2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch
new file mode 100644
index 0000000000..4779787bc3
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch
@@ -0,0 +1,58 @@
+From 608829769cbc247679ffe98841109fc73875e573 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 7 Jul 2025 10:44:12 +0900
+Subject: [PATCH] x509: avoid double free when exporting othernames in SAN
+Previously, the _gnutls_write_new_othername function, called by
+gnutls_x509_ext_export_subject_alt_names to export "otherName" in a
+certificate's SAN extension, freed the caller allocated ASN.1
+structure upon error, resulting in a potential double-free.
+Reported by OpenAI Security Research Team.
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+CVE: CVE-2025-32988
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/608829769cbc247679ffe98841109fc73875e573]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ NEWS                  | 5 +++++
+ lib/x509/extensions.c | 2 --
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+diff --git a/NEWS b/NEWS
+index 025e05148..ff289fa75 100644
+--- a/NEWS
+++ b/NEWS
+@@ -10,6 +10,11 @@ See the end for copying conditions.
+    and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
+    CVSS: medium] [CVE-2025-32989]
+ 
+** libgnutls: Fix double-free upon error when exporting otherName in SAN
+   Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
+   CVSS: low] [CVE-2025-32988]
+
+
+ * Version 3.7.4 (released 2022-03-17)
+ 
+ ** libgnutls: Fixed double free during verification of pkcs7 signatures.
+diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c
+index 6c2da8fd1..e8be12eaf 100644
+--- a/lib/x509/extensions.c
+++ b/lib/x509/extensions.c
+@@ -805,7 +805,6 @@ _gnutls_write_new_othername(asn1_node ext, const char *ext_name,
+        result = asn1_write_value(ext, name2, oid, 1);
+        if (result != ASN1_SUCCESS) {
+                gnutls_assert();
+-               asn1_delete_structure(&ext);
+                return _gnutls_asn2err(result);
+        }
+ 
+@@ -814,7 +813,6 @@ _gnutls_write_new_othername(asn1_node ext, const char *ext_name,
+        result = asn1_write_value(ext, name2, data, data_size);
+        if (result != ASN1_SUCCESS) {
+                gnutls_assert();
+-               asn1_delete_structure(&ext);
+                return _gnutls_asn2err(result);
+        }
+ 
diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
index 65e42c00c2..33553e617e 100644
--- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -35,6 +35,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
           file://5477db1bb507a35e8833c758ce344f4b5b246d8e \
           file://0001-x509-reject-zero-length-version-in-certificate-reque.patch \
           file://3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 \
+           file://CVE-2025-32988.patch \
           "
 SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch new file mode 100644 index 0000000000..4779787bc3 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch
@@ -0,0 +1,58 @@
		1	From 608829769cbc247679ffe98841109fc73875e573 Mon Sep 17 00:00:00 2001
		2	From: Daiki Ueno <ueno@gnu.org>
		3	Date: Mon, 7 Jul 2025 10:44:12 +0900
		4	Subject: [PATCH] x509: avoid double free when exporting othernames in SAN
		5
		6	Previously, the _gnutls_write_new_othername function, called by
		7	gnutls_x509_ext_export_subject_alt_names to export "otherName" in a
		8	certificate's SAN extension, freed the caller allocated ASN.1
		9	structure upon error, resulting in a potential double-free.
		10
		11	Reported by OpenAI Security Research Team.
		12
		13	Signed-off-by: Daiki Ueno <ueno@gnu.org>
		14
		15	CVE: CVE-2025-32988
		16	Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/608829769cbc247679ffe98841109fc73875e573]
		17	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		18	---
		19	NEWS \| 5 +++++
		20	lib/x509/extensions.c \| 2 --
		21	2 files changed, 5 insertions(+), 2 deletions(-)
		22
		23	diff --git a/NEWS b/NEWS
		24	index 025e05148..ff289fa75 100644
		25	--- a/NEWS
		26	+++ b/NEWS
		27	@@ -10,6 +10,11 @@ See the end for copying conditions.
		28	and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
		29	CVSS: medium] [CVE-2025-32989]
		30
		31	+** libgnutls: Fix double-free upon error when exporting otherName in SAN
		32	+ Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
		33	+ CVSS: low] [CVE-2025-32988]
		34	+
		35	+
		36	* Version 3.7.4 (released 2022-03-17)
		37
		38	** libgnutls: Fixed double free during verification of pkcs7 signatures.
		39	diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c
		40	index 6c2da8fd1..e8be12eaf 100644
		41	--- a/lib/x509/extensions.c
		42	+++ b/lib/x509/extensions.c
		43	@@ -805,7 +805,6 @@ _gnutls_write_new_othername(asn1_node ext, const char *ext_name,
		44	result = asn1_write_value(ext, name2, oid, 1);
		45	if (result != ASN1_SUCCESS) {
		46	gnutls_assert();
		47	- asn1_delete_structure(&ext);
		48	return _gnutls_asn2err(result);
		49	}
		50
		51	@@ -814,7 +813,6 @@ _gnutls_write_new_othername(asn1_node ext, const char *ext_name,
		52	result = asn1_write_value(ext, name2, data, data_size);
		53	if (result != ASN1_SUCCESS) {
		54	gnutls_assert();
		55	- asn1_delete_structure(&ext);
		56	return _gnutls_asn2err(result);
		57	}
		58


diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb index 65e42c00c2..33553e617e 100644 --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb
@@ -35,6 +35,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
35	file://5477db1bb507a35e8833c758ce344f4b5b246d8e \	35	file://5477db1bb507a35e8833c758ce344f4b5b246d8e \
36	file://0001-x509-reject-zero-length-version-in-certificate-reque.patch \	36	file://0001-x509-reject-zero-length-version-in-certificate-reque.patch \
37	file://3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 \	37	file://3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 \
		38	file://CVE-2025-32988.patch \
38	"	39	"
39		40
40	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"	41	SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f"