
Bug 622038 (CVE-2017-7507)

Summary: <net-libs/gnutls-3.5.13: Crash upon receiving well-formed status_request extension
Product: Gentoo Security
Reporter: Ian Zimmerman <nobrowser>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: alonbl, crypto+disabled, jstein
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.gnutls.org/security.html#GNUTLS-SA-2017-4
Whiteboard: A3 [glsa cve ]
Package list:
=net-libs/gnutls-3.5.13 alpha amd64 arm ia64 ppc ppc64 x86
Runtime testing required: ---

Description Ian Zimmerman 2017-06-17 17:57:16 UTC
According to the RH summary [1]:

It was found that GnuTLS would crash when receiving a client hello message with status_request extension that has a non-empty responder_id_list.

Upstream ref [2]

Upstream patch [3] [4]

-- 

[1]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7507

[2]
https://gnutls.org/security.html#GNUTLS-SA-2017-4

[3]
https://gitlab.com/gnutls/gnutls/commit/4c4d35264fada08b6536425c051fb8e0b05ee86b

[4]
https://gitlab.com/gnutls/gnutls/commit/3efb6c5fd0e3822ec11879d5bcbea0e8d322cd03
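The report turns on one detail of the wire format: a status_request extension (RFC 6066 section 8) whose responder_id_list is non-empty is perfectly well-formed, so any client can send one, and a crash on it is a remote denial of service against the server. The C below is an added example written for this page; it is not GnuTLS code and not the upstream fix, and it does not reproduce the GnuTLS crash. It encodes a status_request body with two constructed responder IDs (arbitrary bytes, not real responder names) and parses it back with every length field checked against the bytes still available, which is the behaviour a robust implementation needs for a non-empty list; the MAX_RESPONDER_IDS cap of 8 is an assumption for the example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STATUS_TYPE_OCSP 1   /* CertificateStatusType ocsp(1), RFC 6066 */
#define MAX_RESPONDER_IDS 8  /* cap for this example only (assumption) */

/* Parsed view of a status_request body: where each ResponderID lies. */
struct status_request {
    uint8_t status_type;
    size_t responder_count;
    const uint8_t *responder_ids[MAX_RESPONDER_IDS];
    size_t responder_id_lens[MAX_RESPONDER_IDS];
    size_t extensions_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xFF); }

/* Encode status_type || responder_id_list<0..2^16-1> || request_extensions (left empty).
 * Returns the number of bytes written, or 0 if the input does not fit. */
size_t encode_status_request(uint8_t *out, size_t out_len,
                             const uint8_t *const *ids, const size_t *id_lens, size_t n_ids)
{
    size_t list_len = 0, off = 0, i;
    for (i = 0; i < n_ids; i++) {
        if (id_lens[i] == 0 || id_lens[i] > 0xFFFF) return 0; /* ResponderID<1..2^16-1> */
        list_len += 2 + id_lens[i];
    }
    if (list_len > 0xFFFF || out_len < 1 + 2 + list_len + 2) return 0;
    out[off++] = STATUS_TYPE_OCSP;
    wr16(out + off, list_len); off += 2;
    for (i = 0; i < n_ids; i++) {
        wr16(out + off, id_lens[i]); off += 2;
        memcpy(out + off, ids[i], id_lens[i]); off += id_lens[i];
    }
    wr16(out + off, 0); off += 2;               /* request_extensions: empty */
    return off;
}

/* Parse a status_request body. Returns 0 on success, -1 if malformed.
 * Each length is checked against the remaining input before anything is read
 * past it, so a non-empty responder_id_list is handled like an empty one. */
int parse_status_request(const uint8_t *p, size_t len, struct status_request *sr)
{
    size_t off = 0, list_len, list_end;
    memset(sr, 0, sizeof *sr);
    if (len < 3) return -1;
    sr->status_type = p[off++];
    if (sr->status_type != STATUS_TYPE_OCSP) return -1;  /* only ocsp(1) is defined */
    list_len = rd16(p + off); off += 2;
    if (list_len > len - off) return -1;
    list_end = off + list_len;
    while (off < list_end) {
        size_t id_len;
        if (list_end - off < 2) return -1;
        id_len = rd16(p + off); off += 2;
        if (id_len == 0 || id_len > list_end - off) return -1;  /* ID must fit in the list */
        if (sr->responder_count == MAX_RESPONDER_IDS) return -1;
        sr->responder_ids[sr->responder_count] = p + off;
        sr->responder_id_lens[sr->responder_count] = id_len;
        sr->responder_count++;
        off += id_len;
    }
    if (len - off < 2) return -1;
    sr->extensions_len = rd16(p + off); off += 2;
    if (sr->extensions_len > len - off) return -1;
    off += sr->extensions_len;
    return off == len ? 0 : -1;                 /* trailing bytes are malformed */
}

/* Round-trip two constructed ResponderIDs (arbitrary DER-looking bytes, not
 * real responder names). Returns the parsed count, or -1 on failure. */
int demo_roundtrip(void)
{
    static const uint8_t id1[] = {0x30, 0x03, 0x02, 0x01, 0x01};
    static const uint8_t id2[] = {0x30, 0x05, 0x02, 0x03, 0x01, 0x02, 0x03};
    const uint8_t *ids[] = {id1, id2};
    const size_t lens[] = {sizeof id1, sizeof id2};
    uint8_t buf[64];
    struct status_request sr;
    size_t n = encode_status_request(buf, sizeof buf, ids, lens, 2);
    if (n == 0 || parse_status_request(buf, n, &sr) != 0) return -1;
    return (int)sr.responder_count;
}

/* Constructed malformed input: a ResponderID whose length (0x0010) claims more
 * than the 3-byte list holds. The parser must reject it, not read past it. */
int demo_oversized_id(void)
{
    static const uint8_t bad[] = {0x01, 0x00, 0x03, 0x00, 0x10, 0xAA, 0x00, 0x00};
    struct status_request sr;
    return parse_status_request(bad, sizeof bad, &sr);
}
```

The encoder produces 21 bytes for the two IDs and the parser recovers both of them; the second demo shows the inner-length check firing on an ID that would run past the end of its list.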
Comment 1 Alon Bar-Lev gentoo-dev 2017-06-17 18:57:58 UTC
We can stabilize net-libs/gnutls-3.5.13
Comment 2 Sergei Trofimovich gentoo-dev 2017-06-18 12:10:23 UTC
ia64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-18 14:03:11 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-20 07:02:42 UTC
x86 stable
Comment 5 Tobias Klausmann gentoo-dev 2017-06-20 15:01:23 UTC
Stable on alpha.
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-21 12:06:17 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-21 12:19:09 UTC
ppc64 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 8 Alon Bar-Lev gentoo-dev 2017-06-21 15:09:22 UTC
I am very sorry, but arm lately stabilized the older package in bug#612340, so we need this one as well.
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-17 19:56:54 UTC
New GLSA Request filed.

@Maintainers, please proceed to clean up.

Gentoo Security Padawan
ChrisADR
Comment 10 Alon Bar-Lev gentoo-dev 2017-09-18 22:28:04 UTC
(In reply to Alon Bar-Lev from comment #8)
> I am very sorry, but arm lately stabilized the older package in bug#612340,
> so we need this one as well.

I updated the keywords and forgot to add CC, sorry!
Comment 11 Alon Bar-Lev gentoo-dev 2017-10-07 08:05:34 UTC
arm, please?
Comment 12 Markus Meier gentoo-dev 2017-10-14 06:16:14 UTC
arm stable, all arches done.
Comment 13 Alon Bar-Lev gentoo-dev 2017-10-14 06:34:47 UTC
Thanks!

ebuild was removed.
Comment 14 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-14 12:53:41 UTC
Thank you all.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-10-15 04:21:23 UTC
This issue was resolved and addressed in
 GLSA 201710-15 at https://security.gentoo.org/glsa/201710-15
by GLSA coordinator Aaron Bauman (b-man).