diff --git a/SPECS/gnutls/CVE-2026-33846.patch b/SPECS/gnutls/CVE-2026-33846.patch
new file mode 100644
index 00000000000..b06a6a88f2d
--- /dev/null
+++ b/SPECS/gnutls/CVE-2026-33846.patch
@@ -0,0 +1,63 @@
+From 65ab33fa54e34fba69d793735b7df3d383d1ff78 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin
+Date: Fri, 17 Apr 2026 18:21:36 +0200
+Subject: [PATCH] buffers: add more checks to DTLS reassembly
+
+Previously, gnutls didn't check that DTLS fragments claimed
+a consistent message_length value.
+Additionally, a crucial array size check was missing,
+enabling an attacker to cause a heap overwrite.
+The updated version rejects fragments with mismatching length
+and adds a missing boundary check.
+
+Reported-by: Haruto Kimura (Stella)
+Reported-by: Oscar Reparaz
+Reported-by: Zou Dikai
+Fixes: #1816
+Fixes: #1838
+Fixes: #1839
+Fixes: CVE-2026-33846
+Fixes: GNUTLS-SA-2026-04-29-1
+CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
+CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+Signed-off-by: Alexander Sosedkin
+
+Upstream Patch Reference: https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78.patch
+---
+ lib/buffers.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/lib/buffers.c b/lib/buffers.c
+index 672380b..0f6ae1c 100644
+--- a/lib/buffers.c
++++ b/lib/buffers.c
+@@ -1009,6 +1009,26 @@ static int merge_handshake_packet(gnutls_session_t session,
+ &session->internals.handshake_recv_buffer[pos], hsk);
+
+ } else {
++ if (hsk->length != session->internals.handshake_recv_buffer[pos].length) {
++ /* inconsistent across fragments */
++ _gnutls_handshake_buffer_clear(hsk);
++ return gnutls_assert_val(
++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++ }
++ /* start_offset + data.length <= hsk->length <= max_length */
++ if (hsk->length < hsk->start_offset + hsk->data.length) {
++ /* impossible claims, overflow requested */
++ _gnutls_handshake_buffer_clear(hsk);
++ return gnutls_assert_val(
++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++ }
++ if (hsk->length > session->internals.handshake_recv_buffer[pos].data.max_length) {
++ /* we don't have this much allocated, overflow guard */
++ _gnutls_handshake_buffer_clear(hsk);
++ return gnutls_assert_val(
++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++ }
++
+ if (hsk->start_offset <
+ session->internals.handshake_recv_buffer[pos]
+ .start_offset &&
+--
+2.45.4
+
diff --git a/SPECS/gnutls/CVE-2026-3832.patch b/SPECS/gnutls/CVE-2026-3832.patch
new file mode 100644
index 00000000000..f04a937cbd1
--- /dev/null
+++ b/SPECS/gnutls/CVE-2026-3832.patch
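Review bot: In the lib/buffers.c hunk of CVE-2026-33846.patch, the second added guard, `hsk->length < hsk->start_offset + hsk->data.length`, is only sound if the sum cannot wrap, and the operand types are not visible here. A subtraction form holds regardless of their widths: `if (hsk->start_offset > hsk->length || hsk->data.length > hsk->length - hsk->start_offset)`. The three rejections share the same clear-and-return body, so they could also be folded into one condition under a single comment stating the invariant `start_offset + data.length <= length <= max_length`. merge_handshake_packet begins and ends outside the hunk, so whether the first-fragment branch enforces the same bound cannot be confirmed from these lines.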
@@ -0,0 +1,70 @@
+From 731861b9de8dccaf7d3b0c1446833051e48670c2 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin
+Date: Thu, 12 Mar 2026 09:48:57 +0100
+Subject: [PATCH] cert-session: fix multi-entry OCSP revocation bypass
+
+In check_ocsp_response(), the code first searched
+for the SingleResponse that matches the certificate being validated.
+But later, the status was retrieved from entry 0 unconditionally,
+rather than from the matched resp_indx.
+As a result, if entry 0 corresponded to a different certificate and was good,
+while the matched entry for the peer certificate is revoked,
+the revocation check could've mistakenly accept the certificate.
+
+Reported-by: Oleh Konko (1seal)
+Reported-by: Joshua Rogers of AISLE Research Team
+Fixes: #1801
+Fixes: #1812
+Fixes: CVE-2026-3832
+Fixes: GNUTLS-SA-2026-04-29-12
+CVSS: 3.7 Low CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
+Introduced-in: ae404fe8488dee424876b5963c00d7e041672415 3.8.9
+Signed-off-by: Alexander Sosedkin
+
+Upstream Patch Reference: https://gitlab.com/gnutls/gnutls/-/commit/731861b9de8dccaf7d3b0c1446833051e48670c2.patch
+---
+ lib/cert-session.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/lib/cert-session.c b/lib/cert-session.c
+index 5a4b997..53de6f1 100644
+--- a/lib/cert-session.c
++++ b/lib/cert-session.c
+@@ -236,7 +236,7 @@ static int check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
+ {
+ gnutls_ocsp_resp_t resp;
+ int ret;
+- unsigned int status, cert_status;
++ unsigned int status, cert_status, resp_indx;
+ time_t rtime, vtime, ntime, now;
+ int check_failed = 0;
+
+@@ -277,7 +277,11 @@ static int check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
+ goto cleanup;
+ }
+
+- ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
++ for (resp_indx = 0;; resp_indx++) {
++ ret = gnutls_ocsp_resp_check_crt(resp, resp_indx, cert);
++ if (ret == 0 || ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
++ break;
++ }
+ if (ret < 0) {
+ ret = gnutls_assert_val(0);
+ _gnutls_audit_log(
+@@ -339,9 +343,9 @@ static int check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
+ goto cleanup;
+ }
+
+- ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
+- &cert_status, &vtime, &ntime, &rtime,
+- NULL);
++ ret = gnutls_ocsp_resp_get_single(resp, resp_indx, NULL, NULL, NULL,
++ NULL, &cert_status, &vtime, &ntime,
++ &rtime, NULL);
+ if (ret < 0) {
+ _gnutls_audit_log(
+ session,
+--
+2.45.4
+
diff --git a/SPECS/gnutls/gnutls.spec b/SPECS/gnutls/gnutls.spec
index 1e7de6aa25d..9521dbc284d 100644
--- a/SPECS/gnutls/gnutls.spec
+++ b/SPECS/gnutls/gnutls.spec
@@ -1,7 +1,7 @@ Summary: The GnuTLS Transport Layer Security Library Name: gnutls Version: 3.8.3 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv3+ AND LGPLv2.1+ Vendor: Microsoft Corporation Distribution: Azure Linux
@@ -20,6 +20,8 @@ Patch7: CVE-2025-32988.patch Patch8: CVE-2025-6395.patch Patch9: CVE-2025-13151.patch Patch10: CVE-2025-9820.patch +Patch11: CVE-2026-33846.patch +Patch12: CVE-2026-3832.patch BuildRequires: autogen-libopts-devel BuildRequires: gc-devel BuildRequires: libtasn1-devel
@@ -101,6 +103,9 @@ sed -i 's/TESTS += test-ciphers-openssl.sh//' tests/slow/Makefile.am %{_mandir}/man3/* %changelog +* Fri May 08 2026 Azure Linux Security Servicing Account - 3.8.3-9 +- Patch for CVE-2026-3832, CVE-2026-33846 + * Wed Jan 28 2026 Akhila Guruju - 3.8.3-8 - Patch CVE-2025-9820
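Review bot: In CVE-2026-3832.patch, the removed lines of lib/cert-session.c call both `gnutls_ocsp_resp_check_crt(resp, 0, cert)` and `gnutls_ocsp_resp_get_single(resp, 0, ...)` with index 0, so the packaged 3.8.3 code appears to match and read the same entry, and the `Introduced-in:` trailer names 3.8.9. That suggests this backport imports the multi-entry search rather than only correcting the index, which is a behaviour change beyond the upstream fix; the patch header should record it, e.g. `Backport note: 3.8.3 only checked entry 0; this patch adds the resp_indx search and uses it for the status lookup.` The added `for (resp_indx = 0;; resp_indx++)` loop is also unbounded and keeps iterating on every error other than `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE`; if gnutls_ocsp_resp_check_crt can fail for a reason that does not depend on the index, it would not terminate, so consider breaking on such errors as well. check_ocsp_response begins and ends outside the hunks shown.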