|
| 1 | +From 11bb6396dd2cf7a0ac84b5a5d7a6f4ddeda4c54a Mon Sep 17 00:00:00 2001 |
| 2 | +From: Alexander Sosedkin <asosedkin@redhat.com> |
| 3 | +Date: Tue, 21 Apr 2026 19:26:10 +0200 |
| 4 | +Subject: [PATCH] lib/auth/rsa_psk: fix binary PSK identity lookup |
| 5 | + |
| 6 | +A server looking up PSK username with a NUL-character in it |
| 7 | +was wrongfully matching username truncated at a NUL-character. |
| 8 | +Fix the check to compare up to the full username length. |
| 9 | + |
| 10 | +Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu> |
| 11 | +Fixes: #1850 |
| 12 | +Fixes: CVE-2026-42010 |
| 13 | +Fixes: GNUTLS-SA-2026-04-29-4 |
| 14 | +CVSS: 7.1 High CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
| 15 | +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com> |
| 16 | +Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> |
| 17 | +Upstream-reference: https://gitlab.com/gnutls/gnutls/-/commit/cb1833afd9b6309563211b1c0a7c291f52ca98d5.patch |
| 18 | +--- |
| 19 | + lib/auth/rsa_psk.c | 3 +-- |
| 20 | + 1 file changed, 1 insertion(+), 2 deletions(-) |
| 21 | + |
| 22 | +diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c |
| 23 | +index 399fb4d..a14de46 100644 |
| 24 | +--- a/lib/auth/rsa_psk.c |
| 25 | ++++ b/lib/auth/rsa_psk.c |
| 26 | +@@ -321,8 +321,7 @@ static int _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, |
| 27 | + * filled in if the key is not found. |
| 28 | + */ |
| 29 | + ret = _gnutls_psk_pwd_find_entry(session, info->username, |
| 30 | +- strlen(info->username), &pwd_psk, |
| 31 | +- NULL); |
| 32 | ++ info->username_len, &pwd_psk, NULL); |
| 33 | + if (ret < 0) |
| 34 | + return gnutls_assert_val(ret); |
| 35 | + |
| 36 | +-- |
| 37 | +2.45.4 |
| 38 | + |
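Review bot: Nothing at the `_gnutls_psk_pwd_find_entry` call in `_gnutls_proc_rsa_psk_client_kx` records why the length must come from `info->username_len`, so a later cleanup could reintroduce the truncating `strlen()`; extending the existing comment above the call with `/* username is binary and may contain NUL: pass the stored length, never strlen() */` would pin that. The backported patch touches only lib/auth/rsa_psk.c (one insertion, two deletions) and carries no regression test, so it is worth adding or porting one that presents an identity with an embedded NUL and checks that it does not resolve to the entry of its NUL-truncated prefix. From this hunk alone it cannot be seen whether other callers of `_gnutls_psk_pwd_find_entry`, or other uses of `info->username`, still rely on NUL termination; that is worth auditing in the same package update. The function body starts and ends outside the hunk.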