Bug 1212459 (CVE-2015-3308)

Summary: CVE-2015-3308 gnutls: use-after-free flaw in CRL distribution points parsing
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acathrow, bmcclain, carnil, cfergeau, erik-fedora, idith, lsurette, michal.skrivanek, mike, rh-spice-bugs, rjones, sardella, slawomir, srevivo, ykaul
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: gnutls 3.3.14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-06-13 21:04:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1212463, 1212464, 1212465
Bug Blocks: 1212469

Description Martin Prpič 2015-04-16 13:07:39 UTC
A use-after-free flaw was found in the way GnuTLS parsed CRL distribution points. A specially crafted certificate could cause an application using GnuTLS to crash.

Upstream patches:

https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9
https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02

Comment 1 Martin Prpič 2015-04-16 13:20:17 UTC
Created mingw-gnutls tracking bugs for this issue:

Affects: fedora-21 [bug 1212464]
Affects: epel-7 [bug 1212465]

Comment 2 Martin Prpič 2015-04-16 13:20:21 UTC
Created gnutls tracking bugs for this issue:

Affects: fedora-21 [bug 1212463]

Comment 3 Martin Prpič 2015-04-16 13:22:24 UTC
The affected function, gnutls_x509_ext_import_crl_dist_points(), was introduced in GnuTLS version 3.3.0:

http://gnutls.org/manual/html_node/X509-certificate-API.html#gnutls_005fx509_005fext_005fimport_005fcrl_005fdist_005fpoints-1

Comment 4 Martin Prpič 2015-04-16 13:22:42 UTC
Statement:

This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 5 and 6. This issue affects the version of gnutls as shipped with Red Hat Enterprise Linux 7. A further update may address this flaw.

Comment 6 Fedora Update System 2015-05-03 00:47:36 UTC
mingw-gnutls-3.3.14-1.el7, mingw-libtasn1-4.4-1.el7, mingw-p11-kit-0.20.7-1.el7 have been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Product Security DevOps Team 2021-06-13 21:04:03 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-3308