[AutoPR- Security] Patch gnutls for CVE-2026-3832, CVE-2026-33846, CVE-2026-42010 [MEDIUM] #17101

Open
azurelinux-security wants to merge 3 commits into microsoft:3.0-dev from azurelinux-security:azure-autosec/gnutls/3.0/1113114

@azurelinux-security (Contributor) commented May 8, 2026

Auto Patch gnutls for CVE-2026-3832, CVE-2026-33846, CVE-2026-42010.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1113114&view=results
Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1118668&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Change Log
Does this affect the toolchain?

YES/NO

Associated issues
  • N/A
Links to CVEs
Test Methodology

@Kanishk-Bansal (Contributor)

Buddy Build

@Kanishk-Bansal marked this pull request as ready for review May 13, 2026 11:38
@Kanishk-Bansal requested a review from a team as a code owner May 13, 2026 11:38
@azurelinux-security (Contributor, Author)

🔒 CVE Patch Review: CVE-2026-33846, CVE-2026-3832

PR #17101 — [AutoPR- Security] Patch gnutls for CVE-2026-3832, CVE-2026-33846 [MEDIUM]
Package: gnutls | Branch: 3.0-dev


Spec File Validation

| Check | Status | Detail |
|---|---|---|
| Release bump | | Release bumped 8 → 9 |
| Patch entry | | Patch entries added: ['CVE-2026-33846.patch', 'CVE-2026-3832.patch'] (covers ['CVE-2026-33846', 'CVE-2026-3832']) |
| Patch application | | %autosetup/%autopatch found in full spec — patches applied automatically |
| Changelog | | Changelog entry looks good |
| Signatures | | No source tarball changes — signatures N/A |
| Manifests | | Not a toolchain PR — manifests N/A |

Build Verification

  • Build status: ✅ PASSED
  • Artifact downloaded:
  • CVE applied during build:
  • Warnings (47):
    • L949: time="2026-05-13T11:47:44Z" level=debug msg="configure: WARNING: *** LIBIDN2 was not found. You will not be able to use IDN2008 support"
    • L964: time="2026-05-13T11:47:44Z" level=debug msg="configure: WARNING:"
    • L971: time="2026-05-13T11:47:44Z" level=debug msg="configure: WARNING:"
    • L984: time="2026-05-13T11:47:44Z" level=debug msg="configure: WARNING: *** LIBBROTLI was not found. You will not be able to use BROTLI compression."
    • L1032: time="2026-05-13T11:47:46Z" level=debug msg="config.status: creating fuzz/Makefile"
    • L1098: time="2026-05-13T11:47:46Z" level=debug msg="configure: WARNING:"
    • L5398: time="2026-05-13T11:47:52Z" level=debug msg="serv.c:1139:9: warning: ignoring return value of 'write' declared with attribute 'warn_unused_result' [-Wunused-result]"
    • L5411: time="2026-05-13T11:47:52Z" level=debug msg="ocsptool.c:532:32: warning: use of uninitialized value 'chain[1]' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]"
    • L6111: time="2026-05-13T11:47:53Z" level=debug msg="aclocal.m4:17: warning: this file was generated for autoconf 2.71."
    • L6136: time="2026-05-13T11:47:55Z" level=debug msg="utils.c:96:9: warning: ignoring return value of 'vasprintf' declared with attribute 'warn_unused_result' [-Wunused-result]"
    • … and 37 more

🤖 AI Build Log Analysis

  • Risk: low
  • Summary: The gnutls 3.8.3-9.azl3 package built successfully with the CVE-2026-33846 and CVE-2026-3832 patches applied during %prep using strict patching (--fuzz=0). The configure, compile, install, debuginfo extraction, and RPM packaging steps completed without errors, producing gnutls, gnutls-devel, and gnutls-debuginfo RPMs. Tests were explicitly disabled (--nocheck).
  • AI-detected warnings:
    • rpmbuild warning: Could not canonicalize hostname: fa33411cc000000

🧪 Test Log Analysis

  • Test status: ❌ FAILED
  • Test errors (5):
    • L8860: time="2026-05-13T11:48:36Z" level=debug msg="# ERROR: 0"
    • L14794: time="2026-05-13T11:50:22Z" level=debug msg="# ERROR: 0"
    • L15097: time="2026-05-13T11:51:06Z" level=debug msg="# ERROR: 0"
    • L15180: time="2026-05-13T11:51:19Z" level=debug msg="# ERROR: 0"
    • L15446: time="2026-05-13T11:51:20Z" level=debug msg="# ERROR: 0"
  • Test warnings (301):
    • L949: time="2026-05-13T11:48:13Z" level=debug msg="configure: WARNING: *** LIBIDN2 was not found. You will not be able to use IDN2008 support"
    • L964: time="2026-05-13T11:48:13Z" level=debug msg="configure: WARNING:"
    • L971: time="2026-05-13T11:48:13Z" level=debug msg="configure: WARNING:"
    • L984: time="2026-05-13T11:48:14Z" level=debug msg="configure: WARNING: *** LIBBROTLI was not found. You will not be able to use BROTLI compression."
    • L1032: time="2026-05-13T11:48:15Z" level=debug msg="config.status: creating fuzz/Makefile"
    • L1107: time="2026-05-13T11:48:15Z" level=debug msg="configure: WARNING:"
    • L5389: time="2026-05-13T11:48:20Z" level=debug msg="serv.c:1139:9: warning: ignoring return value of 'write' declared with attribute 'warn_unused_result' [-Wunused-result]"
    • L5408: time="2026-05-13T11:48:20Z" level=debug msg="ocsptool.c:532:32: warning: use of uninitialized value 'chain[1]' [CWE-457] [-Wanalyzer-use-of-uninitialized-value]"
    • L6111: time="2026-05-13T11:48:21Z" level=debug msg="aclocal.m4:17: warning: this file was generated for autoconf 2.71."
    • L6140: time="2026-05-13T11:48:23Z" level=debug msg="utils.c:96:9: warning: ignoring return value of 'vasprintf' declared with attribute 'warn_unused_result' [-Wunused-result]"
🤖 AI Test Log Analysis
  • Risk: medium
  • Summary: The GnuTLS package built successfully and the test suite completed with no failures. The fuzzing tests reported a total of 25 tests with 8 passing and 17 skipped, and no errors. CVE patches for CVE-2026-33846 and CVE-2026-3832 applied cleanly during %prep. While there were no regressions or failures observed, a significant number of security-relevant fuzzers (e.g., handshake and client/server fuzzers) were skipped, which limits direct validation coverage of the patched code paths.

Patch Analysis

  • Match type: backport
  • Risk assessment: low
  • Summary: The PR applies the same three defensive checks to DTLS handshake fragment reassembly as upstream, ensuring consistent message length across fragments and guarding against buffer overflow. It references the handshake buffer via session->internals.handshake_recv_buffer instead of a local recv_buf alias, reflecting adaptation to the target branch, but is otherwise functionally identical. | The PR patch backports the upstream fix and adapts it to an older codebase by adding the missing search for the correct OCSP SingleResponse index (resp_indx) and then using that index when retrieving the certificate status. Functionally, it addresses the same vulnerability by ensuring the status is taken from the matched entry rather than unconditionally from entry 0.
Detailed analysis
  1. Core fix equivalence: The upstream patch adds three checks in the non-initial-fragment path of merge_handshake_packet(): (a) reject fragments whose hsk->length differs from the reassembly buffer's length; (b) ensure hsk->length >= hsk->start_offset + hsk->data.length; and (c) ensure hsk->length <= reassembly_buffer.data.max_length. On failure, it clears hsk and returns GNUTLS_E_UNEXPECTED_PACKET_LENGTH. The PR patch adds the same three checks with identical logic and return codes.

  2. Differences: The upstream code references recv_buf[pos], whereas the PR directly references session->internals.handshake_recv_buffer[pos]. This is a context adaptation likely due to differences in the target branch (no recv_buf alias), not a logic change. Line numbers and index IDs also differ, consistent with a backport. The PR is packaged as SPECS/gnutls/CVE-2026-33846.patch and includes an upstream reference URL, but the code hunk content matches.

  3. Missing hunks: None. The PR includes all 20 insertions present in the upstream patch's functional section. No additional upstream changes are omitted in the relevant function.

  4. Completeness and regression risk: The fix is complete with respect to the upstream change set for this function. It should correctly prevent out-of-bounds writes during DTLS handshake reassembly and reject inconsistent fragments. Potential regressions are limited to stricter validation rejecting malformed or non-conformant peers, which is intended. Given the straightforward nature of the added checks and identical logic, overall risk is low.

  5. Context safety: The use of session->internals.handshake_recv_buffer[pos] aligns with surrounding code in the PR patch context (e.g., the adjacent _gnutls_handshake_buffer_move call uses the same reference). This indicates a safe and intentional adaptation to the target codebase.


  1. Core fix equivalence: Upstream fixes the bug by changing gnutls_ocsp_resp_get_single(resp, 0, ...) to gnutls_ocsp_resp_get_single(resp, resp_indx, ...), relying on resp_indx having been determined earlier in the function. The PR patch implements the same essential change, ensuring the status is taken from the matched SingleResponse entry, thereby closing the revocation-bypass issue.

  2. Additional context/backporting: The Azure Linux codebase did not appear to have the earlier upstream logic that computed resp_indx. The PR patch therefore introduces:

  • Declaration of resp_indx.
  • A loop over SingleResponse entries using gnutls_ocsp_resp_check_crt(resp, resp_indx, cert) to find the matching index, breaking on success (ret == 0) or when no more entries are available (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE). If no match is found, the function proceeds to the existing error-handling path.
  • Replacement of the later get_single call to use resp_indx instead of 0.
  3. Differences vs upstream patch: Upstream only modified the get_single call because the search for resp_indx already existed there. The PR patch adds the missing search loop and index variable to align behavior with upstream before making get_single use resp_indx. No upstream hunks are missing; the PR includes the necessary additional changes to compensate for the older base.

  4. Risk considerations: The added loop is straightforward: it scans entries until a match is found or until entries are exhausted. The error-handling flow is consistent with treating "no matching SingleResponse" as a failure. Using resp_indx in get_single is identical to upstream’s fix. Potential behavioral differences are minimal and stem from the newly introduced search loop; however, this mirrors upstream’s intended logic. Overall risk is low, and the security issue is correctly addressed.

Raw diff (upstream vs PR)
--- upstream
+++ pr
@@ -1,61 +1,69 @@
-From 65ab33fa54e34fba69d793735b7df3d383d1ff78 Mon Sep 17 00:00:00 2001
-From: Alexander Sosedkin <asosedkin@redhat.com>
-Date: Fri, 17 Apr 2026 18:21:36 +0200
-Subject: [PATCH] buffers: add more checks to DTLS reassembly
-
-Previously, gnutls didn't check that DTLS fragments claimed
-a consistent message_length value.
-Additionally, a crucial array size check was missing,
-enabling an attacker to cause a heap overwrite.
-The updated version rejects fragments with mismatching length
-and adds a missing boundary check.
-
-Reported-by: Haruto Kimura (Stella)
-Reported-by: Oscar Reparaz
-Reported-by: Zou Dikai
-Fixes: #1816
-Fixes: #1838
-Fixes: #1839
-Fixes: CVE-2026-33846
-Fixes: GNUTLS-SA-2026-04-29-1
-CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
-CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
----
- lib/buffers.c | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/lib/buffers.c b/lib/buffers.c
-index d54c770228..5d4d162768 100644
---- a/lib/buffers.c
-+++ b/lib/buffers.c
-@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t session,
- 		_gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
- 
- 	} else {
-+		if (hsk->length != recv_buf[pos].length) {
-+			/* inconsistent across fragments */
-+			_gnutls_handshake_buffer_clear(hsk);
-+			return gnutls_assert_val(
-+				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
-+		}
-+		/* start_offset + data.length <= hsk->length <= max_length */
-+		if (hsk->length < hsk->start_offset + hsk->data.length) {
-+			/* impossible claims, overflow requested */
-+			_gnutls_handshake_buffer_clear(hsk);
-+			return gnutls_assert_val(
-+				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
-+		}
-+		if (hsk->length > recv_buf[pos].data.max_length) {
-+			/* we don't have this much allocated, overflow guard */
-+			_gnutls_handshake_buffer_clear(hsk);
-+			return gnutls_assert_val(
-+				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
-+		}
+diff --git a/SPECS/gnutls/CVE-2026-33846.patch b/SPECS/gnutls/CVE-2026-33846.patch
+new file mode 100644
+index 00000000000..b06a6a88f2d
+--- /dev/null
++++ b/SPECS/gnutls/CVE-2026-33846.patch
+@@ -0,0 +1,63 @@
++From 65ab33fa54e34fba69d793735b7df3d383d1ff78 Mon Sep 17 00:00:00 2001
++From: Alexander Sosedkin <asosedkin@redhat.com>
++Date: Fri, 17 Apr 2026 18:21:36 +0200
++Subject: [PATCH] buffers: add more checks to DTLS reassembly
 +
- 		if (hsk->start_offset < recv_buf[pos].start_offset &&
- 		    hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
- 			memcpy(&recv_buf[pos].data.data[hsk->start_offset],
--- 
-GitLab
-
++Previously, gnutls didn't check that DTLS fragments claimed
++a consistent message_length value.
++Additionally, a crucial array size check was missing,
++enabling an attacker to cause a heap overwrite.
++The updated version rejects fragments with mismatching length
++and adds a missing boundary check.
++
++Reported-by: Haruto Kimura (Stella)
++Reported-by: Oscar Reparaz
++Reported-by: Zou Dikai
++Fixes: #1816
++Fixes: #1838
++Fixes: #1839
++Fixes: CVE-2026-33846
++Fixes: GNUTLS-SA-2026-04-29-1
++CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
++CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
++Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
++
++Upstream Patch Reference: https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78.patch
++---
++ lib/buffers.c | 20 ++++++++++++++++++++
++ 1 file changed, 20 insertions(+)
++
++diff --git a/lib/buffers.c b/lib/buffers.c
++index 672380b..0f6ae1c 100644
++--- a/lib/buffers.c
+++++ b/lib/buffers.c
++@@ -1009,6 +1009,26 @@ static int merge_handshake_packet(gnutls_session_t session,
++ 			&session->internals.handshake_recv_buffer[pos], hsk);
++ 
++ 	} else {
+++		if (hsk->length != session->internals.handshake_recv_buffer[pos].length) {
+++			/* inconsistent across fragments */
+++			_gnutls_handshake_buffer_clear(hsk);
+++			return gnutls_assert_val(
+++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+++		}
+++		/* start_offset + data.length <= hsk->length <= max_length */
+++		if (hsk->length < hsk->start_offset + hsk->data.length) {
+++			/* impossible claims, overflow requested */
+++			_gnutls_handshake_buffer_clear(hsk);
+++			return gnutls_assert_val(
+++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+++		}
+++		if (hsk->length > session->internals.handshake_recv_buffer[pos].data.max_length) {
+++			/* we don't have this much allocated, overflow guard */
+++			_gnutls_handshake_buffer_clear(hsk);
+++			return gnutls_assert_val(
+++				GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
+++		}
+++
++ 		if (hsk->start_offset <
++ 			    session->internals.handshake_recv_buffer[pos]
++ 				    .start_offset &&
++-- 
++2.45.4
++
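Review bot: The embedded lib/buffers.c hunk is not identical to upstream commit 65ab33fa (it tests session->internals.handshake_recv_buffer[pos] where upstream tests recv_buf[pos], and the index line differs), yet the patch header keeps upstream's hash, author and Signed-off-by with only an "Upstream Patch Reference" trailer. Add a line to the header stating that the hunk was adapted for this branch and why, so a later rebase does not treat it as a verbatim cherry-pick. The two added conditions that dereference session->internals.handshake_recv_buffer[pos] also sit on single long lines, while the context directly below wraps the same expression across three lines; wrapping them the same way keeps the file's style. In the second check the sum hsk->start_offset + hsk->data.length is compared with no guard on the addition itself, so it is worth confirming from the field types that it cannot wrap.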

--- upstream
+++ pr
@@ -1,46 +1,76 @@
-From 731861b9de8dccaf7d3b0c1446833051e48670c2 Mon Sep 17 00:00:00 2001
-From: Alexander Sosedkin <asosedkin@redhat.com>
-Date: Thu, 12 Mar 2026 09:48:57 +0100
-Subject: [PATCH] cert-session: fix multi-entry OCSP revocation bypass
-
-In check_ocsp_response(), the code first searched
-for the SingleResponse that matches the certificate being validated.
-But later, the status was retrieved from entry 0 unconditionally,
-rather than from the matched resp_indx.
-As a result, if entry 0 corresponded to a different certificate and was good,
-while the matched entry for the peer certificate is revoked,
-the revocation check could've mistakenly accept the certificate.
-
-Reported-by: Oleh Konko (1seal) <security@1seal.org>
-Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
-Fixes: #1801
-Fixes: #1812
-Fixes: CVE-2026-3832
-Fixes: GNUTLS-SA-2026-04-29-12
-CVSS: 3.7 Low CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
-Introduced-in: ae404fe8488dee424876b5963c00d7e041672415 3.8.9
-Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
----
- lib/cert-session.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/lib/cert-session.c b/lib/cert-session.c
-index 34a15b19eb..b8a70ad00e 100644
---- a/lib/cert-session.c
-+++ b/lib/cert-session.c
-@@ -343,9 +343,9 @@ static int check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
- 		goto cleanup;
- 	}
- 
--	ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
--					  &cert_status, &vtime, &ntime, &rtime,
--					  NULL);
-+	ret = gnutls_ocsp_resp_get_single(resp, resp_indx, NULL, NULL, NULL,
-+					  NULL, &cert_status, &vtime, &ntime,
-+					  &rtime, NULL);
- 	if (ret < 0) {
- 		_gnutls_audit_log(
- 			session,
--- 
-GitLab
-
+diff --git a/SPECS/gnutls/CVE-2026-3832.patch b/SPECS/gnutls/CVE-2026-3832.patch
+new file mode 100644
+index 00000000000..f04a937cbd1
+--- /dev/null
++++ b/SPECS/gnutls/CVE-2026-3832.patch
+@@ -0,0 +1,70 @@
++From 731861b9de8dccaf7d3b0c1446833051e48670c2 Mon Sep 17 00:00:00 2001
++From: Alexander Sosedkin <asosedkin@redhat.com>
++Date: Thu, 12 Mar 2026 09:48:57 +0100
++Subject: [PATCH] cert-session: fix multi-entry OCSP revocation bypass
++
++In check_ocsp_response(), the code first searched
++for the SingleResponse that matches the certificate being validated.
++But later, the status was retrieved from entry 0 unconditionally,
++rather than from the matched resp_indx.
++As a result, if entry 0 corresponded to a different certificate and was good,
++while the matched entry for the peer certificate is revoked,
++the revocation check could've mistakenly accept the certificate.
++
++Reported-by: Oleh Konko (1seal) <security@1seal.org>
++Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
++Fixes: #1801
++Fixes: #1812
++Fixes: CVE-2026-3832
++Fixes: GNUTLS-SA-2026-04-29-12
++CVSS: 3.7 Low CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
++Introduced-in: ae404fe8488dee424876b5963c00d7e041672415 3.8.9
++Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
++
++Upstream Patch Reference: https://gitlab.com/gnutls/gnutls/-/commit/731861b9de8dccaf7d3b0c1446833051e48670c2.patch
++---
++ lib/cert-session.c | 14 +++++++++-----
++ 1 file changed, 9 insertions(+), 5 deletions(-)
++
++diff --git a/lib/cert-session.c b/lib/cert-session.c
++index 5a4b997..53de6f1 100644
++--- a/lib/cert-session.c
+++++ b/lib/cert-session.c
++@@ -236,7 +236,7 @@ static int check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
++ {
++ 	gnutls_ocsp_resp_t resp;
++ 	int ret;
++-	unsigned int status, cert_status;
+++	unsigned int status, cert_status, resp_indx;
++ 	time_t rtime, vtime, ntime, now;
++ 	int check_failed = 0;
++ 
++@@ -277,7 +277,11 @@ static int check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
++ 		goto cleanup;
++ 	}
++ 
++-	ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);
+++	for (resp_indx = 0;; resp_indx++) {
+++		ret = gnutls_ocsp_resp_check_crt(resp, resp_indx, cert);
+++		if (ret == 0 || ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+++			break;
+++	}
++ 	if (ret < 0) {
++ 		ret = gnutls_assert_val(0);
++ 		_gnutls_audit_log(
++@@ -339,9 +343,9 @@ static int check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
++ 		goto cleanup;
++ 	}
++ 
++-	ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
++-					  &cert_status, &vtime, &ntime, &rtime,
++-					  NULL);
+++	ret = gnutls_ocsp_resp_get_single(resp, resp_indx, NULL, NULL, NULL,
+++					  NULL, &cert_status, &vtime, &ntime,
+++					  &rtime, NULL);
++ 	if (ret < 0) {
++ 		_gnutls_audit_log(
++ 			session,
++-- 
++2.45.4
++
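Review bot: The retained commit message says "Introduced-in: ae404fe8488dee424876b5963c00d7e041672415 3.8.9", and the lines removed at "@@ -277,7 +277,11 @@" and "@@ -339,9 +343,9 @@" show this base both matching and reading SingleResponse entry 0, so the match-one-entry, read-another mismatch that the message describes is not visible in the pre-patch code, which the build summary identifies as 3.8.3. As written, the hunk at "@@ -277,7 +277,11 @@" adds the multi-entry search rather than correcting an index, which changes behaviour: a response whose matching entry is not at index 0 used to take the error path and now proceeds to status evaluation. Please confirm the package is affected, and if the backport is kept, state the added search in the patch header, since the diffstat already differs from upstream (9 insertions and 5 deletions against 3 and 3). The added for loop also ends only on ret == 0 or GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, so any other error that gnutls_ocsp_resp_check_crt returned for every index would keep it iterating; bounding resp_indx by the number of entries would make termination explicit.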

Verdict

CHANGES REQUESTED — Please address the issues flagged above.
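
The three reassembly checks listed under "Core fix equivalence" above, as a stand-alone C sketch (an added example, not code from GnuTLS or from this PR). The struct and function names, the 16-byte allocation and the sample cases are constructed for illustration, and summing in 64 bits in check (b) is this sketch's own choice.

```c
/* Added example: simplified model of the checks described above.
 * struct reasm, struct frag, frag_merge() and run_case() are hypothetical
 * names for this sketch; this is not GnuTLS code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define E_UNEXPECTED_PACKET_LENGTH (-1) /* stand-in for the GnuTLS error code */
#define ALLOC 16                        /* constructed allocation size */

struct reasm {                 /* reassembly buffer for one handshake message */
	uint32_t length;       /* message length recorded from the first fragment */
	size_t max_length;     /* bytes actually allocated behind data */
	uint8_t *data;
};

struct frag {                  /* a later fragment of the same message */
	uint32_t length;       /* message length this fragment claims */
	uint32_t start_offset; /* where its payload belongs in the message */
	uint32_t data_length;  /* payload size */
	const uint8_t *data;
};

/* Copy a non-initial fragment into the buffer only if all three checks hold. */
int frag_merge(struct reasm *buf, const struct frag *f)
{
	/* (a) every fragment must claim the same total message length */
	if (f->length != buf->length)
		return E_UNEXPECTED_PACKET_LENGTH;
	/* (b) start_offset + data_length <= length; summed in 64 bits so the
	 * addition itself cannot wrap (a choice made in this sketch) */
	if ((uint64_t)f->start_offset + f->data_length > f->length)
		return E_UNEXPECTED_PACKET_LENGTH;
	/* (c) the claimed length must fit in what was actually allocated */
	if (f->length > buf->max_length)
		return E_UNEXPECTED_PACKET_LENGTH;
	memcpy(buf->data + f->start_offset, f->data, f->data_length);
	return 0;
}

/* Run one constructed case against a fresh ALLOC-byte buffer. */
int run_case(uint32_t recorded_len, uint32_t claimed_len, uint32_t off, uint32_t n)
{
	static const uint8_t payload[ALLOC] = { 0 };
	uint8_t storage[ALLOC] = { 0 };
	struct reasm buf = { recorded_len, sizeof(storage), storage };
	struct frag f = { claimed_len, off, n, payload };
	return frag_merge(&buf, &f);
}

int main(void)
{
	printf("in-bounds fragment:       %d\n", run_case(16, 16, 8, 4));
	printf("mismatched length:        %d\n", run_case(16, 64, 8, 4));
	printf("payload past the message: %d\n", run_case(16, 16, 12, 8));
	printf("length above allocation:  %d\n", run_case(32, 32, 20, 4));
	printf("offset near UINT32_MAX:   %d\n", run_case(16, 16, 0xFFFFFFF0u, 0x20));
	return 0;
}
```

The fourth case passes checks (a) and (b) and is stopped only by (c), which is the boundary check the upstream commit message calls missing.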

@azurelinux-security changed the title from "[AutoPR- Security] Patch gnutls for CVE-2026-3832, CVE-2026-33846 [MEDIUM]" to "[AutoPR- Security] Patch gnutls for CVE-2026-3832, CVE-2026-33846, CVE-2026-42010 [MEDIUM]" May 15, 2026