From 608829769cbc247679ffe98841109fc73875e573 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 7 Jul 2025 10:44:12 +0900 Subject: [PATCH] x509: avoid double free when exporting othernames in SAN Previously, the _gnutls_write_new_othername function, called by gnutls_x509_ext_export_subject_alt_names to export "otherName" in a certificate's SAN extension, freed the caller allocated ASN.1 structure upon error, resulting in a potential double-free. Reported by OpenAI Security Research Team. Signed-off-by: Daiki Ueno CVE: CVE-2025-32988 Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/608829769cbc247679ffe98841109fc73875e573] Signed-off-by: Peter Marko --- NEWS | 5 +++++ lib/x509/extensions.c | 2 -- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 025e05148..ff289fa75 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,11 @@ See the end for copying conditions. and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1, CVSS: medium] [CVE-2025-32989] +** libgnutls: Fix double-free upon error when exporting otherName in SAN + Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2, + CVSS: low] [CVE-2025-32988] + + * Version 3.8.4 (released 2024-03-18) ** libgnutls: RSA-OAEP encryption scheme is now supported diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c index 6c2da8fd1..e8be12eaf 100644 --- a/lib/x509/extensions.c +++ b/lib/x509/extensions.c @@ -754,7 +754,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name, result = asn1_write_value(ext, name2, oid, 1); if (result != ASN1_SUCCESS) { gnutls_assert(); - asn1_delete_structure(&ext); return _gnutls_asn2err(result); } @@ -763,7 +762,6 @@ int _gnutls_write_new_othername(asn1_node ext, const char *ext_name, result = asn1_write_value(ext, name2, data, data_size); if (result != ASN1_SUCCESS) { gnutls_assert(); - asn1_delete_structure(&ext); return _gnutls_asn2err(result); }
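Review bot: the NEWS hunk only applies on top of the CVE-2025-32989 backport, because its leading context lines are the tail of that entry ("CVSS: medium] [CVE-2025-32989]"). State the ordering dependency in the patch header, or make sure the series lists the CVE-2025-32989 patch before this one, so that the hunk does not fail or get fuzzed into the wrong place.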
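Review bot: in the lib/x509/extensions.c hunk, both error paths after asn1_write_value now return without touching ext, but nothing at the function says that ext stays owned by the caller. Add a comment above _gnutls_write_new_othername stating that it never frees ext on failure. Since ext is passed by value, the removed asn1_delete_structure(&ext) could only reset the local copy and left the caller's handle pointing at freed memory. Any caller that relied on the callee's cleanup must now do its own. The commit message names only gnutls_x509_ext_export_subject_alt_names, so please confirm that every other caller deletes the structure on error. The diffstat lists only NEWS and lib/x509/extensions.c, so consider adding a regression test that covers a failing otherName write on the export path.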