Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 230263 (CVE-2008-2377) - net-libs/gnutls >=2.3.5 <2.4.1 gnutls_handshake() vulnerabilities (CVE-2008-2377)
Summary: net-libs/gnutls >=2.3.5 <2.4.1 gnutls_handshake() vulnerabilities (CVE-2008-2...
Status: RESOLVED FIXED
Alias: CVE-2008-2377
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: http://article.gmane.org/gmane.comp.e...
Whiteboard: ~3? [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-06-30 21:12 UTC by Robert Buchholz (RETIRED)
Modified: 2008-08-15 10:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-06-30 21:12:11 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Tomas Mraz of RedHat reported an issue in GnuTLS that can lead to a function dereference of a freed heap structure. Impact is currently under discussion.
This bug was introduced in GnuTLS 2.3.5 and is present in GnuTLS 2.4.0.

Please do not proceed any affected versions for stabling. This only affects our ~arch systems.
Comment 1 Daniel Black (RETIRED) gentoo-dev 2008-07-01 10:48:22 UTC
public as per urls
detail http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2948

will do ebuild soon
Comment 2 Daniel Black (RETIRED) gentoo-dev 2008-07-01 12:45:39 UTC
gnutls-2.4.1 added
gnutls-2.4.0 and gnutls-2.3.11.ebuild removed

thanks Robert. description from upstream makes it seem though RCE is unlikely and DoS is fairly sure.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-07-01 13:51:55 UTC
Thanks, closing then.