Bug 245850 (CVE-2008-4989) - net-libs/gnutls <2.4.1-r2 Failure to check certificates (CVE-2008-4989)
Summary: net-libs/gnutls <2.4.1-r2 Failure to check certificates (CVE-2008-4989)
Status: RESOLVED FIXED
Alias: CVE-2008-4989
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://article.gmane.org/gmane.comp.e...
Whiteboard: B4 [glsa]
Keywords:
Depends on: 246976
Blocks:
Reported: 2008-11-06 17:55 UTC by Robert Buchholz (RETIRED)
Modified: 2009-01-14 22:58 UTC (History)

Attachments
gnutls-2.2.5-selfsigned-trust.patch (1.81 KB, patch), 2008-11-06 17:58 UTC, Robert Buchholz (RETIRED)
gnutls-2.2.5-selfsigned-trust.patch (1.81 KB, text/plain), 2008-11-06 20:19 UTC, Daniel Black (RETIRED)
gnutls-2.2.5-selfsigned-trust.patch (1.21 KB, patch), 2008-11-07 05:54 UTC, Daniel Black (RETIRED)
gnutls-2.4.1-r1.ebuild (2.06 KB, text/plain), 2008-11-07 07:20 UTC, Jeroen Roovers (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-11-06 17:55:37 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Martin von Gagern discovered that GnuTLS allows man-in-the-middle attacks via self-signed certificates that are appended to a certificate chain.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-11-06 17:58:19 UTC
Created attachment 170927
gnutls-2.2.5-selfsigned-trust.patch

Upstream approved patch.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-11-06 18:00:45 UTC
Daniel, can you prepare an ebuild with the patch and attach it to this bug? Do not commit anything to CVS, we will handle prestable testing on this bug.
Comment 3 Daniel Black (RETIRED) gentoo-dev 2008-11-06 20:19:41 UTC
Created attachment 170942
gnutls-2.2.5-selfsigned-trust.patch

contains whitespace correction.

epatch "${FILESDIR}"/${P}-selfsigned-trust.patch
 or 
epatch "${FILESDIR}"/${PN}-2.2.5-selfsigned-trust.patch

is sufficient. I've tested this patch applied before the other patches for all versions though I doubt there will be conflicts.

Note gnutls-2.6.0 has an openpgp selftest failure and the test has been determined to be the problem (https://savannah.gnu.org/support/?106543).

I'm happy for either of gnutls-2.2.5-r1 or gnutls-2.4.1-r1 to go stable (as amended) so for the sec advisory can we just list >=gnutls-2.2.5-r1 and I'll purge gnutls-2.4.1 and all will be good. Acceptable?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-11-07 00:40:32 UTC
(In reply to comment #3)
> contains whitespace correction.

Sorry, I accidentally attached the unclean patch even though I corrected the whitespace myself :-/

> I'm happy for either of gnutls-2.2.5-r1 or gnutls-2.4.1-r1 to go stable (as
> amended) so for the sec advisory can we just list >=gnutls-2.2.5-r1 and I'll
> purge gnutls-2.4.1 and all will be good. Acceptable?

Yes, fine with me. As it might be preferable to have the same version stable across all arches, and since 2.4.1 is in the tree for several months now, let's go with:
 =net-libs/gnutls-2.4.1-r1

Arch Security Liaisons, please test and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 5 Ferris McCormick (RETIRED) gentoo-dev 2008-11-07 00:51:14 UTC
What am I missing?  Do we make our own ebuild for gnutls-2.4.1-r1 or what?
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-07 05:30:48 UTC
Hmm, I tried attachment #170942 but it failed to apply to 2.4.1:

PATCH COMMAND:   patch -p1 -g0 -E --no-backup-if-mismatch < /keeps/gentoo/local/net-libs/gnutls/files/gnutls-2.2.5-selfsigned-trust.patch

===============================================
patching file lib/x509/verify.c
Hunk #1 succeeded at 376 (offset 2 lines).
Hunk #2 FAILED at 425.
1 out of 2 hunks FAILED -- saving rejects to file lib/x509/verify.c.rej
===============================================
Comment 7 Daniel Black (RETIRED) gentoo-dev 2008-11-07 05:54:19 UTC
Created attachment 170962
gnutls-2.2.5-selfsigned-trust.patch

did the dumb thing and uploaded the same file I downloaded. Sorry folks.

