Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 831573 (GNUTLS-SA-2022-01-17)

Summary: <net-libs/gnutls-3.7.3: Memory corruption in gnutls_x509_trust_list_verify_crt2()
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gitlab.com/gnutls/gnutls/-/issues/1277
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 834462    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-20 11:24:57 UTC 
"When a single trust list object is shared among multiple threads, calls to gnutls_x509_trust_list_verify_crt2() was able to corrupt temporary memory where internal copy of an issuer certificate is stored. The code path is only taken when a PKCS#11 based trust store is enabled and the issuer certificate is already stored as trusted. The issue was reported in the issue tracker as #1277.
Recommendation: To address the issue found upgrade to GnuTLS 3.7.3 or later versions."

See https://gitlab.com/gnutls/gnutls/-/issues/1277.
Comment 1 Larry the Git Cow gentoo-dev 2022-01-20 12:08:30 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cd7f6673d01d4af7f1bcc9b3ca707b98d679cd5c

commit cd7f6673d01d4af7f1bcc9b3ca707b98d679cd5c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-20 11:39:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-20 12:02:04 +0000

    net-libs/gnutls: add 3.7.3
    
    Bug: https://bugs.gentoo.org/831573
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/gnutls/Manifest            |   1 +
 net-libs/gnutls/gnutls-3.7.3.ebuild | 127 ++++++++++++++++++++++++++++++++++++
 2 files changed, 128 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-19 18:19:40 UTC 
Please cleanup
Comment 3 Hans de Graaff gentoo-dev Security 2024-01-21 14:01:46 UTC 
commit 7b287cd440224ce96f7353353269c3ccada4ad55
Author: David Seifert <soap@gentoo.org>
Date:   Tue Jun 21 11:40:24 2022 +0200

    net-libs/gnutls: drop 3.7.2, 3.7.3-r1, 3.7.5
Comment 4 Larry the Git Cow gentoo-dev 2024-03-22 05:05:43 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ebf59f39cd74d9f923e58850ec66b51ab32bfb7

commit 6ebf59f39cd74d9f923e58850ec66b51ab32bfb7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-03-22 05:04:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-22 05:04:30 +0000

    net-libs/gnutls: drop 3.7.6, 3.7.7
    
    Bug: https://bugs.gentoo.org/831573
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/gnutls/Manifest            |   4 --
 net-libs/gnutls/gnutls-3.7.6.ebuild | 139 -----------------------------------
 net-libs/gnutls/gnutls-3.7.7.ebuild | 140 ------------------------------------
 3 files changed, 283 deletions(-)