Bug 1101932 (CVE-2014-3466)
Field | Value
---|---
Summary | CVE-2014-3466 gnutls: insufficient session id length check in _gnutls_read_server_hello (GNUTLS-SA-2014-3)
Product | [Other] Security Response
Reporter | Tomas Hoger <thoger>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA
QA Contact |
Severity | high
Docs Contact |
Priority | high
Version | unspecified
CC | carnil, chorn, gianluca.varisco, jkurik, jrusnack, ksrot, ktietz, lbopf, magoldma, mattdm, mjc, ngalvin, nmavrogi, pablo.iranzo, patrick.d.mayo, pdwyer, security-response-team, tbowling
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Whiteboard |
Fixed In Version | gnutls 3.1.25, gnutls 3.2.15, gnutls 3.3.3
Doc Type | Bug Fix
Doc Text | A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.
Story Points | ---
Clone Of |
Environment |
Last Closed | 2014-06-10 12:29:42 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Bug Depends On | 1102024, 1102025, 1102027, 1102028, 1102355, 1102356, 1103046, 1103047, 1103048
Bug Blocks | 1101736
Attachments |
Description
Tomas Hoger
2014-05-28 08:12:50 UTC
Created attachment 899870 [details]
Patch from Nikos Mavrogiannopoulos
Acknowledgment: Red Hat would like to thank GnuTLS upstream for reporting this issue. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter.

Public now via GNUTLS-SA-2014-3: http://www.gnutls.org/security.html#GNUTLS-SA-2014-3

Fixed in GnuTLS versions 3.1.25, 3.2.15, and 3.3.3:
http://lists.gnutls.org/pipermail/gnutls-devel/2014-May/006944.html
http://lists.gnutls.org/pipermail/gnutls-devel/2014-May/006945.html
http://lists.gnutls.org/pipermail/gnutls-devel/2014-May/006946.html

Upstream commit: https://www.gitorious.org/gnutls/gnutls/commit/688ea6428a432c39203d00acd1af0e7684e5ddfd

Upstream test case for this issue: https://www.gitorious.org/gnutls/gnutls/commit/a7be326f0e33cf7ce52b36474c157f782d9ca977

Created mingw-gnutls tracking bugs for this issue:
Affects: fedora-all [bug 1103047]

Created gnutls tracking bugs for this issue:
Affects: fedora-all [bug 1103046]

Created mingw32-gnutls tracking bugs for this issue:
Affects: epel-5 [bug 1103048]

Is 2.12.x also vulnerable?

Err, I meant: 2.x (2.6? 2.8)

It seems the issue was first introduced via the following commit: https://www.gitorious.org/gnutls/gnutls/commit/8a6517a2#lib/gnutls_handshake.c which pre-dates 1.0.0 by a few years.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2014:0595 https://rhn.redhat.com/errata/RHSA-2014-0595.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2014:0594 https://rhn.redhat.com/errata/RHSA-2014-0594.html

gnutls-3.1.25-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

IssueDescription: A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.

mingw-gnutls-3.1.25-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

mingw-gnutls-3.1.25-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

gnutls-3.1.20-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2014:0684 https://rhn.redhat.com/errata/RHSA-2014-0684.html

This issue has been addressed in the following products:
RHEV-H and Agents for RHEL-6
Via RHSA-2014:0815 https://rhn.redhat.com/errata/RHSA-2014-0815.html
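The bug summary names the defect as a missing session-ID length check when reading a ServerHello. As an added illustration (this is not GnuTLS code and not the patch attached to this bug), the following C parser shows what the check looks like: the ServerHello layout follows RFC 5246 (2-byte version, 32-byte random, 1-byte session ID length, session ID of at most 32 bytes, 2-byte cipher suite, 1-byte compression method), and the length byte is validated against both the protocol maximum and the bytes actually present before anything is copied into the fixed-size field. The struct, function names and the filler message contents are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_RANDOM_LEN          32
#define TLS_MAX_SESSION_ID_LEN  32   /* RFC 5246 7.4.1.3: SessionID is opaque<0..32> */

enum { SH_OK = 0, SH_ERR_SHORT = -1, SH_ERR_SID_TOO_LONG = -2,
       SH_ERR_TRUNCATED = -3, SH_ERR_TAIL = -4 };

/* Hypothetical parsed form of a ServerHello body (example-only type). */
struct server_hello {
    uint16_t version;
    uint8_t  random[TLS_RANDOM_LEN];
    uint8_t  session_id_len;
    uint8_t  session_id[TLS_MAX_SESSION_ID_LEN];
    uint16_t cipher_suite;
    uint8_t  compression;
};

/* Parse a ServerHello body (4-byte handshake header already stripped).
 * Each length is validated against the protocol maximum and against the
 * bytes that remain before anything is copied into a fixed-size field. */
int parse_server_hello(const uint8_t *buf, size_t len, struct server_hello *out)
{
    size_t pos = 0;
    if (len < 2 + TLS_RANDOM_LEN + 1)
        return SH_ERR_SHORT;
    out->version = (uint16_t)((buf[0] << 8) | buf[1]);
    pos = 2;
    memcpy(out->random, buf + pos, TLS_RANDOM_LEN);
    pos += TLS_RANDOM_LEN;

    uint8_t sid_len = buf[pos++];
    if (sid_len > TLS_MAX_SESSION_ID_LEN)      /* the bound this CVE was missing */
        return SH_ERR_SID_TOO_LONG;
    if (len - pos < sid_len)                   /* peer claims more bytes than it sent */
        return SH_ERR_TRUNCATED;
    memcpy(out->session_id, buf + pos, sid_len);
    out->session_id_len = sid_len;
    pos += sid_len;

    if (len - pos < 3)
        return SH_ERR_TAIL;
    out->cipher_suite = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    out->compression  = buf[pos + 2];
    return SH_OK;
}

/* Build a constructed ServerHello body whose session ID claims sid_len bytes.
 * Only the wire layout matters here; the random, session ID and cipher suite
 * bytes are filler. Returns the body length, or 0 if it would not fit. */
size_t build_server_hello(uint8_t *out, size_t cap, uint8_t sid_len)
{
    size_t need = 2 + TLS_RANDOM_LEN + 1 + sid_len + 3;
    if (need > cap)
        return 0;
    size_t pos = 0;
    out[pos++] = 0x03; out[pos++] = 0x03;        /* TLS 1.2 version bytes */
    memset(out + pos, 0xAB, TLS_RANDOM_LEN);     /* filler "random" */
    pos += TLS_RANDOM_LEN;
    out[pos++] = sid_len;
    memset(out + pos, 0x5C, sid_len);            /* filler session ID bytes */
    pos += sid_len;
    out[pos++] = 0xC0; out[pos++] = 0x2F;        /* filler cipher suite id */
    out[pos++] = 0x00;                           /* null compression */
    return pos;
}

/* Parse a complete message whose session ID length byte is sid_len. */
int check_session_id_len(uint8_t sid_len)
{
    uint8_t msg[512];
    struct server_hello sh;
    size_t n = build_server_hello(msg, sizeof msg, sid_len);
    return parse_server_hello(msg, n, &sh);
}

/* Length byte says 16, but only 4 of those bytes are actually delivered. */
int check_truncated(void)
{
    uint8_t msg[512];
    struct server_hello sh;
    size_t n = build_server_hello(msg, sizeof msg, 16);
    return parse_server_hello(msg, n - 3 - 12, &sh);
}

int main(void)
{
    printf("session id 32 bytes  -> %d\n", check_session_id_len(32));
    printf("session id 33 bytes  -> %d\n", check_session_id_len(33));
    printf("session id 255 bytes -> %d\n", check_session_id_len(255));
    printf("truncated message    -> %d\n", check_truncated());
    return 0;
}
```

The two checks are deliberately separate: the first rejects any length above the protocol maximum before the destination buffer size is ever relevant, and the second rejects a length the sender did not actually back with bytes, so neither an over-long nor a truncated message reaches the `memcpy`.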