From patchwork Mon May 4 17:40:58 2026
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9806
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] gnutls: Update to version 3.8.13
Date: Mon, 4 May 2026 19:40:58 +0200
Message-ID: <20260504174059.3648098-3-adolf.belka@ipfire.org>
In-Reply-To: <20260504174059.3648098-1-adolf.belka@ipfire.org>
References: <20260504174059.3648098-1-adolf.belka@ipfire.org>

- Update from version 3.8.11 to 3.8.13
- Update of rootfile
- 13 CVE Fixes in 3.8.13
- 2 CVE Fixes in 3.8.12
- Changelog
    3.8.13
    ** libgnutls: Add more checks to DTLS reassembly
    Previously, gnutls didn't check that DTLS fragments claimed a consistent
    message_length value. Additionally, a crucial array size check was
    missing, enabling an attacker to cause a heap overwrite. Reject fragments
    with mismatching length and add a missing boundary check.
    Independently reported by Haruto Kimura (Stella), Oscar Reparaz and
    Zou Dikai.
    [GNUTLS-SA-2026-04-29-1, CVSS: high] [CVE-2026-33846]

    ** libgnutls: Fix qsort comparator in DTLS reassembly
    The comparator function used for ordering DTLS packets by sequence
    numbers did not follow qsort comparator contracts in case of packets
    with duplicate sequence numbers, which could lead to unstable ordering
    or undefined behaviour. Returning 0 in such cases makes the sorting
    stable. Additionally, discard packets with the same sequence numbers and
    differing handshake type, so that they don't end up being sorted in the
    first place. Reported by Joshua Rogers of AISLE Research Team.
    [GNUTLS-SA-2026-04-29-2, CVSS: high] [CVE-2026-42009]

    ** libgnutls: Fix crashing on an underflow with a DTLS datagram
    A remotely triggerable underflow in the DTLS reassembly code led to a
    heap overrun. Prevent the underflow from happening. Reported by Joshua
    Rogers of AISLE Research Team.
    [GNUTLS-SA-2026-04-29-3, CVSS: high] [CVE-2026-33845]

    ** libgnutls: Fix RSA-PSK identity truncation
    Servers configured with RSA-PSK have wrongfully matched usernames with a
    NUL character in them to ones truncated at the NUL character, which
    could lead to an authentication bypass. Fix the check to perform the
    comparison up to the full username length. Reported by Joshua Rogers of
    AISLE Research Team.
    [GNUTLS-SA-2026-04-29-4, CVSS: high] [CVE-2026-42010]

    ** libgnutls: Fix case-sensitivity of domain name comparison in name
    constraints
    Domain name comparison during name constraints processing was
    case-sensitive, violating RFC 5280 section 7.2. For excluded name
    constraints, this could lead to incorrectly accepting domain names that
    should've been rejected. DNS name comparison and the domain part of
    email names now perform case-insensitive comparison. Independently
    reported by Oleh Konko (1seal) and Joshua Rogers of AISLE Research Team.
    [GNUTLS-SA-2026-04-29-5, CVSS: high] [CVE-2026-3833]

    ** libgnutls: Fix intersecting empty constraints
    Permitted name constraints were wrongfully ignored when prior CAs only
    had excluded name constraints, resulting in a name constraint bypass.
    Reported by Haruto Kimura (Stella).
    [GNUTLS-SA-2026-04-29-6, CVSS: medium] [CVE-2026-42011]

    ** libgnutls: Suppress CN fallback in presence of URI and SRV SAN
    Certificates containing URI or SRV Subject Alternative Names no longer
    fall back to checking DNS hostnames against Common Name to avoid
    potential misuse of such certificates beyond their original purpose.
    Reported by Oleh Konko (1seal).
    [GNUTLS-SA-2026-04-27-7, CVSS: medium] [CVE-2026-42012]

    ** libgnutls: Suppress CN fallback for oversized SAN
    Validation of certificates with oversized Subject Alternative Names no
    longer falls back to checking DNS hostnames against Common Name.
    Independently reported by Haruto Kimura (Stella) and Joshua Rogers of
    AISLE Research Team.
    [GNUTLS-SA-2026-04-27-8, CVSS: medium] [CVE-2026-42013]

    ** libgnutls: Fix use-after-free in gnutls_pkcs11_token_set_pin
    Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin()
    with oldpin == NULL for a token lacking a protected authentication path
    led to a use-after-free. Reported by Luigino Camastra and Joshua Rogers
    of AISLE Research Team.
    [GNUTLS-SA-2026-04-29-9, CVSS: medium] [CVE-2026-42014]

    ** libgnutls: Fix overread in RSA key exchange with PKCS#11 keys
    For a server using an RSA key backed by a PKCS#11 token, a client
    sending an extremely short premaster secret during an RSA key exchange
    could trigger a short heap overread. Reported by Joshua Rogers of AISLE
    Research Team.
    [GNUTLS-SA-2026-04-29-10, CVSS: medium] [CVE-2026-5260]

    ** libgnutls: Fix off-by-one in PKCS#12 bag element bounds check
    Appending to a PKCS#12 bag that already contained 32 elements could
    write past the bag's internal array. Reported by Zou Dikai.
    [GNUTLS-SA-2026-04-29-11, CVSS: low] [CVE-2026-42015]

    ** libgnutls: Fix multi-entry OCSP response revocation bypass
    When validating a certificate against a multi-entry OCSP response, the
    revocation status was always checked for the first entry instead of the
    entry matching the certificate, which could lead to accepting revoked
    certificates. Independently reported by Oleh Konko (1seal) and Joshua
    Rogers of AISLE Research Team.
    [GNUTLS-SA-2026-04-29-12, CVSS: low] [CVE-2026-3832]

    ** libgnutls: Fix timing side-channel in PKCS#7 padding removal
    The PKCS#7 padding check performed during decryption was not
    constant-time, potentially leaking information about the padding bytes
    through timing differences. Rewritten to remove padding in a
    branch-free manner. Reported by Doria Tang of Stony Brook University.
    [GNUTLS-SA-2026-04-29-13, CVSS: low] [CVE-2026-5419]

    ** libgnutls: Fix PSK username comparison during rehandshake
    Rehandshaking to a username with an embedded NUL character could
    theoretically allow bypassing the GNUTLS_ALLOW_ID_CHANGE protection
    (#1808). Reported and fixed by Joshua Rogers of AISLE Research Team.

    ** libgnutls: Fix OID length check for OCSP delegated signer EKU
    The OCSP signing EKU OID was compared without verifying its length,
    allowing a shorter OID that shares the same prefix to match. The check
    now verifies the length as well (#1810). Reported by Joshua Rogers of
    AISLE Research Team.

    ** libgnutls: Fix AES keys persisting with pkcs11-provider
    When using the pkcs11-provider, AES keys used for cipher operations were
    created as persistent objects and accumulating. They are now ephemeral
    (#1813).

    ** libgnutls: Fix missing RSA key coprimality check in verify_params
    gnutls_privkey_verify_params overlooked the scenario of p and q not
    being co-prime. It now returns GNUTLS_E_PK_INVALID_PRIVKEY in this case
    (#1818). Reported by Kamil Frankowicz.

    ** libgnutls: Fix overread when parsing OpenSSL PEM private keys
    Insufficient bounds checking on the PEM header length could lead to
    short heap overreads on specially crafted inputs (#1854). Independently
    reported by Kamil Frankowicz and Joshua Rogers of AISLE Research Team.

    ** libgnutls: Fix a theoretical double-free during certificate import
    If gnutls_x509_crt_list_import_pkcs11 failed partway through, the trust
    list cleanup code would try to free already-deinitialized certificate
    entries, leading to a double-free (#1819). Reported by Joshua Rogers of
    AISLE Research Team.

    ** libgnutls: Fix heap overread in SCT extension parser
    The list-length validation didn't account for the 2-byte length field,
    allowing a specially crafted SCT extension to cause a 2-byte overread
    past the buffer (#1822). Reported by Joshua Rogers of AISLE Research
    Team.

    ** libgnutls: Zeroize shared secret derived during hybrid key exchange
    The derived shared secret was not zeroized before being freed (#1841).
    Reported by liyue.

    ** build: Support building with Nettle 4.0
    Nettle 4.0 was released in February 2026, with API incompatible changes
    from 3.10. The library can now compile with it, while Nettle 3.10 is
    still supported (#1791).

    ** libgnutls: Support deriving ML-DSA public key from an expanded
    private key
    RFC 9881 defines 3 private key formats for ML-DSA: "seed", "expandedKey"
    and both. It is now possible to derive a public key from a private key
    in the "expandedKey" format (#1723).

    ** libgnutls: Fix loading BIT STRING encoded EdDSA key from PKCS#11
    For compatibility reasons, the library supports two formats for EdDSA
    private keys: either ASN.1 BIT STRING (raw) or OCTET STRING (DER).
    Previously, loading a private key in the former format resulted in a
    failure, which is now fixed (#1749).

    ** libgnutls: HPKE (RFC 9180) is now supported as a technology preview
    The Hybrid Public Key Encryption (HPKE) is a flexible cryptographic
    protocol which makes it possible to encrypt arbitrary data to a
    recipient, by combining a key encapsulation mechanism (KEM) and
    authenticated encryption with additional data (AEAD). GnuTLS now
    includes the implementation contributed by David Dudas. Given this is a
    technology preview, the implementation and the API might suffer
    modification in the following period. Use --enable-hpke to turn on this
    feature (#1506).

    ** libgnutls: Fix TLS 1.3 client certificate selection
    For servers that send a signature_algorithms extension in
    CertificateRequest with new rsa_pss_rsae_* algorithms and without the
    legacy rsa_pkcs1_* ones, the client now properly considers RSA when
    selecting a certificate to send. This fixes TLS 1.3 interoperability
    with newer Java servers when using client certificates. Contributed by
    Romain Tartière (#1842).

    ** libgnutls: Fix kTLS ChaCha20-Poly1305 IV for TLS 1.2
    When using kTLS with ChaCha20-Poly1305 under TLS 1.2, an incorrect value
    was passed as the IV to the kernel, causing connections to fail early.

    ** libgnutls: Allow fetching object type metadata for PKCS#11 keys
    A new library function, gnutls_pkcs11_obj_get_pk_algorithm, has been
    added to check the public key algorithms of PKCS#11 key objects. Object
    types other than CKO_PRIVATE_KEY are currently not supported.
    Contributed by Ghadi Elie Rahme (!2074).

    ** API and ABI modifications:
    gnutls_hpke_kem_t: New enum
    gnutls_hpke_kdf_t: New enum
    gnutls_hpke_aead_t: New enum
    gnutls_hpke_mode_t: New enum
    gnutls_hpke_role_t: New enum
    gnutls_hpke_context_st: New context structure
    gnutls_hpke_init: New function
    gnutls_hpke_deinit: New function
    gnutls_hpke_encap: New function
    gnutls_hpke_seal: New function
    gnutls_hpke_decap: New function
    gnutls_hpke_open: New function
    gnutls_hpke_derive_keypair: New function
    gnutls_hpke_export: New function
    gnutls_pkcs11_obj_get_pk_algorithm: New function

    3.8.12
    ** libgnutls: Fix NULL pointer dereference in PSK binder verification
    A TLS 1.3 resumption attempt with an invalid PSK binder value in
    ClientHello could lead to a denial of service attack via crashing the
    server. The updated code guards against the problematic dereference.
    Reported by Jaehun Lee.
    [Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]

    ** libgnutls: Fix name constraint processing performance issue
    Verifying certificates with pathological amounts of name constraints
    could lead to a denial of service attack via resource exhaustion.
    Reworked processing algorithms exhibit better performance
    characteristics. Reported by Tim Scheckenbach.
    [Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]

    ** libgnutls: Fix multiple unexploitable overflows
    Reported by Tim Rühsen (#1783, #1786).
    ** libgnutls: Fall back to thread-unsafe module initialization
    Improve fallback handling for PKCS#11 modules that don't support
    thread-safe initialization (#1774). Also return filename from
    p11_kit_module_get_name() for unconfigured modules.

    ** libgnutls: Accept NULL as digest argument for gnutls_hash_output
    The accelerated implementation of gnutls_hash_output() now properly
    accepts NULL as the digest argument, matching the behavior of the
    reference implementation (#1769).

    ** srptool: Avoid a stack buffer overflow when processing large SRP
    groups.
    Reported and fixed by Mikhail Dmitrichenko (#1777).

    ** API and ABI modifications:
    No changes since last version.

Signed-off-by: Adolf Belka
---
 config/rootfiles/common/gnutls | 12 +++++++++++-
 lfs/gnutls                     | 13 ++++++-------
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls index 52c3b6764..c02780dfb 100644 --- a/config/rootfiles/common/gnutls +++ b/config/rootfiles/common/gnutls @@ -13,6 +13,7 @@ usr/bin/psktool #usr/include/gnutls/dtls.h #usr/include/gnutls/gnutls.h #usr/include/gnutls/gnutlsxx.h +#usr/include/gnutls/hpke.h #usr/include/gnutls/ocsp.h #usr/include/gnutls/openpgp.h #usr/include/gnutls/pkcs11.h @@ -32,7 +33,7 @@ usr/lib/libgnutls-dane.so.0.4.1 #usr/lib/libgnutls.la #usr/lib/libgnutls.so usr/lib/libgnutls.so.30 -usr/lib/libgnutls.so.30.41.0 +usr/lib/libgnutls.so.30.42.0 #usr/lib/libgnutlsxx.la #usr/lib/libgnutlsxx.so usr/lib/libgnutlsxx.so.30 
@@ -395,6 +396,14 @@ usr/lib/libgnutlsxx.so.30.0.0 #usr/share/man/man3/gnutls_hmac_init.3 #usr/share/man/man3/gnutls_hmac_output.3 #usr/share/man/man3/gnutls_hmac_set_nonce.3 +#usr/share/man/man3/gnutls_hpke_decap.3 +#usr/share/man/man3/gnutls_hpke_deinit.3 +#usr/share/man/man3/gnutls_hpke_derive_keypair.3 +#usr/share/man/man3/gnutls_hpke_encap.3 +#usr/share/man/man3/gnutls_hpke_export.3 +#usr/share/man/man3/gnutls_hpke_init.3 +#usr/share/man/man3/gnutls_hpke_open.3 +#usr/share/man/man3/gnutls_hpke_seal.3 #usr/share/man/man3/gnutls_idna_map.3 #usr/share/man/man3/gnutls_idna_reverse_map.3 #usr/share/man/man3/gnutls_init.3 @@ -514,6 +523,7 @@ usr/lib/libgnutlsxx.so.30.0.0 #usr/share/man/man3/gnutls_pkcs11_obj_get_exts.3 #usr/share/man/man3/gnutls_pkcs11_obj_get_flags.3 #usr/share/man/man3/gnutls_pkcs11_obj_get_info.3 +#usr/share/man/man3/gnutls_pkcs11_obj_get_pk_algorithm.3 #usr/share/man/man3/gnutls_pkcs11_obj_get_ptr.3 #usr/share/man/man3/gnutls_pkcs11_obj_get_type.3 #usr/share/man/man3/gnutls_pkcs11_obj_import_url.3 diff --git a/lfs/gnutls b/lfs/gnutls index c869100ba..ac2afb361 100644 --- a/lfs/gnutls +++ b/lfs/gnutls @@ -24,7 +24,7 @@ include Config -VER = 3.8.11 +VER = 3.8.13 THISAPP = gnutls-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 54ec3fb396187294ae59c65fa92a515175d8ab19d9f5656569b372b5764b3090724aaa8cedd9467b530f2c74e86a6bfd956d3bd9439a7b69656dcc24e303cbe6 +$(DL_FILE)_BLAKE2 = 80677a45a7c6f892287020e3e6b0add2432f2c64a4c9a649ce889921ac65b44931504ad0682ccc12e4b6d8f94c1a72e35c50673c9d04bd4e327063b812339380 install : $(TARGET) 
@@ -70,11 +70,10 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && \ - ./configure \ - --prefix=/usr \ - --without-p11-kit \ - --disable-openssl-compatibility + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --without-p11-kit \ + --disable-openssl-compatibility cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install @rm -rf $(DIR_APP)
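Review bot: in the @@ -13,6 +13,7 @@ hunk of config/rootfiles/common/gnutls, the new `#usr/include/gnutls/hpke.h` entry (and the eight `gnutls_hpke_*.3` man pages added in the @@ -395,6 +396,14 @@ hunk) should be cross-checked against the build options: the changelog quoted in the commit message says HPKE is a technology preview that is turned on with --enable-hpke, while the configure call in lfs/gnutls passes only --prefix, --without-p11-kit and --disable-openssl-compatibility. If the header and man pages are installed unconditionally the entries are correct; if they only appear with --enable-hpke, the rootfile would no longer match what this build actually produces.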
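Review bot: the @@ -40,7 +40,7 @@ hunk in lfs/gnutls replaces the $(DL_FILE)_BLAKE2 digest, which is the only integrity check applied to the downloaded gnutls-3.8.13.tar.xz, and the commit message does not say how the new value was obtained. Suggest stating in the commit message that the tarball was verified against the upstream release signature before the digest was computed, so the checksum is traceable to upstream rather than merely self-consistent with whatever was downloaded.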
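Review bot: the @@ -70,11 +70,10 @@ hunk in lfs/gnutls only reflows `cd $(DIR_APP) && \` and `./configure \` onto one line with the same three options; this cosmetic change is unrelated to the version bump and is not mentioned in the commit message. Either drop it from this patch or add a line to the commit message noting the whitespace cleanup, so that a later review or bisect of the configure flags is not misled into looking for a functional change here.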
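The DTLS reassembly entries quoted in the changelog above (CVE-2026-33846 and CVE-2026-42009) describe three checks: fragments must agree on message_length, the reassembly buffer bound must be enforced, and the qsort comparator must return 0 for equal sequence numbers. The C below is an added illustration of those checks, not GnuTLS code and not part of this patch; the struct layout, MAX_HS_MSG and all function names are assumptions.

```c
#include <stdint.h>

#define MAX_HS_MSG 16384  /* assumed reassembly buffer capacity (illustrative) */

/* Fields of a DTLS handshake fragment header (RFC 6347, section 4.2.2). */
struct hs_fragment {
    uint16_t seq;       /* message_seq */
    uint8_t  htype;     /* HandshakeType */
    uint32_t msg_len;   /* message_length (24 bits on the wire) */
    uint32_t frag_off;  /* fragment_offset */
    uint32_t frag_len;  /* fragment_length */
};

/* Per-message state: the length the first fragment claimed, and the buffer. */
struct hs_reassembly {
    uint8_t  htype;
    uint32_t msg_len;
    uint8_t  buf[MAX_HS_MSG];
};

/* 1 if the fragment may be copied into r->buf, else 0. The end offset is
 * computed in uint64_t so frag_off + frag_len cannot wrap around. */
int hs_fragment_accept(const struct hs_reassembly *r, const struct hs_fragment *f)
{
    uint64_t end = (uint64_t)f->frag_off + f->frag_len;
    if (f->htype != r->htype)     return 0;  /* same seq, other handshake type */
    if (f->msg_len != r->msg_len) return 0;  /* inconsistent message_length */
    if (r->msg_len > MAX_HS_MSG)  return 0;  /* the missing array size check */
    if (end > r->msg_len)         return 0;  /* fragment would overrun the message */
    return 1;
}

/* Scalar wrapper so the checks can be exercised without building structs. */
int hs_check(uint8_t rtype, uint32_t rlen, uint8_t ftype, uint32_t flen, uint32_t off, uint32_t len)
{
    struct hs_reassembly r = { .htype = rtype, .msg_len = rlen };
    struct hs_fragment f = { .htype = ftype, .msg_len = flen,
                             .frag_off = off, .frag_len = len };
    return hs_fragment_accept(&r, &f);
}

/* qsort comparator by message_seq: returning exactly 0 for equal sequence
 * numbers honours the comparator contract; an unsigned difference would not. */
int hs_fragment_cmp(const void *a, const void *b)
{
    const struct hs_fragment *x = a, *y = b;
    return (x->seq > y->seq) - (x->seq < y->seq);
}

int hs_cmp_seq(uint16_t a, uint16_t b)  /* scalar wrapper for the comparator */
{
    struct hs_fragment x = { .seq = a }, y = { .seq = b };
    return hs_fragment_cmp(&x, &y);
}
```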