commit 3b68043ef7e338118bce3ccdcbfafc8f005a6725 Author: Daiki Ueno Date: Mon Jul 7 10:44:12 2025 +0900 x509: avoid double free when exporting othernames in SAN Previously, the _gnutls_write_new_othername function, called by gnutls_x509_ext_export_subject_alt_names to export "otherName" in a certificate's SAN extension, freed the caller allocated ASN.1 structure upon error, resulting in a potential double-free. Reported by OpenAI Security Research Team. Signed-off-by: Daiki Ueno Backported-by: Alexander Sosedkin Backported-from: 608829769cbc247679ffe98841109fc73875e573 Fixes: CVE-2025-32988
diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c
index c9fef21a12..c0acdf9a94 100644
--- a/lib/x509/extensions.c
+++ b/lib/x509/extensions.c
@@ -805,7 +805,6 @@ _gnutls_write_new_othername(ASN1_TYPE ext, const char *ext_name,
 result = asn1_write_value(ext, name2, oid, 1);
 if (result != ASN1_SUCCESS) {
 gnutls_assert();
- asn1_delete_structure(&ext);
 return _gnutls_asn2err(result);
 }
@@ -814,7 +813,6 @@ _gnutls_write_new_othername(ASN1_TYPE ext, const char *ext_name,
 result = asn1_write_value(ext, name2, data, data_size);
 if (result != ASN1_SUCCESS) {
 gnutls_assert();
- asn1_delete_structure(&ext);
 return _gnutls_asn2err(result);
 }
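Review bot: The ownership rule this fix depends on is not documented at either error path: after the change, both the type-id write in the first hunk and the value write in the second return with `ext` still allocated, so the caller is the only party that may free it. Since `ext` is passed by value, the removed `asn1_delete_structure(&ext)` could at most reset the local copy and left the caller's pointer referring to freed memory, so a comment above the function such as `/* On error ext is left allocated (and may be partially written); the caller owns it and must free it. */` would help keep the call from being reintroduced. In the second hunk the type-id has already been written when the value write fails, so callers should discard the structure on error rather than encode it. The start of the function and its earlier error paths are outside these hunks, so it is worth confirming that none of them still frees `ext`. A regression test that drives the SAN export through a failing othername write under a memory checker would pin the behaviour.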