Bug 1678411 (CVE-2019-3836)

Summary: CVE-2019-3836 gnutls: invalid pointer access upon receiving async handshake messages
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: cfergeau, crypto-team, erik-fedora, hkario, iamleot+rhbugzilla, jv+fedora, mike, pemensik, pspacek, rh-spice-bugs, rjones, tmraz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: gnutls 3.6.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way gnutls handled malformed TLS 1.3 asynchronous (post-handshake) messages. An attacker could use this flaw to crash an application linked against gnutls via an invalid pointer access.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-11-06 00:52:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1693214, 1693288, 1693289    
Bug Blocks: 1678414    

Description Pedro Sampaio 2019-02-18 17:41:29 UTC
It was discovered in gnutls upstream that there is an uninitialized pointer access in gnutls versions 3.6.4 or later which can be triggered by certain post-handshake messages.

Upstream issue:

https://gitlab.com/gnutls/gnutls/issues/704

Comment 2 Dhananjay Arunesh 2019-03-27 11:17:54 UTC
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1693214]

Comment 4 Hubert Kario 2019-03-27 13:25:48 UTC
The tlsfuzzer[1] test-tls13-keyupdate.py[2] test script can be used in concert with valgrind to verify the fix.

 1 - https://github.com/tomato42/tlsfuzzer
 2 - https://github.com/tomato42/tlsfuzzer/pull/501
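
The message class the test script above exercises, written out as an added example (this is not gnutls code and not tlsfuzzer code): a receiver for TLS 1.3 post-handshake messages that validates every length and field before touching the body, so a malformed KeyUpdate is rejected with an error rather than reaching code that reads partially initialised state. Framing and field values follow RFC 8446 (handshake header of 1-byte type plus 3-byte length; KeyUpdate is type 24 with one KeyUpdateRequest byte that must be 0 or 1; NewSessionTicket is type 4). The probe set in `key_update_probes` is constructed for this example and only loosely mirrors the cases in test-tls13-keyupdate.py; the function and exception names are this example's own.

```python
"""Validating receiver for TLS 1.3 post-handshake (asynchronous) messages.

Hypothetical example, not gnutls or tlsfuzzer code.  Structures follow
RFC 8446; the probe inputs below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List

HT_NEW_SESSION_TICKET = 4
HT_KEY_UPDATE = 24

# Handshake types RFC 8446 allows once the handshake has completed.
POST_HANDSHAKE_TYPES = {HT_NEW_SESSION_TICKET, HT_KEY_UPDATE}


class MalformedMessage(ValueError):
    """Raised before any partially parsed structure is handed on."""


@dataclass(frozen=True)
class HandshakeMessage:
    msg_type: int
    body: bytes


def encode_handshake(msg_type: int, body: bytes) -> bytes:
    """RFC 8446 handshake framing: msg_type(1) || length(3) || body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def validate_key_update(body: bytes) -> int:
    """KeyUpdate carries exactly one byte: update_not_requested(0) or update_requested(1)."""
    if len(body) != 1:
        raise MalformedMessage("KeyUpdate body must be 1 byte, got %d" % len(body))
    if body[0] not in (0, 1):
        raise MalformedMessage("KeyUpdate request value %d is not 0 or 1" % body[0])
    return body[0]


def validate_new_session_ticket(body: bytes) -> None:
    """Walk ticket_lifetime(4) ticket_age_add(4) ticket_nonce<0..255>
    ticket<1..2^16-1> extensions<0..2^16-2>, checking each length first."""
    pos = 8
    if len(body) < pos + 1:
        raise MalformedMessage("NewSessionTicket shorter than its fixed fields")
    pos += 1 + body[pos]  # ticket_nonce
    if len(body) < pos + 2:
        raise MalformedMessage("NewSessionTicket truncated before ticket length")
    ticket_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if ticket_len == 0:
        raise MalformedMessage("NewSessionTicket ticket must not be empty")
    pos += ticket_len
    if len(body) < pos + 2:
        raise MalformedMessage("NewSessionTicket truncated before extensions length")
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")
    if pos != len(body):
        raise MalformedMessage("NewSessionTicket declared lengths do not match body size")


def parse_handshake_messages(data: bytes) -> List[HandshakeMessage]:
    """Split a record payload into fully validated post-handshake messages.

    Every length is checked before the corresponding slice is taken, so a
    truncated or oversized message raises instead of yielding a half-filled
    structure to the caller.
    """
    msgs: List[HandshakeMessage] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise MalformedMessage("truncated handshake header at offset %d" % pos)
        msg_type = data[pos]
        length = int.from_bytes(data[pos + 1:pos + 4], "big")
        body_start, body_end = pos + 4, pos + 4 + length
        if body_end > len(data):
            raise MalformedMessage("type %d declares %d body bytes, only %d present"
                                   % (msg_type, length, len(data) - body_start))
        if msg_type not in POST_HANDSHAKE_TYPES:
            raise MalformedMessage("handshake type %d not allowed post-handshake" % msg_type)
        body = data[body_start:body_end]
        if msg_type == HT_KEY_UPDATE:
            validate_key_update(body)
        else:
            validate_new_session_ticket(body)
        msgs.append(HandshakeMessage(msg_type, body))
        pos = body_end
    return msgs


def key_update_probes() -> Dict[str, bytes]:
    """Constructed inputs: well-formed KeyUpdates plus malformed variants."""
    return {
        "update_not_requested": encode_handshake(HT_KEY_UPDATE, b"\x00"),
        "update_requested": encode_handshake(HT_KEY_UPDATE, b"\x01"),
        "two_in_one_record": encode_handshake(HT_KEY_UPDATE, b"\x01") * 2,
        "bad_request_value": encode_handshake(HT_KEY_UPDATE, b"\x02"),
        "empty_body": encode_handshake(HT_KEY_UPDATE, b""),
        "trailing_byte": encode_handshake(HT_KEY_UPDATE, b"\x01\x00"),
        "truncated_header": encode_handshake(HT_KEY_UPDATE, b"\x01")[:3],
        "type_not_allowed": encode_handshake(1, b"\x03\x03" + bytes(32)),
    }


def classify(data: bytes) -> str:
    """Return how a robust receiver would treat the payload."""
    try:
        msgs = parse_handshake_messages(data)
    except MalformedMessage as exc:
        return "rejected: %s" % exc
    return "accepted: %d message(s)" % len(msgs)


if __name__ == "__main__":
    for name, payload in key_update_probes().items():
        print("%-22s %s" % (name, classify(payload)))
```

Running the module prints one verdict per probe; the two well-formed KeyUpdates and the back-to-back pair are accepted, every other probe is rejected before its body is interpreted. The same inputs, sent over a real connection as tlsfuzzer does, are what you would run against a gnutls server under valgrind to confirm that no invalid read is reported.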

Comment 5 Leonardo Taccari 2019-03-29 21:58:29 UTC
Hello!
According to:

 https://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27

it seems that versions since 3.6.4 are affected (not 3.6.3 as originally pointed out by Pedro in the 1st comment).
Is 3.6.3 also affected?


Thanks!

Comment 6 Pedro Sampaio 2019-04-03 21:04:47 UTC
(In reply to Leonardo Taccari from comment #5)
> Hello!
> according:
> 
>  https://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27
> 
> it seems that versions since 3.6.4 are affected (not 3.6.3 as originally
> pointed out by Pedro in the 1st comment).
> Is also 3.6.3 affected?
> 
> 
> Thanks!

Yes, I believe you are right. Fixed.

Thank you for pointing that out.

Comment 7 Huzaifa S. Sidhpurwala 2019-04-05 05:47:34 UTC
Acknowledgments:

Name: Hubert Kario (Red Hat QE BaseOS Security team)

Comment 8 Huzaifa S. Sidhpurwala 2019-04-05 05:47:38 UTC
External References:

https://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27

Comment 9 Huzaifa S. Sidhpurwala 2019-04-05 05:51:02 UTC
Upstream commit: https://gitlab.com/gnutls/gnutls/commit/96e07075e8f105b13e76b11e493d5aa2dd937226

Comment 10 Hubert Kario 2019-04-05 11:10:00 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #7)
> Acknowledgments:
> 
> Name: Hubert Kario (Red Hat QE BaseOS Security team)

Actually the issue was identified by Daiki Ueno (Red Hat BaseOS Crypto team), I've just slightly extended tests originally written by Róbert Kolcún.

Comment 11 errata-xmlrpc 2019-11-05 21:17:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3600 https://access.redhat.com/errata/RHSA-2019:3600

Comment 12 Product Security DevOps Team 2019-11-06 00:52:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3836