Bug 573028 (CVE-2010-0731)

Summary: CVE-2010-0731 gnutls: gnutls_x509_crt_get_serial incorrect serial decoding from ASN1 (BE64) [GNUTLS-SA-2010-1]
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: security-response-team, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,source=redhat,reported=20100311,public=20100325,cvss2=5/AV:N/AC:L/Au:N/C:N/I:N/A:P
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-25 06:49:09 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 565562, 565563, 572549    
Bug Blocks:    

Description Tomas Hoger 2010-03-12 11:16:28 EST
During the testing of GnuTLS updates, a flaw was discovered affecting Red Hat Enterprise Linux 4 GnuTLS packages on s390x platform, causing gnutls-cli to crash while printing server certificate info.

This crash was caused by a flaw in gnutls_x509_crt_get_serial(), which calls asn1_read_value() to extract serial number from the x509 certificate.

(lib/x509/x509.c)
 526 int gnutls_x509_crt_get_serial(gnutls_x509_crt cert, void* result,
 527     size_t* result_size)
 528 {
 ...
 536     if ((ret = asn1_read_value(cert->cert, "tbsCertificate.serialNumber", result, result_size)) < 0) {

asn1_read_value() expects pointer to int (32 bit) as its third argument, but gnutls_x509_crt_get_serial() passed pointer to size_t (64 bit on 64 bit platforms) instead.  On 64bit big endian platforms asn1_read_value() got incorrect length value.

(lib/minitasn1/element.c)
 598 asn1_retCode
 599 asn1_read_value(node_asn *root,const char *name,void* ivalue, int *len)

On little endian 64 bit platforms, high 32 bits of the *result_size size_t value were lost, but they only contained zeros.  On big endian 64 bit platforms, low 32 bits were lost / ignored, causing asn1_read_value() to see length value as 0.  This caused asn1_read_value() to return an error, but the length of the value that should have been extracted was saved to *len.

gnutls_x509_crt_get_serial() did not correctly check return value of asn1_read_value(), failing to detect an error.  After returning, caller could see a high value stored in *result_size (when interpreted as 64 bit value again).

print_x509_info() (used by gnutls-cli or gnutls-serv) and print_certificate_info() (used by certtool) relied on the returned size value.  Unexpected value caused a stack buffer overflow in those functions.

This bug could also cause gnutls_x509_crt_check_revocation() to incorrectly check supplied X509 certificate against the list of revoked certificates, resulting in a bypass or the CRL check.

This issue was fixed upstream via following commit:
  http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=112d537d

This fix was first included in upstream version 1.2.1.  Therefore, GnuTLS packages in Red Hat Enterprise Linux 5, Fedora, and current upstream GnuTLS versions are not affected by this flaw.
Comment 2 Tomas Hoger 2010-03-25 03:57:43 EDT
Making bug public.
Comment 3 Tomas Hoger 2010-03-25 04:26:53 EDT
GnuTLS upstream is tracking this as GNUTLS-SA-2010-1:
  http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4230
Comment 4 errata-xmlrpc 2010-03-25 06:38:58 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0167 https://rhn.redhat.com/errata/RHSA-2010-0167.html