949496 – (CVE-2024-12243, GNUTLS-SA-2025-02-07) <net-libs/gnutls-3.8.9: Denial of service

Bug 949496 (CVE-2024-12243, GNUTLS-SA-2025-02-07) - <net-libs/gnutls-3.8.9: Denial of service

Summary: <net-libs/gnutls-3.8.9: Denial of service

Status:	IN_PROGRESS

Alias:	CVE-2024-12243, GNUTLS-SA-2025-02-07

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [stable]
Keywords:

Depends on:	951584
Blocks:
	Show dependency tree

Reported:	2025-02-09 04:16 UTC by Sam James
Modified:	2025-03-19 02:02 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2025-02-09 04:16:16 UTC

From 3.8.9 NEWS:
```
+
+** libgnutls: Fix potential DoS in handling certificates with numerous name
+   constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
+   bundled copy of libtasn1 has also been updated to the latest 4.20.0
+   release to complete the fix.  Reported by Bing Shi (#1553).
+   [GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243]
+
```

Comment 1 Larry the Git Cow gentoo-dev

2025-02-09 04:32:34 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5cabc75c42d547481b636a13c560ee7262daf401

commit 5cabc75c42d547481b636a13c560ee7262daf401
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2025-02-09 04:23:33 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-02-09 04:23:33 +0000

    net-libs/gnutls: add 3.8.9
    
    Bug: https://bugs.gentoo.org/949496
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/gnutls/Manifest            |   2 +
 net-libs/gnutls/gnutls-3.8.9.ebuild | 161 ++++++++++++++++++++++++++++++++++++
 2 files changed, 163 insertions(+)