Bug 498423 (CVE-2009-1415)

Summary: CVE-2009-1415 gnutls: Double free and free of invalid pointer on certain errors [GNUTLS-SA-2009-1]
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: berrange, jorton, rjones, tmraz, vdanen
Keywords: Security
Hardware: All
OS: Linux
URL: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3515
Doc Type: Bug Fix
Last Closed: 2009-09-18 19:57:30 UTC

Description Tomas Hoger 2009-04-30 12:41:43 UTC
Quoting upstream security advisory:
  http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3515

  Miroslav Kratochvil reported that he was able to crash libgnutls
  when experimenting with (corrupt) DSA keys.  The client crashes when
  verifying invalid DSA signatures provided by the remote server when
  using a DSA ciphersuite.  The code that crashes is also used for
  verifying DSA signatures in X.509 Certificates, and for verifying
  RSA/DSA signatures in OpenPGP keys.

  Only GnuTLS 2.6.x is affected.  GnuTLS 2.4.x and earlier did not
  contain the buggy code.

Fixed upstream in 2.6.6:
  http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3514

Comment 1 Tomas Hoger 2009-04-30 12:48:32 UTC
This issue did not affect versions of gnutls shipped in Red Hat Enterprise Linux 4 and 5, and Fedora up to version 10, as they are based on upstream versions prior to 2.6.  gnutls 2.6.x is currently in F11/Rawhide; mingw32-gnutls, based on an upstream 2.6.x version, is in F10 too.

Comment 2 Vincent Danen 2009-05-01 16:52:50 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1415 to
the following vulnerability:

Name: CVE-2009-1415
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415
Assigned: 20090424
Reference: MLIST:[gnutls-devel] 20090423 Re: some crashes on using DSA keys
Reference: URL: http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3502
Reference: MLIST:[gnutls-devel] 20090430 Double free and free of invalid pointer on certain errors [GNUTLS-SA-2009-1] [CVE-2009-1415]
Reference: URL: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3515
Reference: CONFIRM: http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3488
Reference: SECUNIA:34842
Reference: URL: http://secunia.com/advisories/34842

lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not
properly handle invalid DSA signatures, which allows remote attackers
to cause a denial of service (application crash) and possibly have
unspecified other impact via a malformed DSA key that triggers a (1)
free of an uninitialized pointer or (2) double free.
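
The two error-path defects named in the CVE text, (1) releasing a handle that was never set and (2) releasing the same handle on two paths, modelled as an added example that is not GnuTLS's code: the handle pool, the `mpi_*` helpers and the two-byte "r s" signature encoding are constructed so that a bad release is counted rather than corrupting a real heap, and the fixed shape shows the cleanup discipline that removes both defects.

```c
/* Added example, not GnuTLS code: error-path cleanup in a toy DSA verify.
 * Handles index a tracked pool so invalid/double releases are counted, not UB. */
#include <string.h>
#define POOL 8
#define NONE (-1)                       /* the "NULL" handle */
static int live[POOL];                  /* 1 while a slot is allocated */
static int bad_frees;                   /* invalid or double releases caught */
static int mpi_new(void) {              /* lowest free slot, or NONE */
    for (int i = 0; i < POOL; i++) if (!live[i]) { live[i] = 1; return i; }
    return NONE;
}
static void mpi_release(int h) {        /* flags bad frees instead of crashing */
    if (h < 0 || h >= POOL || !live[h]) { bad_frees++; return; }
    live[h] = 0;
}
/* Parse constructed "r s" bytes: 0 ok, 1 no r, 2 no s. Outputs set as parsed. */
static int decode(const unsigned char *sig, int len, int *r, int *s) {
    if (len < 1 || sig[0] == 0) return 1;
    *r = mpi_new();
    if (len < 2 || sig[1] == 0) return 2;
    *s = mpi_new();
    return 0;
}
/* Buggy shape: handles never initialised, one of them freed on two paths. */
static int verify_buggy(const unsigned char *sig, int len) {
    int r = 5, s = 5;                   /* stands in for uninitialised stack contents */
    int rc = decode(sig, len, &r, &s);
    if (rc) goto cleanup;               /* (1) frees handles decode never set */
    if (sig[0] != sig[1]) { mpi_release(r); rc = 3; }  /* mismatch: freed here ... */
cleanup:
    mpi_release(r); mpi_release(s);     /* ... (2) and again here: double free */
    return rc;
}
static void mpi_drop(int *h) { if (*h != NONE) mpi_release(*h); *h = NONE; }
/* Fixed shape: NONE-initialised handles, one cleanup path, release-and-reset. */
static int verify_fixed(const unsigned char *sig, int len) {
    int r = NONE, s = NONE;
    int rc = decode(sig, len, &r, &s);
    if (rc == 0 && sig[0] != sig[1]) rc = 3;
    mpi_drop(&r); mpi_drop(&s);         /* NONE is a no-op, so partial decodes are safe */
    return rc;
}
/* Run one verifier on a fresh pool and report how many bad frees it performed. */
static int bad_frees_for(int (*vf)(const unsigned char *, int),
                         const unsigned char *sig, int len) {
    memset(live, 0, sizeof live); bad_frees = 0;
    vf(sig, len);
    return bad_frees;
}
```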

Comment 3 Vincent Danen 2009-09-18 19:57:30 UTC
Fedora 11 contains gnutls-2.6.6-1.fc11 so there is nothing actually vulnerable to this issue.