gnutls: patch CVE-2025-32988

Pick relevant commit from 3.8.10 release MR [1]. [1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979 (From OE-Core rev: 2838dae57a1236d4f6eb97e32eb500892ba67184) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-07-27 19:49:17 +0200
committer: Steve Sakoman <steve@sakoman.com> 2025-08-04 07:55:06 -0700
commit: f5aab3822719eee58e39c9ae658425e60b30d1e8 (patch)
tree: bc5cf10461ba19882554c1c5038698b424e29639
parent: bee76dfe7eb0722f3433393b9ae04f1db4977c37 (diff)
download: poky-f5aab3822719eee58e39c9ae658425e60b30d1e8.tar.gz
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch
new file mode 100644
index 0000000000..007dfb2309
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch
@@ -0,0 +1,58 @@
+From 608829769cbc247679ffe98841109fc73875e573 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 7 Jul 2025 10:44:12 +0900
+Subject: [PATCH] x509: avoid double free when exporting othernames in SAN
+Previously, the _gnutls_write_new_othername function, called by
+gnutls_x509_ext_export_subject_alt_names to export "otherName" in a
+certificate's SAN extension, freed the caller allocated ASN.1
+structure upon error, resulting in a potential double-free.
+Reported by OpenAI Security Research Team.
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+CVE: CVE-2025-32988
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/608829769cbc247679ffe98841109fc73875e573]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ NEWS                  | 5 +++++
+ lib/x509/extensions.c | 2 --
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+diff --git a/NEWS b/NEWS
+index 025e05148..ff289fa75 100644
+--- a/NEWS
+++ b/NEWS
+@@ -10,6 +10,11 @@ See the end for copying conditions.
+    and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
+    CVSS: medium] [CVE-2025-32989]
+ 
+** libgnutls: Fix double-free upon error when exporting otherName in SAN
+   Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
+   CVSS: low] [CVE-2025-32988]
+
+
+ * Version 3.8.4 (released 2024-03-18)
+ 
+ ** libgnutls: RSA-OAEP encryption scheme is now supported
+diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c
+index 6c2da8fd1..e8be12eaf 100644
+--- a/lib/x509/extensions.c
+++ b/lib/x509/extensions.c
+@@ -754,7 +754,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name,
+        result = asn1_write_value(ext, name2, oid, 1);
+        if (result != ASN1_SUCCESS) {
+                gnutls_assert();
+-               asn1_delete_structure(&ext);
+                return _gnutls_asn2err(result);
+        }
+ 
+@@ -763,7 +762,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name,
+        result = asn1_write_value(ext, name2, data, data_size);
+        if (result != ASN1_SUCCESS) {
+                gnutls_assert();
+-               asn1_delete_structure(&ext);
+                return _gnutls_asn2err(result);
+        }
+ 
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 2a73a1e3d8..9644f3c50e 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
           file://5477db1bb507a35e8833c758ce344f4b5b246d8e \
           file://0001-x509-reject-zero-length-version-in-certificate-reque.patch \
           file://3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 \
+           file://CVE-2025-32988.patch \
           "
 SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"
author	Peter Marko <peter.marko@siemens.com>	2025-07-27 19:49:17 +0200
committer	Steve Sakoman <steve@sakoman.com>	2025-08-04 07:55:06 -0700
commit	f5aab3822719eee58e39c9ae658425e60b30d1e8 (patch)
tree	bc5cf10461ba19882554c1c5038698b424e29639
parent	bee76dfe7eb0722f3433393b9ae04f1db4977c37 (diff)
download	poky-f5aab3822719eee58e39c9ae658425e60b30d1e8.tar.gz

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch new file mode 100644 index 0000000000..007dfb2309 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch
@@ -0,0 +1,58 @@
		1	From 608829769cbc247679ffe98841109fc73875e573 Mon Sep 17 00:00:00 2001
		2	From: Daiki Ueno <ueno@gnu.org>
		3	Date: Mon, 7 Jul 2025 10:44:12 +0900
		4	Subject: [PATCH] x509: avoid double free when exporting othernames in SAN
		5
		6	Previously, the _gnutls_write_new_othername function, called by
		7	gnutls_x509_ext_export_subject_alt_names to export "otherName" in a
		8	certificate's SAN extension, freed the caller allocated ASN.1
		9	structure upon error, resulting in a potential double-free.
		10
		11	Reported by OpenAI Security Research Team.
		12
		13	Signed-off-by: Daiki Ueno <ueno@gnu.org>
		14
		15	CVE: CVE-2025-32988
		16	Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/608829769cbc247679ffe98841109fc73875e573]
		17	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		18	---
		19	NEWS \| 5 +++++
		20	lib/x509/extensions.c \| 2 --
		21	2 files changed, 5 insertions(+), 2 deletions(-)
		22
		23	diff --git a/NEWS b/NEWS
		24	index 025e05148..ff289fa75 100644
		25	--- a/NEWS
		26	+++ b/NEWS
		27	@@ -10,6 +10,11 @@ See the end for copying conditions.
		28	and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
		29	CVSS: medium] [CVE-2025-32989]
		30
		31	+** libgnutls: Fix double-free upon error when exporting otherName in SAN
		32	+ Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
		33	+ CVSS: low] [CVE-2025-32988]
		34	+
		35	+
		36	* Version 3.8.4 (released 2024-03-18)
		37
		38	** libgnutls: RSA-OAEP encryption scheme is now supported
		39	diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c
		40	index 6c2da8fd1..e8be12eaf 100644
		41	--- a/lib/x509/extensions.c
		42	+++ b/lib/x509/extensions.c
		43	@@ -754,7 +754,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name,
		44	result = asn1_write_value(ext, name2, oid, 1);
		45	if (result != ASN1_SUCCESS) {
		46	gnutls_assert();
		47	- asn1_delete_structure(&ext);
		48	return _gnutls_asn2err(result);
		49	}
		50
		51	@@ -763,7 +762,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name,
		52	result = asn1_write_value(ext, name2, data, data_size);
		53	if (result != ASN1_SUCCESS) {
		54	gnutls_assert();
		55	- asn1_delete_structure(&ext);
		56	return _gnutls_asn2err(result);
		57	}
		58


diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb index 2a73a1e3d8..9644f3c50e 100644 --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
30	file://5477db1bb507a35e8833c758ce344f4b5b246d8e \	30	file://5477db1bb507a35e8833c758ce344f4b5b246d8e \
31	file://0001-x509-reject-zero-length-version-in-certificate-reque.patch \	31	file://0001-x509-reject-zero-length-version-in-certificate-reque.patch \
32	file://3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 \	32	file://3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 \
		33	file://CVE-2025-32988.patch \
33	"	34	"
34		35
35	SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"	36	SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"