Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 681846 (CVE-2019-3829, CVE-2019-3836, GNUTLS-SA-2019-03-27)

Summary: <net-libs/gnutls-3.6.7: multiple vulnerabilities (GNUTLS-SA-2019-03-27)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: alonbl, crypto+disabled
Priority: Normal Keywords: STABLEREQ
Version: unspecifiedFlags: stable-bot: sanity-check+
Hardware: All   
OS: Linux   
URL: https://lists.gnupg.org/pipermail/gnutls-help/2019-March/004497.html
Whiteboard: A2 [glsa+ cve stable]
Package list:
=net-libs/gnutls-3.6.7 alpha amd64 arm arm64 hppa ia64 ppc ppc64 s390 sparc x86
 Runtime testing required: ---
Bug Depends on: 677430, 681096    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2019-03-27 09:35:30 UTC 
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 09:37:45 UTC 
It was found using the TLS fuzzer tools that decoding a malformed TLS1.3 asynchronous message can cause a server crash via an invalid pointer access. The issue affects GnuTLS server applications since 3.6.4. The issue was reported in issue tracker as #704.

Tavis Ormandy from Google Project Zero found a memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected. The issue was reported in issue tracker as #694.

Recommendation: To address the issues found upgrade to GnuTLS 3.6.7 or later versions.
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2019-03-27 11:37:51 UTC 
I version bumped the gnutls, but the changes are not trivial, I suggest to wait about a week before stabilizing.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2019-03-28 02:41:39 UTC 
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself, when ready.
Comment 4 Alon Bar-Lev (RETIRED) gentoo-dev 2019-04-01 06:01:28 UTC 
Let's stabilize.
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-01 07:19:24 UTC 
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-01 17:22:48 UTC 
x86 stable
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-02 09:50:31 UTC 
s390 stable
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-03 07:11:35 UTC 
arm stable
Comment 9 Rolf Eike Beer archtester 2019-04-06 10:22:58 UTC 
sparc stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-06 13:38:46 UTC 
alpha stable
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 10:52:19 UTC 
alpha stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:44:50 UTC 
ia64 stable
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:53:34 UTC 
ppc64 stable
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-08 06:20:19 UTC 
ppc stable
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-11 13:58:29 UTC 
hppa stable
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2019-04-15 20:48:16 UTC 
This issue was resolved and addressed in
 GLSA 201904-14 at https://security.gentoo.org/glsa/201904-14
by GLSA coordinator Aaron Bauman (b-man).
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2019-04-15 20:48:44 UTC 
re-opened for final arches and cleanup.
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2019-04-16 23:37:03 UTC 
arm64 stable
Comment 19 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-17 11:37:54 UTC 
arm stable