diff --git a/meta-oe/recipes-crypto/botan/botan/CVE-2026-34582.patch b/meta-oe/recipes-crypto/botan/botan/CVE-2026-34582.patch
new file mode 100644
index 0000000000..c7a09eae3b
--- /dev/null
+++ b/meta-oe/recipes-crypto/botan/botan/CVE-2026-34582.patch
@@ -0,0 +1,28 @@
+From daf4c8c148165a7c316d816d2bcdc25ba1f6887d Mon Sep 17 00:00:00 2001
+From: Jack Lloyd
+Date: Sun, 29 Mar 2026 08:25:18 -0400
+Subject: [PATCH] In TLS 1.3 require that the handshake is completed prior to
+ application data
+
+CVE: CVE-2026-34582
+Upstream-Status: Backport [https://github.com/randombit/botan/commit/4190398599413373f55b1073ac06fefd494af8c6]
+Signed-off-by: Gyorgy Sarvari
+---
+ src/lib/tls/tls13/tls_channel_impl_13.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/lib/tls/tls13/tls_channel_impl_13.cpp b/src/lib/tls/tls13/tls_channel_impl_13.cpp
+index 82a8e38..eee9bad 100644
+--- a/src/lib/tls/tls13/tls_channel_impl_13.cpp
++++ b/src/lib/tls/tls13/tls_channel_impl_13.cpp
+@@ -163,6 +163,10 @@ size_t Channel_Impl_13::from_peer(std::span data) {
+ } else if(record.type == Record_Type::ChangeCipherSpec) {
+ process_dummy_change_cipher_spec();
+ } else if(record.type == Record_Type::ApplicationData) {
++ BOTAN_ASSERT_NONNULL(m_cipher_state);
++ if(!m_cipher_state->can_decrypt_application_traffic()) {
++ throw Unexpected_Message("Application data received before handshake completion");
++ }
+ BOTAN_ASSERT(record.seq_no.has_value(), "decrypted application traffic had a sequence number");
+ callbacks().tls_record_received(record.seq_no.value(), record.fragment);
+ } else if(record.type == Record_Type::Alert) {
diff --git a/meta-oe/recipes-crypto/botan/botan_3.10.0.bb b/meta-oe/recipes-crypto/botan/botan_3.10.0.bb
index 0986a76557..bedc49f714 100644
--- a/meta-oe/recipes-crypto/botan/botan_3.10.0.bb
+++ b/meta-oe/recipes-crypto/botan/botan_3.10.0.bb
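Review bot: In the nested tls_channel_impl_13.cpp hunk of CVE-2026-34582.patch, the new ApplicationData branch handles a missing cipher state with `BOTAN_ASSERT_NONNULL(m_cipher_state)` while the not-yet-ready state throws Unexpected_Message, so the two failure cases on this peer-facing path are reported differently. If a null m_cipher_state is reachable from a record that arrives early (not visible from this hunk), folding it into the same check would keep the failure a protocol error: `if(!m_cipher_state || !m_cipher_state->can_decrypt_application_traffic()) {`. Since the patch is marked as a backport, that is a point to raise upstream rather than to change locally. from_peer starts and ends outside the hunk, so the surrounding exception handling could not be checked; the backport also carries no regression test for application data received before handshake completion.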
@@ -8,6 +8,7 @@ SRC_URI = "https://botan.randombit.net/releases/Botan-${PV}.tar.xz \ file://CVE-2026-32877.patch \ file://CVE-2026-32883.patch \ file://CVE-2026-32884.patch \ + file://CVE-2026-34582.patch \ " SRC_URI[sha256sum] = "fde194236f6d5434f136ea0a0627f6cc9d26af8b96e9f1e1c7d8c82cd90f4f24"