Debian Patches

Status for gnutls28/3.8.9-3+deb13u4

Patch Description Author Forwarded Bugs Origin Last update
14_version_gettextcat.diff Version filename of locale data (gnutls30.mo instead of gnutls.mo) This is necessary to make e.g. libgnutls26 and libgnutls28
co-installable.
Andreas Metzler <ametzler@debian.org> no 2023-06-03
40_srptest_doubletimeout.diff Increase timeout for srp test, fixing build error on mipsel Andreas Metzler <ametzler@debian.org> yes upstream vendor 2023-06-03
41_run_cligen_on_debian.diff Check for python on Debian builds, un-disables running cligen Andreas Metzler <ametzler@debian.org> not-needed vendor 2025-02-08
45_lib-x509-x509_ext.c-Add-gnutls_free-to-avoid-memory-.patch lib/x509/x509_ext.c: Add gnutls_free() to avoid memory leak
Add gnutls_free() to free ooc if subject_alt_names_set() fails to avoid memory leak.
Jiasheng Jiang <jian1000@purdue.edu> no 2025-07-05
46_lib-hello_ext.c-Add-gnutls_free-to-avoid-memory-leak.patch lib/hello_ext.c: Add gnutls_free() to avoid memory leak
Add gnutls_free() to free tmp_mod.name in the error handling to avoid memory leak.
Jiasheng Jiang <jian1000@purdue.edu> no 2025-07-05
47_0001-x509-fix-read-buffer-overrun-in-SCT-timestamps.patch [PATCH 1/6] x509: fix read buffer overrun in SCT timestamps
Prevent reading beyond heap buffer in call to _gnutls_parse_ct_sct
when processing x509 Signed Certificate Timestamps with certain
malformed data. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42530513
Andrew Hamilton <adhamilt@gmail.com> no 2025-07-07
47_0002-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch [PATCH 2/6] psk: fix read buffer overrun in the "pre_shared_key" extension

While processing the "pre_shared_key" extension in TLS 1.3, if there
are certain malformed data in the extension headers, then the code may
read uninitialized memory (2 bytes) beyond the received TLS extension
buffer. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42513990
Andrew Hamilton <adhamilt@gmail.com> no 2025-07-07
47_0003-x509-reject-zero-length-version-in-certificate-reque.patch [PATCH 3/6] x509: reject zero-length version in certificate request
Ensure zero size asn1 values are considered invalid in
gnutls_x509_crq_get_version, this ensures crq version is not used
uninitialized. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42536706
Andrew Hamilton <adhamilt@gmail.com> no 2025-07-07
47_0004-x509-avoid-double-free-when-exporting-othernames-in-.patch [PATCH 4/6] x509: avoid double free when exporting othernames in SAN
Previously, the _gnutls_write_new_othername function, called by
gnutls_x509_ext_export_subject_alt_names to export "otherName" in a
certificate's SAN extension, freed the caller allocated ASN.1
structure upon error, resulting in a potential double-free.

Reported by OpenAI Security Research Team.
Daiki Ueno <ueno@gnu.org> no 2025-07-07
47_0005-certtool-avoid-1-byte-write-buffer-overrun-when-pars.patch [PATCH 5/6] certtool: avoid 1-byte write buffer overrun when parsing template

Previously, when parsing a template file with a number of key value
pairs, certtool could write a NUL byte after the heap buffer, causing
a memory corruption. This fixes the issue by allocating the NUL byte.
Reported by David Aitel.
Daiki Ueno <ueno@gnu.org> no 2025-07-07
47_0006-handshake-clear-HSK_PSK_SELECTED-is-when-resetting-b.patch [PATCH 6/6] handshake: clear HSK_PSK_SELECTED is when resetting binders

When a TLS 1.3 handshake involves HRR and resumption or PSK, and the
second Client Hello omits PSK, the server would result in a NULL
pointer dereference as the PSK binder information is cleared while the
HSK_PSK_SELECTED flag is still set. This makes sure that
HSK_PSK_SELECTED flag is always cleared when the PSK binders are
reset. This also makes it clear the HSK_PSK_SELECTED flag is valid
only during a handshake; after that, whether PSK is used can be
checked with gnutls_auth_client_get_type.

