
Bug 511840 (CVE-2014-3466)

Summary: <net-libs/gnutls-2.12.23-r6: vulnerable to memory corruption for specially crafted Server Hello (CVE-2014-{3465,3466})
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: alonbl, crypto+disabled, hyedad, john_r_graham
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.gnutls.org/security.html#GNUTLS-SA-2014-3
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-05-30 08:41:57 UTC
GNUTLS-SA-2014-3
CVE-2014-3466 Memory corruption

This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client.

Recommendation: Upgrade to the latest gnutls version (3.1.25, 3.2.15 or 3.3.3)

Reproducible: Always
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-05-30 13:45:46 UTC
Thank you for report K_F.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-05-30 18:33:04 UTC
See also https://bugzilla.redhat.com/show_bug.cgi?id=1101734 re CVE-2014-3465
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-05-31 08:46:52 UTC
gnutls just released Version 3.3.4 (released 2014-05-31)

** libgnutls: Updated Andy Polyakov's assembly code. That prevents a
crash on certain CPUs.

So probably best to move directly to 3.3.4 skipping 3.3.3
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-01 19:48:17 UTC
2.x series is not affected by CVE-2014-3465 as the affected function was introduced in GnuTLS version 3.0: http://gnutls.org/manual/html_node/X509-certificate-API.html#gnutls_005fx509_005fdn_005foid_005fname-1

Still trying to confirm when CVE-2014-3466 was introduced.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-01 20:03:27 UTC
At least 2.12.23 seems affected by CVE-2014-3466, upstream has fixed this with the two commits 
https://www.gitorious.org/gnutls/gnutls/commit/688ea6428a432c39203d00acd1af0e7684e5ddfd and https://www.gitorious.org/gnutls/gnutls/commit/688ea6428a432c39203d00acd1af0e7684e5ddfd 

and related https://www.gitorious.org/gnutls/gnutls/commit/1375d4e6d7bb969bf6c91ad78be41698073070f3 

So a temporary work-around might be to backport those commits.
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-02 05:41:32 UTC
As the 2.x series uses an embedded libtasn1, certain fixes need to be applied to handle bug 511536 as well if backporting is used.

See also http://seclists.org/oss-sec/2014/q2/395
Comment 7 Alon Bar-Lev (RETIRED) gentoo-dev 2014-06-07 18:17:20 UTC
Added, from[1]

gnutls-2.12.23-CVE-2014-3466.patch
gnutls-2.12.23-CVE-2014-3467.patch
gnutls-2.12.23-CVE-2014-3468.patch
gnutls-2.12.23-CVE-2014-3469.patch

[1] http://seclists.org/oss-sec/2014/q2/395
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-09 12:50:33 UTC
Thanks. 

Arches, please stabilize

=net-libs/gnutls-2.12.23-r6

Targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-09 12:52:12 UTC
Since patches are backported to 2.x series this bug no longer depends on gnutls 3 stabilization
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2014-06-09 19:13:05 UTC
Stable for HPPA.
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-09 20:45:31 UTC
amd64 stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-09 20:47:28 UTC
x86 stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-09 20:49:06 UTC
arm stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-10 07:24:14 UTC
alpha stable
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-10 07:31:15 UTC
sparc stable
Comment 16 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-10 07:43:02 UTC
ia64 stable
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-10 07:43:39 UTC
ppc64/ppc stable
Comment 18 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-10 07:46:18 UTC
Added to existing glsa request.

Cleanup, please!
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2014-06-10 07:47:35 UTC
CVE-2014-3466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3466):
  Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c
  in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows
  remote servers to cause a denial of service (memory corruption) or possibly
  execute arbitrary code via a long session id in a ServerHello message.
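The CVE text above describes the bug class: the one-byte session_id length in a ServerHello is trusted and used as a copy length into a fixed 32-byte buffer, so a malicious server can write up to 255 bytes. The following C is an added illustration of that shape beside the hardened form and is not GnuTLS's read_server_hello or any code from this bug; the struct layout, function names and the constructed ServerHello bytes are assumptions made for the example. It only shows the ServerHello body, not the record or handshake framing.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* TLS 1.0-1.2 bound the ServerHello session_id at 32 bytes
   (SessionID is opaque<0..32> in RFC 5246, 7.4.1.3). */
#define TLS_MAX_SESSION_ID_SIZE 32

/* Body layout: version(2) random(32) session_id_len(1) session_id(n)
   cipher_suite(2) compression_method(1) [extensions...]. */
#define SH_FIXED_HDR (2 + 32 + 1)

/* Hypothetical parse target; only the fields needed here. */
struct server_hello {
    uint8_t version_major, version_minor;
    uint8_t random[32];
    uint8_t session_id_len;
    uint8_t session_id[TLS_MAX_SESSION_ID_SIZE];
};

enum { PARSE_OK = 0, ERR_TRUNCATED = -1, ERR_SESSION_ID_TOO_LONG = -2 };

/* Vulnerable shape (illustration, not GnuTLS's code): the length byte is
   trusted, so a server can make memcpy write up to 255 bytes into a
   32-byte field. Never call this with a length above 32. */
int parse_server_hello_vulnerable(const uint8_t *buf, size_t len,
                                  struct server_hello *out)
{
    if (len < SH_FIXED_HDR)
        return ERR_TRUNCATED;
    out->version_major = buf[0];
    out->version_minor = buf[1];
    memcpy(out->random, buf + 2, 32);
    out->session_id_len = buf[34];
    if (len < (size_t)SH_FIXED_HDR + out->session_id_len)
        return ERR_TRUNCATED;
    /* Missing: session_id_len > TLS_MAX_SESSION_ID_SIZE check. */
    memcpy(out->session_id, buf + SH_FIXED_HDR, out->session_id_len);
    return PARSE_OK;
}

/* Hardened form: bound the attacker-controlled length against the
   protocol maximum (and the destination size) before any copy. */
int parse_server_hello(const uint8_t *buf, size_t len, struct server_hello *out)
{
    if (len < SH_FIXED_HDR)
        return ERR_TRUNCATED;
    uint8_t session_id_len = buf[34];
    if (session_id_len > TLS_MAX_SESSION_ID_SIZE)
        return ERR_SESSION_ID_TOO_LONG;
    /* 2 bytes cipher suite + 1 byte compression must follow the session id. */
    if (len < (size_t)SH_FIXED_HDR + session_id_len + 3)
        return ERR_TRUNCATED;
    out->version_major = buf[0];
    out->version_minor = buf[1];
    memcpy(out->random, buf + 2, 32);
    out->session_id_len = session_id_len;
    memcpy(out->session_id, buf + SH_FIXED_HDR, session_id_len);
    return PARSE_OK;
}

/* Constructed sample input (not a capture): a TLS 1.2 ServerHello body with
   a session id of the requested length. Returns the body length, 0 if cap
   is too small. */
size_t build_server_hello(uint8_t *buf, size_t cap, uint8_t session_id_len)
{
    size_t need = (size_t)SH_FIXED_HDR + session_id_len + 3;
    if (cap < need)
        return 0;
    buf[0] = 3; buf[1] = 3;                 /* TLS 1.2 */
    memset(buf + 2, 0xAA, 32);              /* server random */
    buf[34] = session_id_len;
    memset(buf + 35, 0x42, session_id_len); /* session id bytes */
    buf[35 + session_id_len] = 0x00;        /* cipher suite 0x002f */
    buf[36 + session_id_len] = 0x2f;
    buf[37 + session_id_len] = 0x00;        /* null compression */
    return need;
}

/* Build a ServerHello with the given session id length and run the hardened
   parser on it; returns the parser's result code. */
int try_session_id_len(uint8_t session_id_len)
{
    uint8_t buf[SH_FIXED_HDR + 255 + 3];
    struct server_hello sh;
    size_t n = build_server_hello(buf, sizeof buf, session_id_len);
    return parse_server_hello(buf, n, &sh);
}

int main(void)
{
    printf("len 32  -> %d\n", try_session_id_len(32));   /* PARSE_OK */
    printf("len 33  -> %d\n", try_session_id_len(33));   /* ERR_SESSION_ID_TOO_LONG */
    printf("len 200 -> %d\n", try_session_id_len(200));  /* ERR_SESSION_ID_TOO_LONG */
    return 0;
}
```

The check belongs before the length is used for anything, including the truncation test, since a length that is syntactically consistent with the message size is still out of range for the destination buffer. A client that tolerates longer ids for compatibility must also enlarge the field it copies into; the two must never disagree.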
Comment 20 Alon Bar-Lev (RETIRED) gentoo-dev 2014-06-10 07:50:39 UTC
(In reply to Mikle Kolyada from comment #18)
> Added to existing glsa request.
> 
> Cleanup, please!

done
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-06-13 19:52:07 UTC
This issue was resolved and addressed in
 GLSA 201406-09 at http://security.gentoo.org/glsa/glsa-201406-09.xml
by GLSA coordinator Mikle Kolyada (Zlogene).