Hi Yoann,

Thanks for pointing that out.

I’ve removed the commented hunk as suggested. I had already fixed it in the whinlatter branch, but missed sending the update for scarthgap earlier—sorry about that. I will send the v2 patch soon.

Thanks again for the review!

Thanks & Regards,
Vijay

On Mon, Mar 30, 2026 at 3:38 AM Yoann Congal <[email protected]> wrote:
> On Tue Feb 17, 2026 at 9:14 AM CET, Vijay Anusuri via lists.openembedded.org wrote:
> > Picked commits which mention this CVE per [1].
> >
> > [1] https://ubuntu.com/security/CVE-2025-14831
> > [2] https://security-tracker.debian.org/tracker/CVE-2025-14831
> > [3] https://gitlab.com/gnutls/gnutls/-/issues/1773
> > > > Signed-off-by: Vijay Anusuri <[email protected]> > > --- > > .../gnutls/gnutls/CVE-2025-14831-1.patch | 61 +++ > > .../gnutls/gnutls/CVE-2025-14831-2.patch | 30 ++ > > .../gnutls/gnutls/CVE-2025-14831-3.patch | 45 ++ > > .../gnutls/gnutls/CVE-2025-14831-4.patch | 200 +++++++ > > .../gnutls/gnutls/CVE-2025-14831-5.patch | 500 ++++++++++++++++++ > > .../gnutls/gnutls/CVE-2025-14831-6.patch | 119 +++++ > > .../gnutls/gnutls/CVE-2025-14831-7.patch | 150 ++++++ > > .../gnutls/gnutls/CVE-2025-14831-8.patch | 105 ++++ > > .../gnutls/gnutls/CVE-2025-14831-9.patch | 437 +++++++++++++++ > > meta/recipes-support/gnutls/gnutls_3.8.4.bb | 9 + > > 10 files changed, 1656 insertions(+) > > create mode 100644 > meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch > > create mode 100644 > meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch > > create mode 100644 > meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch > > create mode 100644 > meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch > > create mode 100644 > meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch > > create mode 100644 > meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch > > create mode 100644 > meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch > > create mode 100644 > meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch > > create mode 100644 > meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch > > > > [...] > > diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch > b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch > > new file mode 100644 > > index 0000000000..27ed995d8d > > --- /dev/null > > +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch 
> > @@ -0,0 +1,437 @@ > > +Backport of: > > + > > +From d6054f0016db05fb5c82177ddbd0a4e8331059a1 Mon Sep 17 00:00:00 2001 > > +From: Alexander Sosedkin <[email protected]> > > +Date: Wed, 4 Feb 2026 20:03:49 +0100 > > +Subject: [PATCH] x509/name_constraints: > name_constraints_node_list_intersect > > + over sorted > > + > > +Fixes: #1773 > > +Fixes: GNUTLS-SA-2026-02-09-2 > > +Fixes: CVE-2025-14831 > > + > > +Signed-off-by: Alexander Sosedkin <[email protected]> > > + > > +Upstream-Status: Backport [ > https://gitlab.com/gnutls/gnutls/-/commit/d6054f0016db05fb5c82177ddbd0a4e8331059a1 > ] > > +CVE: CVE-2025-14831 > > +Signed-off-by: Vijay Anusuri <[email protected]> > > +--- > > + NEWS | 7 + > > + lib/x509/name_constraints.c | 350 ++++++++++++++---------------------- > > + 2 files changed, 142 insertions(+), 215 deletions(-) > > + > > +#diff --git a/NEWS b/NEWS > > +#index e506db547a..96b7484fdf 100644 > > +#--- a/NEWS > > +#+++ b/NEWS > > +#@@ -14,6 +14,13 @@ See the end for copying conditions. > > +# Reported by Jaehun Lee. > > +# [Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584] > > +# > > +#+** libgnutls: Fix name constraint processing performance issue > > +#+ Verifying certificates with pathological amounts of name > constraints > > +#+ could lead to a denial of service attack via resource exhaustion. > > +#+ Reworked processing algorithms exhibit better performance > characteristics. > > +#+ Reported by Tim Scheckenbach. > > +#+ [Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831] > > +#+ > > +# ** libgnutls: Fix multiple unexploitable overflows > > +# Reported by Tim Rühsen (#1783, #1786). > > +# > > Hello, > > When I reviewed this patch for whinlatter, I asked for this commented > hunk to be removed. Can you also remove it here as well? > > Generally, since you often send patches for multiple stable branches in > parallel, when you get a review for one branch that applies for your > others patches, please fix those as well. > > Thanks! 
> --
> Yoann Congal
> Smile ECS
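
Review bot: In CVE-2025-14831-9.patch the upstream NEWS hunk is kept but disabled by prefixing each of its lines with '#', so the patch file carries a change that is never applied while its embedded diffstat still reports "NEWS | 7 +" and "2 files changed, 142 insertions(+), 215 deletions(-)". Delete the commented NEWS lines outright, and if the NEWS change is intentionally left out of the backport, record that in a short line next to "Upstream-Status: Backport" so the deviation from upstream commit d6054f0016db05fb5c82177ddbd0a4e8331059a1 is visible to the next reviewer. Patches 1 to 8 are elided in this quote ("[...]"), so the same check is worth repeating on them before v2.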
