Summary: | <net-libs/gnutls-2.12.23-r6: vulnerable to memory corruption for specially crafted Server Hello (CVE-2014-{3465,3466}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | alonbl, crypto+disabled, hyedad, john_r_graham |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.gnutls.org/security.html#GNUTLS-SA-2014-3 | ||
Whiteboard: | A3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Kristian Fiskerstrand (RETIRED)
Thank you for report K_F.

See also https://bugzilla.redhat.com/show_bug.cgi?id=1101734 re CVE-2014-3465

gnutls just released Version 3.3.4 (released 2014-05-31)

** libgnutls: Updated Andy Polyakov's assembly code. That prevents a crash on certain CPUs.

So probably best to move directly to 3.3.4 skipping 3.3.3

2.x series is not affected by CVE-2014-3465 as the affected function was introduced in GnuTLS version 3.0: http://gnutls.org/manual/html_node/X509-certificate-API.html#gnutls_005fx509_005fdn_005foid_005fname-1

Still trying to confirm when CVE-2014-3466 was introduced.

At least 2.12.23 seems affected by CVE-2014-3466, upstream has fixed this with the two commits https://www.gitorious.org/gnutls/gnutls/commit/688ea6428a432c39203d00acd1af0e7684e5ddfd and https://www.gitorious.org/gnutls/gnutls/commit/688ea6428a432c39203d00acd1af0e7684e5ddfd and related https://www.gitorious.org/gnutls/gnutls/commit/1375d4e6d7bb969bf6c91ad78be41698073070f3

So a temporary work-around might be to backport those commits. As the 2.x series use an embedded libtasn certain fixes need to be applied to handle bug 511536 as well if backporting is used.

See also http://seclists.org/oss-sec/2014/q2/395

Added, from [1]

gnutls-2.12.23-CVE-2014-3466.patch
gnutls-2.12.23-CVE-2014-3467.patch
gnutls-2.12.23-CVE-2014-3468.patch
gnutls-2.12.23-CVE-2014-3469.patch

[1] http://seclists.org/oss-sec/2014/q2/395

Thanks.

Arches, please stabilize =net-libs/gnutls-2.12.23-r6
Targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Since patches are backported to 2.x series this bug no longer depends on gnutls 3 stabilization

Stable for HPPA.

amd64 stable

x86 stable

arm stable

alpha stable

sparc stable

ia64 stable

ppc64/ppc stable

Added to existing glsa request.

Cleanup, please!
CVE-2014-3466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3466): Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message.

(In reply to Mikle Kolyada from comment #18)
> Added to existing glsa request.
>
> Cleanup, please!

done

This issue was resolved and addressed in GLSA 201406-09 at http://security.gentoo.org/glsa/glsa-201406-09.xml by GLSA coordinator Mikle Kolyada (Zlogene).
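The CVE-2014-3466 description above concerns a long session id in a ServerHello message. As an added example (not GnuTLS's code and not part of this bug report), the C below shows a client-side parser that checks the peer-supplied session id length against the 32-byte TLS maximum before copying it into a fixed buffer. The struct, the function names and the sample message are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SESSION_ID_SIZE 32 /* TLS: opaque SessionID<0..32> */

struct server_hello {
    uint8_t version[2], random[32], cipher_suite[2], compression;
    uint8_t session_id[MAX_SESSION_ID_SIZE], session_id_len;
};

/* Parse a ServerHello body (extensions ignored). Returns 0 on success, -1 if
 * the body is truncated or the session id length field exceeds 32. */
int parse_server_hello(const uint8_t *buf, size_t len, struct server_hello *out)
{
    size_t pos = 2 + 32; /* offset of the session id length byte */
    uint8_t sid_len;

    if (len < pos + 1) return -1;
    memcpy(out->version, buf, 2);
    memcpy(out->random, buf + 2, 32);
    sid_len = buf[pos++];
    /* Check the peer-supplied length against the fixed buffer before copying. */
    if (sid_len > MAX_SESSION_ID_SIZE) return -1;
    /* Session id, cipher suite (2) and compression (1) must all be present. */
    if (len - pos < (size_t)sid_len + 3) return -1;
    memcpy(out->session_id, buf + pos, sid_len);
    out->session_id_len = sid_len;
    memcpy(out->cipher_suite, buf + pos + sid_len, 2);
    out->compression = buf[pos + sid_len + 2];
    return 0;
}

/* Constructed sample body with the given length field; returns the parsed
 * session id length, or -1 if the parser rejected the message. */
int check_sample(uint8_t sid_len)
{
    uint8_t msg[2 + 32 + 1 + 255 + 3] = { 0x03, 0x03 };
    struct server_hello sh;
    msg[34] = sid_len;
    memset(msg + 35, 0xAB, sid_len);
    if (parse_server_hello(msg, 35 + (size_t)sid_len + 3, &sh) != 0) return -1;
    return sh.session_id_len;
}

/* Exit status 0 means the over-long session id was rejected. */
int main(void) { return check_sample(33) == -1 ? 0 : 1; }
```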