Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 605238 (CVE-2017-5334, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337, GNUTLS-SA-2017-1, GNUTLS-SA-2017-2) - <net-libs/gnutls-{3.3.26, 3.5.8}: two memory corruption vulnerabilities
Summary: <net-libs/gnutls-{3.3.26, 3.5.8}: two memory corruption vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-5334, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337, GNUTLS-SA-2017-1, GNUTLS-SA-2017-2
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://gnutls.org/security.html#GNUT...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-10 08:42 UTC by Hanno Böck
Modified: 2017-02-10 23:11 UTC (History)
2 users (show)

See Also:
Package list:
=net-libs/gnutls-3.3.26
Runtime testing required: Yes
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2017-01-10 08:42:10 UTC 
Upstream has fixed two memory corruption vulnerabilities with 3.3.26 and 3.5.8. One of them affects OpenPGP certificates (which nobody uses and which are considered deprecated), the other more significant one X.509 certificates.

The fixed versions are already in the tree, but I haven't found an open security bug yet.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2017-01-10 10:34:01 UTC 
@maintainer(s), any concerns with stabilizing here?
Comment 2 Alon Bar-Lev (RETIRED) gentoo-dev 2017-01-10 17:20:57 UTC 
Go ahead with stabilization.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-10 17:48:19 UTC 
CVE request: http://seclists.org/oss-sec/2017/q1/51


@ Arches,

please test and mark stable: =net-libs/gnutls-3.3.26
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-13 15:44:23 UTC 
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-13 17:07:02 UTC 
amd64 stable
Comment 6 Markus Meier gentoo-dev 2017-01-15 12:59:31 UTC 
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-15 16:08:23 UTC 
ppc stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-15 22:20:59 UTC 
Stable on alpha.
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-17 14:42:32 UTC 
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-18 09:51:36 UTC 
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-18 10:06:32 UTC 
ppc64 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-20 08:07:10 UTC 
Stable for HPPA.
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-30 01:20:52 UTC 
New GLSA request filed.


@ Maintainer(s): Please cleanup and drop <net-libs/gnutls-3.3.26!
Comment 14 Alon Bar-Lev (RETIRED) gentoo-dev 2017-01-30 06:50:21 UTC 
(In reply to Thomas Deutschmann from comment #13)
> New GLSA request filed.
> 
> 
> @ Maintainer(s): Please cleanup and drop <net-libs/gnutls-3.3.26!

Done.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-02-10 23:11:28 UTC 
This issue was resolved and addressed in
 GLSA 201702-04 at https://security.gentoo.org/glsa/201702-04
by GLSA coordinator Thomas Deutschmann (whissi).