Bug 501282 (CVE-2014-1959) - <net-libs/gnutls-2.12.23-r4: certificate verification flaw (GNUTLS-SA-2014-1) (CVE-2014-1959)
Summary: <net-libs/gnutls-2.12.23-r4: certificate verification flaw (GNUTLS-SA-2014-1)...
Status: RESOLVED FIXED
Alias: CVE-2014-1959
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2014-02-14 10:18 UTC by Agostino Sarubbo
Modified: 2016-08-11 11:17 UTC (History)
CC: 6 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-02-14 10:18:49 UTC
From ${URL} :

It was reported [1] that a version 1 intermediate certificate would be considered as a CA certificate by GnuTLS by default. This certificate verification behaviour deviates from the documented behaviour.

Upstream notes that this only affects individuals or organizations who have a CA that issues X.509 version 1 certificates in their trusted list.

This has been fixed upstream [2] in version 3.1.21 and 3.2.11.

At a quick look at the code of GnuTLS 2.8.5, it is affected.  1.4.1 looks affected to me as well.


[1] http://www.gnutls.org/security.html
[2] https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Tim Harder gentoo-dev 2014-02-15 04:01:16 UTC
(In reply to Agostino Sarubbo from comment #0)
> @maintainer(s): after the bump, in case we need to stabilize the package,
> please let us know if it is ready for the stabilization or not.

3.2.11 added to the tree, we're not stabilizing gnutls-3* quite yet.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2014-02-15 18:09:15 UTC
Can we patch 2.12.X with the patch provided to make the stable version secure?
Comment 3 Agostino Sarubbo gentoo-dev 2014-02-16 11:48:37 UTC
(In reply to Yury German from comment #2)
> Can we patch 2.12.X with the patch provided to make the stable version
> secure?

Why did you change A3 [upstream/ebuild] → A3 [ebuild] if there isn't an upstream version?
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2014-02-16 14:17:15 UTC
(In reply to Agostino Sarubbo from comment #3)
> Why did you change A3 [upstream/ebuild] → A3 [ebuild] if there isn't an
> upstream version?

Ago, a patch is available from upstream as part of the security announcement.
Comment 5 Agostino Sarubbo gentoo-dev 2014-02-16 15:01:10 UTC
(In reply to Yury German from comment #4)
> (In reply to Agostino Sarubbo from comment #3)
> > Why did you change A3 [upstream/ebuild] → A3 [ebuild] if there isn't an
> > upstream version?
> 
> Ago, a patch is available from upstream as part of the security announcement.

Actually we are using the tag ebuild when there is a fixed version of the package and upstream/ebuild when only a patch is available.
Comment 6 Alon Bar-Lev gentoo-dev 2014-03-04 20:26:21 UTC
gnutls-2.12.23-r4 in tree.

Stabilize both this bug and bug#503394, no reason to do this twice.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2014-03-24 21:58:20 UTC
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version.

Added to existing GLSA request.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-15 05:05:04 UTC
Maintainer(s), please drop the vulnerable version.
Comment 9 Alon Bar-Lev gentoo-dev 2014-05-15 06:17:04 UTC
(In reply to Yury German from comment #8)
> Maintainer(s), please drop the vulnerable version.

Done.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-15 16:29:11 UTC
Thank you for cleanup!

(In reply to Alon Bar-Lev from comment #9)
> (In reply to Yury German from comment #8)
> > Maintainer(s), please drop the vulnerable version.
> 
> Done.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-06-10 07:50:10 UTC
CVE-2014-1959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1959):
  lib/x509/verify.c in GnuTLS before 3.1.21 and 3.2.x before 3.2.11 treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging an X.509 V1 certificate from a trusted CA to issue new certificates.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-06-13 19:52:01 UTC
This issue was resolved and addressed in
 GLSA 201406-09 at http://security.gentoo.org/glsa/glsa-201406-09.xml
by GLSA coordinator Mikle Kolyada (Zlogene).