Reported by Stefan Bühler.
Daiki Ueno <ueno@gnu.org> no 2025-07-07
48_0001-pkcs11-try-to-initialize-modules-in-thread-safe-mode.patch pkcs11: try to initialize modules in thread-safe mode
When modules are initialized without CKF_OS_LOCKING_OK nor custom
locking functions, they may skip their internal locking assuming that
the applications will take care of thread-safety, which is costly and
GnuTLS currently doesn't do that.

To mitigate this, this patch changes the module initialization code to
tell the modules to guarantee thread-safety by themselves. If they are
unable to do that, this falls back to the normal initialization
without C_Initialize parameters. This also omits the custom_init flag,
which indicated whether the module is initialized with
p11_kit_module_initialize or a direct call to C_Initialize, now that
modules are always initialized with C_Initialize.
Daiki Ueno <ueno@gnu.org> no 2025-09-02
48_0002-pkcs11-avoid-stack-overwrite-when-initializing-a-tok.patch pkcs11: avoid stack overwrite when initializing a token
If gnutls_pkcs11_token_init is called with label longer than 32
characters, the internal storage used to blank-fill it would
overflow. This adds a guard to prevent that.
Daiki Ueno <ueno@gnu.org> no 2025-11-18
49_x509-fix-incorrect-handling-in-name-constraints-merg.patch x509: fix incorrect handling in name constraints merging
As mentioned in commit ca573d65 ("x509: Fix asymmetry in name
constraints intersection", 2016-07-29), the
_gnutls_name_constraints_intersect function exhibited an
asymmetry in name constraints intersection behavior, specifically
manifested as:
1. Nodes of unique types in PERMITTED (absent in PERMITTED2) were
preserved
2. Nodes of unique types in PERMITTED2 (absent in PERMITTED) were
discarded

A 'used' flag was introduced, where if a node from PERMITTED2 was
not used for the intersection, it would be copied to PERMITTED.

However, an unresolved edge case persisted:
- When 'removed.size > 0', the 'used' flag was unconditionally set
to 1
- This prevented copying of PERMITTED2 nodes with unique types
chenjianhu <chenjianhu@kylinos.cn> no 2025-08-01
50_0001-x509-name_constraints-use-actual-zeroes-in-universal.patch [PATCH 1/9] x509/name_constraints: use actual zeroes in universal exclude IP NC Alexander Sosedkin <asosedkin@redhat.com> no 2026-01-26
50_0002-tests-name-constraints-ip-stop-swallowing-errors.patch [PATCH 2/9] tests/name-constraints-ip: stop swallowing errors...
... now when it started to pass
Alexander Sosedkin <asosedkin@redhat.com> no 2026-01-26
50_0003-x509-name_constraints-reject-some-malformed-domain-n.patch [PATCH 3/9] x509/name_constraints: reject some malformed domain names Alexander Sosedkin <asosedkin@redhat.com> no 2026-01-26
50_0004-x509-name_constraints-name_constraints_node_add_-new.patch [PATCH 4/9] x509/name_constraints: name_constraints_node_add_{new,copy} Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-05
50_0005-x509-name_constraints-introduce-a-rich-comparator.patch [PATCH 5/9] x509/name_constraints: introduce a rich comparator
These are preparatory changes before implementing N * log N intersection
over sorted lists of constraints.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-01-26
50_0006-x509-name_constraints-add-sorted_view-in-preparation.patch [PATCH 6/9] x509/name_constraints: add sorted_view in preparation...
... for actually using it later for performance gains.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-04
50_0007-x509-name_constraints-implement-name_constraints_nod.patch [PATCH 7/9] x509/name_constraints: implement name_constraints_node_list_union Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-04
50_0008-x509-name_constraints-make-types_with_empty_intersec.patch [PATCH 8/9] x509/name_constraints: make types_with_empty_intersection a bitmask Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-04
50_0009-x509-name_constraints-name_constraints_node_list_int.patch [PATCH 9/9] x509/name_constraints: name_constraints_node_list_intersect over sorted Alexander Sosedkin <asosedkin@redhat.com> no 2026-02-04
51_handshake-only-shuffle-extensions-in-the-first-Client-Hel.patch handshake: only shuffle extensions in the first Client Hello
RFC 8446 section 4.1.2 states that the second Client Hello after HRR
should preserve the same content as the first Client Hello with
limited exceptions. Since GnuTLS 3.8.5, however, the library started
shuffling the order of extensions for privacy reasons and that didn't
comply with the RFC, leading to a connectivity issue against the
server configuration with a stricter check on that.
Daiki Ueno <ueno@gnu.org> yes debian upstream upstream, 3.8.10, commit:dc5ee80c3a28577e9de0f82fb08164e4c02b96af 2025-02-09
53_0001_gnutls-3.8.10-CVE-2026-33846-dtls-len.patch [PATCH 1/7] tests/mini-dtls-fragments: implement a basic DTLS test Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-20
53_0002_gnutls-3.8.10-CVE-2026-42009-dtls-qsort.patch [PATCH 1/2] lib/buffers: ensure packets have differing sequence numbers

