Bug 1101734 (CVE-2014-3465)

Summary: CVE-2014-3465 gnutls: gnutls_x509_dn_oid_name NULL pointer dereference
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: carnil, jkurik, jrusnack, nmavrogi, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: gnutls 3.1.20, gnutls 3.2.10
Doc Type: Bug Fix
Last Closed: 2014-06-10 12:29:51 UTC
Bug Depends On: 1102027, 1102028    
Bug Blocks: 1101736    

Description Tomas Hoger 2014-05-27 19:58:10 UTC
A NULL pointer dereference flaw was discovered in GnuTLS's gnutls_x509_dn_oid_name().  The function, when called with the GNUTLS_X509_DN_OID_RETURN_OID flag, should not return NULL to its caller.  However, it could previously return NULL when parsed X.509 certificates included specific OIDs.

The issue was corrected upstream using the following commit:
https://www.gitorious.org/gnutls/gnutls/commit/d3648ebb04b650e6d20a2ec1fb839256b30b9fc6

The fix was first included in upstream versions 3.1.20 and 3.2.10:
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7251
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7250

The affected function was introduced in GnuTLS version 3.0:
http://gnutls.org/manual/html_node/X509-certificate-API.html#gnutls_005fx509_005fdn_005foid_005fname-1

The gnutls packages in Red Hat Enterprise Linux 6 and earlier include GnuTLS versions 2.x or 1.x and were therefore not affected by this issue.  The gnutls and mingw-gnutls packages in Fedora are already updated to the fixed upstream version.
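
The contract described above (with the return-OID flag set, the lookup must never hand NULL to its caller) can be modelled in a few lines. This is an added example, not GnuTLS code and not part of the original report: the table, the function names, the flag value and the cause of the NULL (a matched entry with no short name) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-in for GNUTLS_X509_DN_OID_RETURN_OID; the value is arbitrary. */
#define MODEL_RETURN_OID 1u

struct oid_entry { const char *oid; const char *name; };

/* Constructed table: the second OID is known but has no short name. */
static const struct oid_entry table[] = {
    { "2.5.4.3", "CN" }, { "2.5.4.99", NULL }, { NULL, NULL }
};

/* Breaks the contract: a matched entry's NULL name reaches the caller. */
static const char *lookup_unchecked(const char *oid, unsigned flags)
{
    for (size_t i = 0; table[i].oid != NULL; i++)
        if (strcmp(table[i].oid, oid) == 0)
            return table[i].name;
    return (flags & MODEL_RETURN_OID) ? oid : NULL;
}

/* Keeps the contract: a nameless match falls through to the flag handling. */
static const char *lookup_checked(const char *oid, unsigned flags)
{
    for (size_t i = 0; table[i].oid != NULL; i++)
        if (strcmp(table[i].oid, oid) == 0 && table[i].name != NULL)
            return table[i].name;
    return (flags & MODEL_RETURN_OID) ? oid : NULL;
}

typedef const char *(*lookup_fn)(const char *, unsigned);
/* Caller-side guard; returns a static buffer (not thread-safe) or NULL. */
static const char *format_rdn(lookup_fn lookup, const char *oid, const char *value)
{
    static char buf[128];
    const char *name = lookup(oid, MODEL_RETURN_OID);
    if (name == NULL)
        name = oid;   /* fall back to the dotted OID instead of dereferencing NULL */
    int n = snprintf(buf, sizeof buf, "%s=%s", name, value);
    return (n < 0 || (size_t)n >= sizeof buf) ? NULL : buf;
}

int main(void)
{
    printf("%s\n", format_rdn(lookup_unchecked, "2.5.4.99", "example"));
    printf("%s\n", format_rdn(lookup_checked, "2.5.4.3", "example"));
    return 0;
}
```

The guard in `format_rdn` is the check a caller can apply while still linked against an unfixed library version.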

Comment 1 Tomas Hoger 2014-05-27 20:00:00 UTC
Statement:

This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 4, 5, and 6.

Comment 3 Tomas Hoger 2014-05-29 11:41:33 UTC
Acknowledgment:

Red Hat would like to thank GnuTLS upstream for reporting this issue.

Comment 4 errata-xmlrpc 2014-06-10 12:24:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0684 https://rhn.redhat.com/errata/RHSA-2014-0684.html