Bug 489262 (CVE-2013-4466) - <net-libs/gnutls-3.2.5: libdane buffer overflow (CVE-2013-4466)
Summary: <net-libs/gnutls-3.2.5: libdane buffer overflow (CVE-2013-4466)
Status: RESOLVED FIXED
Alias: CVE-2013-4466
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2013/q4/173
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-24 14:34 UTC by Mikle Kolyada
Modified: 2013-12-03 00:56 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-10-24 14:34:18 UTC
from ${URL}:

Hi,

GNUTLS just posted a security advisory which needs a CVE:

http://www.gnutls.org/security.html#GNUTLS-SA-2013-3
GNUTLS-SA-2013-3
Denial of service
This vulnerability affects the DANE library of gnutls 3.1.x and gnutls
3.2.x. A server that returns more than 4 DANE entries could corrupt the memory
of a requesting client.  Recommendation: Upgrade to the latest gnutls
version (3.1.15 or 3.2.5)

Commit for 3.1:
https://gitorious.org/gnutls/gnutls/commit/916deedf41604270ac398314809e8377476433db

Commit for 3.2:
https://gitorious.org/gnutls/gnutls/commit/ed51e5e53cfbab3103d6b7b85b7ba4515e4f30c3

Ciao, Marcus
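The advisory above describes the defect class only at the level of "more than 4 entries corrupts client memory". The following is an added illustration, not libdane's code and not the fix in the linked commits: a hypothetical client-side collector for TLSA (DANE) records with a fixed number of slots, showing the unchecked form that trusts the server-supplied record count beside a bounded form that refuses surplus records. All structure names, the capacity of 4 and the constructed sample records are assumptions made for the example.

```c
/* Added illustration, not libdane's actual code: a client-side collector for
 * TLSA (DANE) records with a fixed number of slots, in the shape the advisory
 * describes. The unchecked variant shows the defect class (the server-supplied
 * record count is trusted); the checked variant is the mitigation. */
#include <stdio.h>
#include <string.h>

#define MAX_TLSA 4        /* fixed capacity, matching the advisory's "more than 4" */
#define TLSA_DATA_MAX 64  /* hypothetical cap on certificate-association data */

struct tlsa_record {
    unsigned char usage, selector, mtype;   /* TLSA RR fields */
    unsigned char data[TLSA_DATA_MAX];
    size_t data_len;
};

struct tlsa_set {
    struct tlsa_record recs[MAX_TLSA];
    size_t count;
};

/* "Before": copies every record the resolver handed back. With n > MAX_TLSA
 * the write to recs[count] runs past the array; shown for contrast only and
 * never called in this example. */
void tlsa_collect_unchecked(struct tlsa_set *s,
                            const struct tlsa_record *resp, size_t n)
{
    for (size_t i = 0; i < n; i++)
        s->recs[s->count++] = resp[i];
}

/* "After": refuses to store beyond capacity; returns 0 on success, -1 if the
 * set is full or the record's data would not fit. */
int tlsa_set_add(struct tlsa_set *s, const struct tlsa_record *r)
{
    if (s->count >= MAX_TLSA || r->data_len > TLSA_DATA_MAX)
        return -1;
    s->recs[s->count++] = *r;
    return 0;
}

/* Collects up to MAX_TLSA records from a response of n records and returns
 * how many were stored; surplus records are dropped rather than written out
 * of bounds. */
size_t tlsa_collect_checked(struct tlsa_set *s,
                            const struct tlsa_record *resp, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (tlsa_set_add(s, &resp[i]) != 0)
            break;              /* set is full: stop, do not overflow */
        accepted++;
    }
    return accepted;
}

/* Builds a constructed response of n records (DANE-EE / SPKI / SHA-256 style
 * values with made-up digests) and returns how many the checked collector
 * stored. */
size_t demo_collect(size_t n)
{
    struct tlsa_record resp[8];
    struct tlsa_set set;
    memset(&set, 0, sizeof set);
    if (n > 8)
        n = 8;                  /* sample buffer limit for this demo */
    for (size_t i = 0; i < n; i++) {
        memset(&resp[i], 0, sizeof resp[i]);
        resp[i].usage = 3;      /* DANE-EE */
        resp[i].selector = 1;   /* SubjectPublicKeyInfo */
        resp[i].mtype = 1;      /* SHA-256 */
        resp[i].data_len = 32;
        memset(resp[i].data, (int)(0xA0 + i), 32);  /* constructed digest */
    }
    return tlsa_collect_checked(&set, resp, n);
}

int main(void)
{
    printf("6 records offered, %zu stored (capacity %d)\n",
           demo_collect(6), MAX_TLSA);
    return 0;
}
```

The point of the bounded form is that the capacity check lives in the single insertion routine, so every caller that adds a record inherits it; whether to drop surplus records silently or fail the whole lookup is a policy decision the example leaves to the caller via the return value.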
Comment 1 Alon Bar-Lev gentoo-dev 2013-10-24 20:10:38 UTC
gnutls-3.2.5 in tree
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-10-25 11:42:22 UTC
(In reply to Alon Bar-Lev from comment #1)
> gnutls-3.2.5 in tree

thanks, clean up old vuln. versions, please.
Comment 3 Alon Bar-Lev gentoo-dev 2013-10-25 11:47:41 UTC
(In reply to Mikle Kolyada from comment #2)
> (In reply to Alon Bar-Lev from comment #1)
> > gnutls-3.2.5 in tree
> 
> thanks, cleanup old vuln. versions, please,

this is a non-stable package, and there are non-trivial changes since the last version; we should allow people to revert.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-25 14:09:38 UTC
The fact that it's unstable means that there is the possibility of breakage. Leave it for a little while if you want, but the old versions do need to go.
Comment 5 Sergey Popov gentoo-dev 2013-10-27 12:22:57 UTC
(In reply to Alon Bar-Lev from comment #3)
> this is non stable package, and not trivial changes since last, we should
> allow people to revert.

to clarify: we want 3.2.3 and 3.2.4 gone from the tree, not 2.x
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-03 00:56:41 UTC
<3.2.5 seems to be gone from tree, closing.