There should normally be no packets with same sequence number and
differing handshake type, unless an adversary crafts them.
Discarding them allows to get rid of packets
with duplicate sequence ID in the buffer,
relieving us from the question of how to sort them later.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-21
53_0003_gnutls-3.8.10-CVE-2026-33845-dtls-uflow.patch [PATCH 1/5] buffers: rename a variable in parse_handshake_header Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-22
53_0004_gnutls-3.8.10-CVE-2026-42010-psk-nul.patch [PATCH 1/5] tests/pskself2: extend with RSA-PSK support Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-21
53_0005_gnutls-3.8.10-CVE-2026-3833-nc-case.patch [PATCH 1/2] x509/name-constraints: compare domain names case-insensitive

RFC 5280 7.2:
> When comparing DNS names for equality, conforming implementations
> MUST perform a case-insensitive exact match on the entire DNS name.
> When evaluating name constraints, conforming implementations MUST
> perform a case-insensitive exact match on a label-by-label basis.

Domain name comparison during name constraints processing
was case-sensitive. For excluded name constraints, this could lead to
incorrectly accepting domain names that should've been rejected.
The code for comparing domain names and domain name parts of emails
has been modified to perform case-insensitive comparison instead.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-16
53_0006_gnutls-3.8.10-CVE-2026-42011-nc-intersect.patch [PATCH 1/2] x509/name_constraints: fix intersecting empty constraints
Permitted name constraints were wrongfully ignored
when prior CAs only had excluded name constraints,
resulting in a name constraint bypass.

With this change, they are taken into account and propagate.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-14
53_0007_gnutls-3.8.10-CVE-2026-42012-url-san-cn.patch [PATCH 1/5] x509/virt-san: a small OOM-correctness fix Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-28
53_0008_gnutls-3.8.10-CVE-2026-42013-oversized-san.patch [PATCH 1/3] x509/email-verify: call fallback DN fallback
A comment was inaccurately referring to DN email field fallback
as CN fallback.
Rename a few things as well to match x509/hostname-verify more closely.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-15
53_0009_gnutls-3.8.10-CVE-2026-42014-so-pin-uaf.patch pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin
Changing Security Officer PIN with gnutls_pkcs11_token_set_pin() with
oldpin == NULL for a token that lacks a protected authentication path
led to a use-after-free.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-18
53_0010_gnutls-3.8.10-CVE-2026-5260-p11-rsa-overread.patch [PATCH 1/2] lib/auth/rsa: check that ciphertext matches the modulus size

A client sending extremely short premaster secret as part of an
RSA key exchange could've theoretically triggered a short heap overread
to nowhere when the RSA key was backed with a PKCS#11 token.
With this fix, the internal decryption function will not be called
with a mismatching plaintext length specified, avoiding the overread.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-30
53_0011_gnutls-3.8.10-CVE-2026-42015-p12-bag32.patch x509/pkcs12_bag: fix off-by-one in bag element bounds check
Appending elements to a PKCS#12 bag had a bounds check that
prevented adding the 32nd element.
On the other hand, it is possible to import one that already has 32.
Subsequent appending then led to writing past the 32-element array,
smashing its length.

Tighten the check to reject any bag with 32 or more elements.

