Bug 504791

Summary: Fix checking of certificate activation/expiration times in gnutls (GNUTLS-SA-2009-3 / CVE-2009-1417)
Product: [Fedora] Fedora Reporter: g.trentalancia
Component: gnutlsAssignee: Tomas Mraz <tmraz>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 10CC: thoger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3517
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-06-09 14:14:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 497983    
Attachments:
Description Flags
Patched source RPM package
none
Patched source RPM package (fix CVE/bug number)
none
Final patched source RPM package none

Description g.trentalancia 2009-06-09 13:38:08 UTC
Created attachment 347024 [details]
Patched source RPM package

Description of problem:
GnuTLS applications (such as gnutls-cli) do not check the activation and expiration dates of X.509 certificates.

Version-Release number of selected component (if applicable):
2.4.2-3

How reproducible:
Use function _gnutls_x509_verify_certificate (in lib/x509/verify.c in libgnutls_x509). Such function is used by at least the following applications: (a) Exim, (b) OpenLDAP, and (c) libsoup

Steps to Reproduce:
1. Use function _gnutls_x509_verify_certificate on expired X.509 certificates
2. Or, use gnutls-cli on expired X.509 certificates
3. Example certificate for testing: expired.demo.gnutls.org
  
Actual results:
Expired certificates are accepted

Expected results:
Expired certificates should not be accepted

Additional info:
For full report, see http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/351

CVE report: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417

A patch has been proposed in the above mentioned report and has been included in the attached SRPM (gnutls-2.4.2-4.fc10.src.rpm).

Comment 1 Tomas Hoger 2009-06-09 14:01:23 UTC
Fixing summary (wrong CVE/upstream advisory id), adding block on bug tracking this, removing visibility restrictions (no point in creating private bugs for public issues).  Tomas, I'll let you explain why changing this during the distribution lifetime is not the best idea.

At least it seems applications have no easy way to cope with new error status code introduced by the patch.

Comment 2 Tomas Mraz 2009-06-09 14:14:24 UTC
Most applications which do not do expiration checking on their own would probably fail when expired certificate is encountered with some general certificate verification error. The severity of the issue is low and it is fixed in the Fedora 11 package.

Comment 3 g.trentalancia 2009-06-09 14:30:01 UTC
Created attachment 347033 [details]
Patched source RPM package (fix CVE/bug number)

Fix incorrect CVE/bug number (correct reference is GNUTLS-SA-2009-3 / CVE-2009-1417).

Comment 4 g.trentalancia 2009-06-09 17:55:05 UTC
Created attachment 347067 [details]
Final patched source RPM package

The patch provided by Simon, apparently does not resolve the issue properly, because the function might return before the check on activation/expiration date is carried out.

It would be better if the function only returns at the end, after all checks (including the new check on activation/expiration) have been carried out.

The new attachment reflects the above considerations.

Because the certificate is also marked with the flag INVALID (which has already been used in other conditions), then applications that are not aware of the new check/flag, should still be able to detect the INVALID flag.

Fedora 11 is not affected because uses version 2.6.6 of gnutls. Obviously, upgrading also Fedora 10 to gnutls version 2.6.6 is a better solution...