From ${URL} :

Description

A vulnerability has been reported in GnuTLS, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an out-of-bounds read error within the "_gnutls_ciphertext2compressed()" function in lib/gnutls_cipher.c and can be exploited to cause a crash of the application using the library. The vulnerability is reported in version 2.12.23.

Solution

Fixed in the git repository.

Provided and/or discovered by Andreas Metzler

Original Advisory

GNUTLS-SA-2013-2: http://www.gnutls.org/security.html#GNUTLS-SA-2013-2
Andreas Metzler: http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/6753

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Arches, please test and stabilize: =net-libs/gnutls-2.12.23-r1
Stable on alpha.
Stable for HPPA.
=net-libs/gnutls-2.12.23-r1 amd64: ok (I have given up on FEATURES=test as these took too long to complete)
amd64 stable
x86 stable
arm stable
ia64 stable
ppc stable
sparc stable
ppc64 stable
s390 stable
sh stable
CVE-2013-2116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2116): The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169.
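As an added illustration (editor's example, not GnuTLS code and not part of this bug report), a hypothetical CBC record padding check of the kind that must run before any pad byte is read: the pad length byte is first compared against the record length, so a crafted value cannot drive the comparison loop past the start of the buffer. The record layout, `make_record` and `tls_cbc_check_padding` are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical helper (not GnuTLS code). Assumed decrypted record layout:
 *   [plaintext][MAC (mac_size bytes)][pad bytes ...][pad_len]
 * Every pad byte must equal pad_len. Returns the plaintext length, or -1
 * when the record is malformed, including when pad_len would reach past
 * the start of the buffer (the over-read this check is meant to stop). */
int tls_cbc_check_padding(const uint8_t *rec, size_t rec_len, size_t mac_size)
{
    if (rec == NULL || rec_len == 0)
        return -1;

    size_t pad_len = rec[rec_len - 1];

    /* Bounds check first: pad bytes + length byte + MAC must fit in rec_len.
     * Without it a crafted pad_len walks the loop below off the buffer. */
    if (pad_len + 1 + mac_size > rec_len)
        return -1;

    /* Accumulate mismatches instead of returning early, so the number of
     * bytes scanned does not depend on where a wrong pad byte sits. */
    uint8_t bad = 0;
    for (size_t i = 0; i < pad_len; i++)
        bad |= rec[rec_len - 2 - i] ^ (uint8_t)pad_len;

    return bad ? -1 : (int)(rec_len - pad_len - 1 - mac_size);
}

/* Builds a constructed sample record for testing; the MAC field is filled
 * with 0xAA placeholders since only the padding logic is exercised here. */
size_t make_record(uint8_t *out, const char *plaintext, size_t mac_size,
                   uint8_t pad_len)
{
    size_t pt_len = strlen(plaintext);
    memcpy(out, plaintext, pt_len);
    memset(out + pt_len, 0xAA, mac_size);
    memset(out + pt_len + mac_size, pad_len, (size_t)pad_len + 1);
    return pt_len + mac_size + pad_len + 1;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = make_record(buf, "hello", 20, 3);
    printf("well-formed: %d\n", tls_cbc_check_padding(buf, n, 20));
    buf[n - 1] = 0xFF; /* crafted pad_len far larger than the record */
    printf("crafted pad_len: %d\n", tls_cbc_check_padding(buf, n, 20));
    return 0;
}
```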
Added to existing GLSA draft. Waiting for m68k, then cleanup.
m68k -> ~ only. Cleaned up in another bug. Ready for GLSA.
crypto done
This issue was resolved and addressed in GLSA 201310-18 at http://security.gentoo.org/glsa/glsa-201310-18.xml by GLSA coordinator Sergey Popov (pinkbyte).