First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 90726
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Paul Querna <pquerna@apache.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 90726 depends on: Show dependency tree
Bug 90726 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2005-04-28 08:51 0000 
Announcement email:
http://lists.gnupg.org/pipermail/gnutls-dev/2005-April/000858.html

------- Comment #1 From Daniel Black 2005-04-28 13:39:28 0000 ------- 
*** Bug 90733 has been marked as a duplicate of this bug. ***

------- Comment #2 From Daniel Black 2005-04-28 15:33:18 0000 ------- 
added 1.2.3 and 1.0.25.

For the advisory can something like the following be scripted:

"Because of small API changes with the previous version please do the following to ensure your applications are using the latest gnutls that you just emerged.

revdep-rebuild --soname-regexp libgnutls.so.1[0-1] -- -p

If any packages are shown then do:

revdep-rebuild --soname-regexp libgnutls.so.1[0-1]

Arches although stabilising to 1.2.3 isn't required for the security bug Tom Martin <slarti> and myself would really appreciate it if you did. This is the recognised stable version upstream and very few problems have been reported on it (an none of them were the fault of gnutls). The main reason is I'd rather see the update occur with the clear instruction of the revdep-rebuild (in addition to the post install message).

Target:
1.0.25: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86

Requested target *please*:
1.2.3: x86 sparc ppc amd64 mips alpha ppc64

test strategy: Elfyn <beu> and I tested the gnutls by emerging gaim with the USE=gnutls flag and instigating an encrypted session.

------- Comment #3 From Markus Rothe 2005-04-29 01:26:45 0000 ------- 
stable on ppc64

------- Comment #4 From Michael Hanselmann (hansmi) (RETIRED) 2005-04-29 10:08:33 0000 ------- 
Already marked stable on ppc by dragonheart.

------- Comment #5 From Jan Brinkmann (RETIRED) 2005-04-29 10:52:59 0000 ------- 
stable on amd64

------- Comment #6 From Michael Hanselmann (hansmi) (RETIRED) 2005-04-29 12:34:08 0000 ------- 
Stable on hppa.

------- Comment #7 From Gustavo Zacarias (RETIRED) 2005-04-29 15:40:17 0000 ------- 
sparc stable.

------- Comment #8 From Bryan Østergaard (RETIRED) 2005-04-29 17:05:26 0000 ------- 
Alpha + ia64 stable.

------- Comment #9 From Luke Macken (RETIRED) 2005-04-29 17:11:58 0000 ------- 
Ready for GLSA.

------- Comment #10 From Daniel Black 2005-05-01 05:14:23 0000 ------- 
For the GLSA  put: emerge -C gnutls before emerging the new version.

As seen in bug 91012 this links to the old version.

------- Comment #11 From Daniel Black 2005-05-04 01:42:38 0000 ------- 
from:

news://news.gmane.org/gmane.network.gnutls.general

(http - http://news.gmane.org/gmane.network.gnutls.general isn't up to date yet)

Extract from news://

The problem was discovered by INL when we were studying a crash of
nuauth, a daemon which is part of the NuFW project
(http://www.nufw.org). During stress test we made on our solution, we
open a lot of tls sessions simultaneously (more than 200). After some
times the application crash with a segfault.

.
..
.
.
.
(detailed code analysis)
.
.
.

To sum up the error was the following : 

code computes value relative to the size of an array with two methods
without taking care that this could lead to out of the array indexes. In
fact, this is a case of badly checked entry from user (even it is really
low level). This bug is quiet severe as it should be easy to forge a
packet where the two values are different.

As gnutls_decrypt is called as soon as the application try to handshake,
the bug can be exploited by unauthenticated users. So theoritically all
applications running gnutls are vulnerable to this distant denial of
service available even for unauthenticated users.

BR,

------- Comment #12 From Daniel Black 2005-05-04 01:42:38 0000 ------- 
from:

news://news.gmane.org/gmane.network.gnutls.general

(http - http://news.gmane.org/gmane.network.gnutls.general isn't up to date yet)

Extract from news://

The problem was discovered by INL when we were studying a crash of
nuauth, a daemon which is part of the NuFW project
(http://www.nufw.org). During stress test we made on our solution, we
open a lot of tls sessions simultaneously (more than 200). After some
times the application crash with a segfault.

.
..
.
.
.
(detailed code analysis)
.
.
.

To sum up the error was the following : 

code computes value relative to the size of an array with two methods
without taking care that this could lead to out of the array indexes. In
fact, this is a case of badly checked entry from user (even it is really
low level). This bug is quiet severe as it should be easy to forge a
packet where the two values are different.

As gnutls_decrypt is called as soon as the application try to handshake,
the bug can be exploited by unauthenticated users. So theoritically all
applications running gnutls are vulnerable to this distant denial of
service available even for unauthenticated users.

BR,
Éric Leblond, eleblond@inl.fr
Téléphone : 01 44 89 46 40, Fax : 01 44 89 45 01
INL, http://www.inl.fr

------- Comment #13 From Matthias Geerdsen 2005-05-09 02:06:19 0000 ------- 
GLSA 200505-04

Versions will have to be corrected in case a newer 1.0.x ebuild gets committed or it will appear vulnerable.

------- Comment #14 From Hardave Riar (RETIRED) 2005-07-03 14:21:55 0000 ------- 
Stable on mips.
First Last Prev Next    No search results available      Search page      Enter new bug