Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 622038 (CVE-2017-7507) - <net-libs/gnutls-3.5.13: Crash upon receiving well-formed status_request extension
Summary: <net-libs/gnutls-3.5.13: Crash upon receiving well-formed status_request exte...
Alias: CVE-2017-7507
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve ]
Depends on:
Reported: 2017-06-17 17:57 UTC by Ian Zimmerman
Modified: 2017-10-15 04:21 UTC (History)
3 users (show)

See Also:
Package list:
=net-libs/gnutls-3.5.13 alpha amd64 arm ia64 ppc ppc64 x86
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2017-06-17 17:57:16 UTC
According to the RH summary [1]:

It was found that GnuTLS would crash when receiving a client hello message with status_request extension that has a non-empty responder_id_list.

Upstream ref [2]

Upstream patch [3] [4]





Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2017-06-17 18:57:58 UTC
We can stabilize net-libs/gnutls-3.5.13
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-18 12:10:23 UTC
ia64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-18 14:03:11 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-20 07:02:42 UTC
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-20 15:01:23 UTC
Stable on alpha.
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-21 12:06:17 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-21 12:19:09 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Alon Bar-Lev (RETIRED) gentoo-dev 2017-06-21 15:09:22 UTC
I am very sorry, but arm stabilize lately the older package in bug#612340, so need this one as well.
Comment 9 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-17 19:56:54 UTC
New GLSA Request filed.

@Maintainers, please proceed to cleanup.

Gentoo Security Padawan
Comment 10 Alon Bar-Lev (RETIRED) gentoo-dev 2017-09-18 22:28:04 UTC
(In reply to Alon Bar-Lev from comment #8)
> I am very sorry, but arm stabilize lately the older package in bug#612340,
> so need this one as well.

I updated the keywords and forgot to add CC, sorry!
Comment 11 Alon Bar-Lev (RETIRED) gentoo-dev 2017-10-07 08:05:34 UTC
arm, please?
Comment 12 Markus Meier gentoo-dev 2017-10-14 06:16:14 UTC
arm stable, all arches done.
Comment 13 Alon Bar-Lev (RETIRED) gentoo-dev 2017-10-14 06:34:47 UTC

ebuild was removed.
Comment 14 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-14 12:53:41 UTC
Thank you all.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-10-15 04:21:23 UTC
This issue was resolved and addressed in
 GLSA 201710-15 at
by GLSA coordinator Aaron Bauman (b-man).