Bug 1343505 (CVE-2016-4456)

Summary: CVE-2016-4456 gnutls: Environment variable GNUTLS_KEYLOGFILE is obtained via insecure getenv()
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alonbl, bmcclain, carnil, cfergeau, dblechte, eedri, erik-fedora, lsurette, mgoldboi, michal.skrivanek, mike, mprpic, nmavrogi, rh-spice-bugs, rjones, sardella, srevivo, tmraz, ylavi
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: gnutls 3.4.13 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-13 12:40:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1343508    
Bug Blocks:    

Description Adam Mariš 2016-06-07 12:00:20 UTC 
It was reported that gnutls 3.4.12 uses an environment variable (GNUTLS_KEYLOGFILE) to write the keys of the running sessions. This variable is obtained insecurely via getenv(), meaning that any set-uid program using gnutls can be used to overwrite any file on the filesystem.

Upstream patch:

https://gitlab.com/gnutls/gnutls/compare/fb2a6baef79f4aadfd95e657fe5a18da20a1410e...86076c9b17b9a32b348cafb8b724f57f7da64d58

External References:

http://gnutls.org/security.html#GNUTLS-SA-2016-1
Comment 1 Adam Mariš 2016-06-07 12:00:39 UTC 
Acknowledgments:

Name: Nikos Mavrogiannopoulos (Red Hat)
Comment 2 Adam Mariš 2016-06-07 12:01:01 UTC 
Created gnutls tracking bugs for this issue:

Affects: fedora-23 [bug 1343508]
Comment 3 Adam Mariš 2016-06-07 12:01:38 UTC 
*** Bug 1343342 has been marked as a duplicate of this bug. ***
Comment 4 Fedora Update System 2016-06-08 22:52:31 UTC 
gnutls-3.4.13-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2016-06-18 18:39:22 UTC 
gnutls-3.4.13-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Tomas Hoger 2018-09-13 07:53:40 UTC 
Quoting more detailed description from the upstream advisory:

"""
Setuid programs using GnuTLS 3.4.12 could potentially allow an attacker to overwrite and corrupt arbitrary files in the filesystem. This issue was introduced in GnuTLS 3.4.12 with the GNUTLS_KEYLOGFILE environment variable handling via getenv() and fixed in GnuTLS 3.4.13 by switching to secure_getenv() where available. Recommendation: Upgrade to GnuTLS 3.4.13, or later versions.
"""

https://www.gnutls.org/security.html#GNUTLS-SA-2016-1
Comment 10 Tomas Hoger 2018-09-13 12:40:42 UTC 
Note that changes to use secure_getenv() instead of getenv() were also applied to GnuTLS 3.3 in version 3.3.24:

https://gitlab.com/gnutls/gnutls/commit/b0a3048e56611a2deee4976aeba3b8c0740655a6

Those changes are not believed to have any security impact.