Bug 504791
| Summary: | Fix checking of certificate activation/expiration times in gnutls (GNUTLS-SA-2009-3 / CVE-2009-1417) | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | g.trentalancia | ||||||||
| Component: | gnutls | Assignee: | Tomas Mraz <tmraz> | ||||||||
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | 10 | CC: | thoger | ||||||||
| Target Milestone: | --- | Keywords: | Security | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| URL: | http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3517 | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2009-06-09 14:14:24 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | |||||||||||
| Bug Blocks: | 497983 | ||||||||||
| Attachments: |
|
||||||||||
|
Description
g.trentalancia
2009-06-09 13:38:08 UTC
Fixing summary (wrong CVE/upstream advisory id), adding block on bug tracking this, removing visibility restrictions (no point in creating private bugs for public issues). Tomas, I'll let you explain why changing this during the distribution lifetime is not the best idea. At least it seems applications have no easy way to cope with new error status code introduced by the patch. Most applications which do not do expiration checking on their own would probably fail when expired certificate is encountered with some general certificate verification error. The severity of the issue is low and it is fixed in the Fedora 11 package. Created attachment 347033 [details] Patched source RPM package (fix CVE/bug number) Fix incorrect CVE/bug number (correct reference is GNUTLS-SA-2009-3 / CVE-2009-1417). Created attachment 347067 [details]
Final patched source RPM package
The patch provided by Simon, apparently does not resolve the issue properly, because the function might return before the check on activation/expiration date is carried out.
It would be better if the function only returns at the end, after all checks (including the new check on activation/expiration) have been carried out.
The new attachment reflects the above considerations.
Because the certificate is also marked with the flag INVALID (which has already been used in other conditions), then applications that are not aware of the new check/flag, should still be able to detect the INVALID flag.
Fedora 11 is not affected because uses version 2.6.6 of gnutls. Obviously, upgrading also Fedora 10 to gnutls version 2.6.6 is a better solution...
|