[AUTO-CHERRYPICK] [AutoPR- Security] Patch gnutls for CVE-2025-6395 - branch 3.0-dev (microsoft#14298)

Co-authored-by: Azure Linux Security Servicing Account <[email protected]>

Author: CBL-Mariner-Bot

SPECS/gnutls/CVE-2025-6395.patch

@@ -0,0 +1,73 @@
+From 001a6b04cfea193c4e3073d002a5cb7058d01714 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <[email protected]>
+Date: Tue, 15 Jul 2025 05:54:27 +0000
+Subject: [PATCH] Fix CVE CVE-2025-6395 in gnutls
+
+Upstream Patch Reference: https://gitlab.com/gnutls/gnutls/-/commit/23135619773e6ec087ff2abc65405bd4d5676bad.patch
+---
+ lib/handshake.c | 25 ++++++++++++++++++++++---
+ lib/state.c     |  4 +++-
+ 2 files changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/lib/handshake.c b/lib/handshake.c
+index 722307b..489d021 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -589,9 +589,28 @@ static int set_auth_types(gnutls_session_t session)
+ 		/* Under TLS1.3 this returns a KX which matches the negotiated
+ 		 * groups from the key shares; if we are resuming then the KX seen
+ 		 * here doesn't match the original session. */
+-		if (!session->internals.resumed)
+-			kx = gnutls_kx_get(session);
+-		else
++		if (!session->internals.resumed) {
++			const gnutls_group_entry_st *group = get_group(session);
++
++			if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
++				if (group) {
++					kx = group->pk == GNUTLS_PK_DH ?
++						     GNUTLS_KX_DHE_PSK :
++						     GNUTLS_KX_ECDHE_PSK;
++				} else {
++					kx = GNUTLS_KX_PSK;
++				}
++			} else if (group) {
++				/* Not necessarily be RSA, but just to
++				 * make _gnutls_map_kx_get_cred below
++				 * work.
++				 */
++				kx = group->pk == GNUTLS_PK_DH ?
++					     GNUTLS_KX_DHE_RSA :
++					     GNUTLS_KX_ECDHE_RSA;
++			} else
++				kx = GNUTLS_KX_UNKNOWN;
++		} else
+ 			kx = GNUTLS_KX_UNKNOWN;
+ 	} else {
+ 		/* TLS1.2 or earlier, kx is associated with ciphersuite */
+diff --git a/lib/state.c b/lib/state.c
+index ec514c0..10ec0ea 100644
+--- a/lib/state.c
++++ b/lib/state.c
+@@ -202,7 +202,8 @@ gnutls_kx_algorithm_t gnutls_kx_get(gnutls_session_t session)
+ 		const gnutls_group_entry_st *group = get_group(session);
+ 
+ 		if (ver->tls13_sem) {
+-			if (session->internals.hsk_flags & HSK_PSK_SELECTED) {
++			if (gnutls_auth_client_get_type(session) ==
++			    GNUTLS_CRD_PSK) {
+ 				if (group) {
+ 					if (group->pk == GNUTLS_PK_DH)
+ 						return GNUTLS_KX_DHE_PSK;
+@@ -349,6 +350,7 @@ void reset_binders(gnutls_session_t session)
+ 	_gnutls_free_temp_key_datum(&session->key.binders[0].psk);
+ 	_gnutls_free_temp_key_datum(&session->key.binders[1].psk);
+ 	memset(session->key.binders, 0, sizeof(session->key.binders));
++	session->internals.hsk_flags &= ~HSK_PSK_SELECTED;
+ }
+ 
+ /* Check whether certificate credentials of type @cert_type are set
+-- 
+2.45.3
+

SPECS/gnutls/gnutls.spec

@@ -1,7 +1,7 @@
 Summary:        The GnuTLS Transport Layer Security Library
 Name:           gnutls
 Version:        3.8.3
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPLv3+ AND LGPLv2.1+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -17,6 +17,7 @@ Patch4:         CVE-2024-12243.patch
 Patch5:         CVE-2025-32990.patch
 Patch6:         CVE-2025-32989.patch
 Patch7:         CVE-2025-32988.patch
+Patch8:         CVE-2025-6395.patch
 BuildRequires:  autogen-libopts-devel
 BuildRequires:  gc-devel
 BuildRequires:  libtasn1-devel
@@ -98,6 +99,9 @@ sed -i 's/TESTS += test-ciphers-openssl.sh//'  tests/slow/Makefile.am
 %{_mandir}/man3/*
 
 %changelog
+* Tue Jul 15 2025 Azure Linux Security Servicing Account <[email protected]> - 3.8.3-6
+- Patch for CVE-2025-6395
+
 * Mon Jul 14 2025 Azure Linux Security Servicing Account <[email protected]> - 3.8.3-5
 - Patch for CVE-2025-32990, CVE-2025-32989, CVE-2025-32988