff	73	# binary files cannot be delivered as diff
72	mkdir -p ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/	74	mkdir -p ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/ ${S}/fuzz/gnutls_psk_client_fuzzer.repro/
73	cp ${WORKDIR}/04939b75417cc95b7372c6f208c4bda4579bdc34 ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/	75	cp ${WORKDIR}/04939b75417cc95b7372c6f208c4bda4579bdc34 ${S}/fuzz/gnutls_x509_parser_fuzzer.repro/
		76	cp ${WORKDIR}/5477db1bb507a35e8833c758ce344f4b5b246d8e ${S}/fuzz/gnutls_psk_client_fuzzer.repro/
74	}	77	}
75		78
76	PACKAGES =+ "${PN}-openssl ${PN}-xx"	79	PACKAGES =+ "${PN}-openssl ${PN}-xx"