Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 511840 (CVE-2014-3466) - <net-libs/gnutls-2.12.23-r6: vulnerable to memory corruption for specially crafted Server Hello (CVE-2014-{3465,3466})
Summary: <net-libs/gnutls-2.12.23-r6: vulnerable to memory corruption for specially cr...
Status: RESOLVED FIXED
Alias: CVE-2014-3466
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.gnutls.org/security.html#G...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-30 08:41 UTC by Kristian Fiskerstrand
Modified: 2014-06-13 19:52 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2014-05-30 08:41:57 UTC
GNUTLS-SA-2014-3
CVE-2014-3466 Memory corruption 	

This vulnerability affects the client side of the gnutls library. A server that a specially crafted ServerHello could corrupt the memory of a requesting client.

Recommendation: Upgrade to the latest gnutls version (3.1.25, 3.2.15 or 3.3.3)

Reproducible: Always
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-30 13:45:46 UTC
Thank you for report K_F.
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2014-05-30 18:33:04 UTC
See also https://bugzilla.redhat.com/show_bug.cgi?id=1101734 re CVE-2014-3465
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2014-05-31 08:46:52 UTC
gnutls just released Version 3.3.4 (released 2014-05-31)

** libgnutls: Updated Andy Polyakov's assembly code. That prevents a
crash on certain CPUs.

So probably best to move directly to 3.3.4 skipping 3.3.3
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2014-06-01 19:48:17 UTC
2.x series is not affected by CVE-2014-3465 as the affected function was introduced in GnuTLS version 3.0: http://gnutls.org/manual/html_node/X509-certificate-API.html#gnutls_005fx509_005fdn_005foid_005fname-1

Still trying to confirm when CVE-2014-3466 was introduced.
Comment 5 Kristian Fiskerstrand gentoo-dev Security 2014-06-01 20:03:27 UTC
At least 2.12.23 seems affected by CVE-2014-3466, upstream has fixed this with the two commits 
https://www.gitorious.org/gnutls/gnutls/commit/688ea6428a432c39203d00acd1af0e7684e5ddfd and https://www.gitorious.org/gnutls/gnutls/commit/688ea6428a432c39203d00acd1af0e7684e5ddfd 

and related https://www.gitorious.org/gnutls/gnutls/commit/1375d4e6d7bb969bf6c91ad78be41698073070f3 

So a temporary work-around might be to backport those commits.
Comment 6 Kristian Fiskerstrand gentoo-dev Security 2014-06-02 05:41:32 UTC
As the 2.x series use an embedded libtasn certain fixes needs to be applied to handle bug 511536 as well if backporting is used. 

See also http://seclists.org/oss-sec/2014/q2/395
Comment 7 Alon Bar-Lev gentoo-dev 2014-06-07 18:17:20 UTC
Added, from[1]

gnutls-2.12.23-CVE-2014-3466.patch
gnutls-2.12.23-CVE-2014-3467.patch
gnutls-2.12.23-CVE-2014-3468.patch
gnutls-2.12.23-CVE-2014-3469.patch

[1] http://seclists.org/oss-sec/2014/q2/395
Comment 8 Kristian Fiskerstrand gentoo-dev Security 2014-06-09 12:50:33 UTC
Thanks. 

Arches, please stabilize

=net-libs/gnutls-2.12.23-r6

Targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 9 Kristian Fiskerstrand gentoo-dev Security 2014-06-09 12:52:12 UTC
Since patches are backported to 2.x series this bug no longer depends on gnutls 3 stabilization
Comment 10 Jeroen Roovers gentoo-dev 2014-06-09 19:13:05 UTC
Stable for HPPA.
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-06-09 20:45:31 UTC
amd64 srable
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-06-09 20:47:28 UTC
x86 stable
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-06-09 20:49:06 UTC
arm stable
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-06-10 07:24:14 UTC
alpha stable
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-06-10 07:31:15 UTC
sparc stable
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-06-10 07:43:02 UTC
ia64 stable
Comment 17 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-06-10 07:43:39 UTC
ppc64/ppc stable
Comment 18 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-06-10 07:46:18 UTC
Added to existing glsa request.

Cleanup, please!
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2014-06-10 07:47:35 UTC
CVE-2014-3466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3466):
  Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c
  in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows
  remote servers to cause a denial of service (memory corruption) or possibly
  execute arbitrary code via a long session id in a ServerHello message.
Comment 20 Alon Bar-Lev gentoo-dev 2014-06-10 07:50:39 UTC
(In reply to Mikle Kolyada from comment #18)
> Added to existing glsa request.
> 
> Cleanup, please!

done
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-06-13 19:52:07 UTC
This issue was resolved and addressed in
 GLSA 201406-09 at http://security.gentoo.org/glsa/glsa-201406-09.xml
by GLSA coordinator Mikle Kolyada (Zlogene).