Bug 1022913 (CVE-2013-4466)

Summary: CVE-2013-4466 gnutls: dane_query_tlsa() buffer overflow (GNUTLS-SA-2013-3)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: erik-fedora, jkurik, jorton, ktietz, mike, pfrields, ratulg, rjones, seceng-idm-qe-list, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: gnutls 3.1.15, gnutls 3.2.5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-29 15:55:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1022925, 1022926    
Bug Blocks: 1022917    

Description Tomas Hoger 2013-10-24 09:19:24 UTC 
Upstream GnuTLS versions 3.1.15 and 3.2.5 correct a buffer overflow in dane_query_tlsa() function used to parse DANE (DNS-based Authentication of Named Entities) DNS records.  The function parses DNS server reply into dane_query_st / dane_query_t struct which can hold up to 4 entries, but the function failed to check this and allowed parsing more then 4 entries form the reply, resulting in buffer overflow.

An application using DANE protocol to verify certificates could crash or, possibly, execute arbitrary code when parsing a response from a malicious DNS server.

Announcements of 3.1.15 and 3.2.5 versions:
http://lists.gnutls.org/pipermail/gnutls-devel/2013-October/006511.html
http://lists.gnutls.org/pipermail/gnutls-devel/2013-October/006512.html

Upstream commits (master and 3.1 branch):
https://gitorious.org/gnutls/gnutls/commit/ed51e5e53cfbab3103d6b7b85b7ba4515e4f30c3
https://gitorious.org/gnutls/gnutls/commit/916deedf41604270ac398314809e8377476433db

DANE support was introduced upstream in version 3.1.3.
Comment 1 Tomas Hoger 2013-10-24 09:24:36 UTC 
mingw-gnutls packages in Fedora (19+) currently use GnuTLS version with DANE support, but it's not compiled in because of missing unbound.  Excerpt from build.log:

checking whether to build libdane... yes
checking for unbound library... no
configure: WARNING:
***
*** libunbound was not found. Libdane will not be built.
***

Hence those packages are not affected.
Comment 3 Tomas Hoger 2013-10-24 09:35:59 UTC 
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1022926]
Comment 4 Tomas Hoger 2013-10-25 06:49:58 UTC 
Upstream advisory id is GNUTLS-SA-2013-3:
http://www.gnutls.org/security.html#GNUTLS-SA-2013-3
Comment 5 Fedora Update System 2013-10-29 03:34:34 UTC 
gnutls-3.1.15-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Tomas Hoger 2013-10-29 15:55:21 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for DANE protocol.
Comment 7 Tomas Hoger 2013-10-31 13:34:48 UTC 
New GnuTLS versions 3.1.16 and 3.2.6 correct off-by-one bug in the original fix, found by Tomas Mraz:
http://lists.gnutls.org/pipermail/gnutls-devel/2013-October/006544.html
http://lists.gnutls.org/pipermail/gnutls-devel/2013-October/006543.html

Commits in upstream git (master and 3.1 branch):
https://gitorious.org/gnutls/gnutls/commit/0dd5529509e46b11d5c0f3f26f99294e0e5fa6dc
https://gitorious.org/gnutls/gnutls/commit/ad6a243b5ad219fda7511d4cbc1f73d77414db77
Comment 8 Tomas Hoger 2013-11-05 21:11:33 UTC 
(In reply to Tomas Hoger from comment #7)
> New GnuTLS versions 3.1.16 and 3.2.6 correct off-by-one bug in the original
> fix

This problem got new CVE CVE-2013-4487, tracked via bug 1025637.
Comment 9 Fedora Update System 2013-11-10 08:10:15 UTC 
gnutls-3.1.16-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-11-18 02:56:29 UTC 
gnutls-3.1.16-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.