fix CVE-2021-4209

(cherry picked from commit 01c0665a60c5ef7b74433832b8adb698931bd551)

backport-CVE-2021-4209.patch

@@ -0,0 +1,32 @@
+From 3db352734472d851318944db13be73da61300568 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 22 Dec 2021 09:12:25 +0100
+Subject: [PATCH] wrap_nettle_hash_fast: avoid calling _update with zero-length
+ input
+
+As Nettle's hash update functions internally call memcpy, providing
+zero-length input may cause undefined behavior.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/nettle/mac.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nettle/mac.c b/lib/nettle/mac.c
+index f9d4d7a8df..35e070fab0 100644
+--- a/lib/nettle/mac.c
++++ b/lib/nettle/mac.c
+@@ -788,7 +788,9 @@ static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo,
+ 	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+ 
+-	ctx.update(&ctx, text_size, text);
++	if (text_size > 0) {
++		ctx.update(&ctx, text_size, text);
++	}
+ 	ctx.digest(&ctx, ctx.length, digest);
+ 
+ 	return 0;
+-- 
+GitLab
+

gnutls.spec

@@ -1,6 +1,6 @@
 Name: gnutls
 Version: 3.6.14
-Release: 8
+Release: 9
 Summary: The GNU Secure Communication Protocol Library
 
 License: LGPLv2.1+ and GPLv3+
@@ -16,6 +16,7 @@ Patch5: backport-testpkcs11-use-datefudge-to-trick-certificate-expiry.patch
 Patch6: backport-CVE-2021-20231.patch
 Patch7: backport-CVE-2021-20232.patch
 Patch8: backport-CVE-2022-2509.patch
+Patch9: backport-CVE-2021-4209.patch
 
 %bcond_without dane
 %bcond_with guile
@@ -206,6 +207,9 @@ make check %{?_smp_mflags}
 %endif
 
 %changelog
+* Mon Aug 29 2022 yanglongkang <yanglongkang@h-partners.com> - 3.6.14-9
+- fix CVE-2021-4209
+
 * Fri Aug 5 2022 dongyuzhen <dongyuzhen@h-partners.com> - 3.6.14-8
 - fix CVE-2022-2509