We'll treat this vulnerability as a Low due to how contrived
the requirements are: for the code to be vulnerable,
it needs to append to an imported untrusted unencrypted PKCS#12 structure.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-20
53_0012_gnutls-3.8.10-CVE-2026-3832-ocsp-rev-0.patch [PATCH 1/5] cert-session: fix multi-entry OCSP revocation bypass
In check_ocsp_response(), the code first searched
for the SingleResponse that matches the certificate being validated.
But later, the status was retrieved from entry 0 unconditionally,
rather than from the matched resp_indx.
As a result, if entry 0 corresponded to a different certificate and was good,
while the matched entry for the peer certificate is revoked,
the revocation check could've mistakenly accepted the certificate.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-12
53_0013_gnutls-3.8.10-CVE-2026-5419-p7-constant-time.patch [PATCH 1/2] gnutls_cipher_decrypt3: make PKCS#7 unpadding branch free
This tries to make the logic of PKCS#7 padding removal constant-time,
by removing potential branching operations.
Daiki Ueno <ueno@gnu.org> no 2026-04-01
53_0014_gnutls-3.8.10-1808-psk-rehandshake.patch [PATCH 1/3] handshake-checks: fix username comparison during rehandshake

This is definitely a security issue
subverting the GNUTLS_ALLOW_ID_CHANGE protection,
but its real-life exploitability is under question.
Joshua Rogers <joshua@joshua.hu> no 2026-03-18
53_0015_gnutls-3.8.10-1810-ocsp-truncated-eku.patch [PATCH 1/3] x509/ocsp: check OCSP delegated signer EKU OID to full length

The retrieved certificate purpose OID was compared against the expected
1.3.6.1.5.5.7.3.9 value without checking if the lengths were identical,
allowing a value that constitutes a prefix to match.
The check now compares the length as well.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-03-19
53_0017_gnutls-3.8.10-1818-rsa-coprime.patch nettle/pk: check RSA key coprimality in verify_params
Previously, gnutls_privkey_verify_params has overlooked
the scenario of p and q not being co-prime,
and proceeded with undefined behaviour that was extremely likely
to error out in practice anyway.
Now it returns GNUTLS_E_PK_INVALID_PRIVKEY in this case.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-07
53_0018_gnutls-3.8.10-1818-pem-parsing.patch [PATCH 1/2] lib/x509/privkey_openssl: mind header size more carefully
When parsing private keys in OpenSSL PEM format, GnuTLS did not perform
sufficient bounds checking for the length of the PEM header being parsed.
For specially crafted inputs, this could lead to heap overreads.
There was no confidentiality risk and
the crash potential was limited to instrumented builds in practice.
This change instates the overlooked bounds checking.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-07
53_0019_gnutls-3.8.10-1819-dblfree-mid-import.patch lib/x509: fix cleanup when gnutls_x509_crt_list_import_pkcs11 fails

Previously gnutls_x509_trust_list_remove_trust_file tried to free
the entire xcrt_list, even though one source of failures is
gnutls_pkcs11_obj_list_import_url2 that deinits it up to the correct
position.

With this change, both functions zero unused entries.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-10
53_0020_gnutls-3.8.10-1822-sct-overread.patch lib/x509/x509_ext: avoid a heap overread in SCT extension parser

Parsing a specially crafted SCT extension could previously lead to
a short heap overread.
The list-length validation didn't account for the 2-byte length field.

The fix now accounts for the header field length,
ensuring the parsing stays within the buffer.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-13
53_0021_gnutls-3.8.10-1841-hybrid-kx-zeroize.patch key_share: zeroize derived shared secret after compositing Daiki Ueno <ueno@gnu.org> no 2026-04-15
53_0022_gnutls-3.8.10-1823-cfg-clear-options.patch [PATCH 1/2] src/cfg: fix iterating in clear_options, on the error path

Calling testing tools bundled with GnuTLS with malformed arguments
could lead to crashing them.
This change makes the error path of option parsing more robust.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-14
53_0023_gnutls-3.8.10-1817-security-parameters.patch session_pack: validate session_id_size on unpacking
A check for session_id_size not exceeding GNUTLS_MAX_SESSION_ID_SIZE
on loading persisted TLS session data was overlooked,
leading to a heap overflow
were the data corrupted in a malicious manner.
Alexander Sosedkin <asosedkin@redhat.com> no 2026-04-07
53_0025__gnutls_pkcs7_unpad-add-missing-declaration.patch _gnutls_pkcs7_unpad: add missing declaration Daiki Ueno <ueno@gnu.org> no 2026-05-07
