Bug 1343505 (CVE-2016-4456)
Summary: | CVE-2016-4456 gnutls: Environment variable GNUTLS_KEYLOGFILE is obtained via insecure getenv() | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Priority: | medium |
Version: | unspecified | CC: | alonbl, bmcclain, carnil, cfergeau, dblechte, eedri, erik-fedora, lsurette, mgoldboi, michal.skrivanek, mike, mprpic, nmavrogi, rh-spice-bugs, rjones, sardella, srevivo, tmraz, ylavi |
Target Milestone: | --- | Keywords: | Reopened, Security |
Hardware: | All | OS: | Linux |
Fixed In Version: | gnutls 3.4.13 | | |
Last Closed: | 2018-09-13 12:40:42 UTC | Type: | --- |
Bug Depends On: | 1343508 | ||
Description
Adam Mariš
2016-06-07 12:00:20 UTC
Acknowledgments:

Name: Nikos Mavrogiannopoulos (Red Hat)

Created gnutls tracking bugs for this issue:

Affects: fedora-23 [bug 1343508]

*** Bug 1343342 has been marked as a duplicate of this bug. ***

gnutls-3.4.13-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

gnutls-3.4.13-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Quoting more detailed description from the upstream advisory:

"""
Setuid programs using GnuTLS 3.4.12 could potentially allow an attacker to overwrite and corrupt arbitrary files in the filesystem. This issue was introduced in GnuTLS 3.4.12 with the GNUTLS_KEYLOGFILE environment variable handling via getenv() and fixed in GnuTLS 3.4.13 by switching to secure_getenv() where available.

Recommendation: Upgrade to GnuTLS 3.4.13, or later versions.
"""

https://www.gnutls.org/security.html#GNUTLS-SA-2016-1

Note that changes to use secure_getenv() instead of getenv() were also applied to GnuTLS 3.3 in version 3.3.24:

https://gitlab.com/gnutls/gnutls/commit/b0a3048e56611a2deee4976aeba3b8c0740655a6

Those changes are not believed to have any security impact.
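
The pattern the advisory names, "secure_getenv() where available", written out as an added example; this is not GnuTLS source code and not part of the bug report. The helper names runs_elevated, env_unless_elevated and keylog_path are hypothetical, and the non-glibc fallback (ignore the variable when real and effective IDs differ) is an assumption about what a portable build would do.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes secure_getenv() in glibc's <stdlib.h> */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __GLIBC__
/* Repeated prototype: harmless, and covers builds where _GNU_SOURCE
 * was defined after the first system header was already included. */
char *secure_getenv(const char *name);
#endif

/* Nonzero when real and effective IDs differ, i.e. a setuid/setgid
 * program whose environment was set by a less-privileged caller. */
int runs_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Fallback policy (assumption) for platforms without secure_getenv():
 * ignore the environment entirely when running elevated. */
const char *env_unless_elevated(const char *name, int elevated)
{
    return elevated ? NULL : getenv(name);
}

/* Key log path, or NULL when unset, empty, or not to be trusted.
 * On glibc, secure_getenv() returns NULL in "secure execution" mode,
 * which covers setuid/setgid and other privilege transitions. */
const char *keylog_path(void)
{
#ifdef __GLIBC__
    const char *p = secure_getenv("GNUTLS_KEYLOGFILE");
#else
    const char *p = env_unless_elevated("GNUTLS_KEYLOGFILE", runs_elevated());
#endif
    return (p != NULL && p[0] != '\0') ? p : NULL;
}

int main(void)
{
    const char *p = keylog_path();
    printf("key log: %s\n", p ? p : "(disabled)");
    return 0;
}
```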