If I did it again:
EPATCH_OPTS="--ignore-whitespace" \
      epatch ...

Sorry this is a vendor sec roll your own
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-07 07:20:57 UTC
Created attachment 170965
gnutls-2.4.1-r1.ebuild
Comment 9 Ferris McCormick (RETIRED) gentoo-dev 2008-11-07 13:18:51 UTC
Thanks, Jeroen.  Stable for sparc.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-07 16:51:44 UTC
HPPA is OK.
Comment 11 Markus Meier gentoo-dev 2008-11-08 15:24:14 UTC
looks good on amd64/x86. please note:

dodoc: doc/tex/gnutls.ps does not exist
>>> Completed installing gnutls-2.4.1-r1 into /var/tmp/portage/net-libs/gnutls-2.4.1-r1/image/
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-11-08 17:28:00 UTC
Looks okay on alpha/ia64/sparc
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-11-10 13:19:57 UTC
This is now public, please commit with the keywords gathered in this bug.
Comment 14 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-10 15:03:59 UTC
(In reply to comment #13)
> This is now public, please commit with the keywords gathered in this bug.
Committed to the tree.

Stable: alpha amd64 hppa ia64 sparc x86

Remaining arches, please test and mark stable:
Remaining targets: arm m68k ppc ppc64 s390 sh
Comment 15 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-10 15:32:29 UTC
(In reply to comment #14)
> Remaining arches, please test and mark stable:
> Remaining targets: arm m68k ppc ppc64 s390 sh
=net-libs/gnutls-2.4.1-r1, that is.

Daniel, please fix ~arch as well now, either by patching or bumping to 2.6.1 (thanks to Arfrever, who reminded me on IRC).
Comment 16 Daniel Black (RETIRED) gentoo-dev 2008-11-10 19:56:35 UTC
Ebuilds fixed; >=gnutls-2.4.1-r1 is fixed from this vulnerability. Thanks all. Good work.
Comment 17 Markus Rothe (RETIRED) gentoo-dev 2008-11-12 18:28:14 UTC
ppc64 stable
Comment 18 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-15 17:58:48 UTC
ppc stable
Comment 19 Christian Faulhammer (RETIRED) gentoo-dev 2008-11-17 15:23:34 UTC
May I interrupt you here?  It seems the fix causes bug 246976, which has been refixed by gnutls upstream.  Could we reiterate the whole process please?
Comment 20 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-17 16:34:24 UTC
Back to [ebuild] then, waiting for a regression-free version...
Comment 21 Daniel Black (RETIRED) gentoo-dev 2008-11-18 12:00:16 UTC
(In reply to comment #20)
> Back to [ebuild] then, waiting for a regression-free version...

Thanks folks. Regression-free versions of gnutls-2.4.1-r2.ebuild and gnutls-2.6.0-r2.ebuild added. Regression versions of -r1 removed. All stable - the first chunk of the original patch was removed - risk of stable failing this time is very small indeed.
Comment 22 Robert Buchholz (RETIRED) gentoo-dev 2008-11-27 17:26:39 UTC
ready for vote, YES
Comment 23 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-30 19:05:43 UTC
YES too, request filed.
Comment 24 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2009-01-12 23:21:49 UTC
As for me, it is a B4. Comment if you disagree.

And Severity for B3 = Severity for B4 = Minor.
Comment 25 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-14 22:58:43 UTC
GLSA 200901-10