Bug 591188

Summary: Please apply fix for GNUTLS-SA-2006-2.
Product: Red Hat Enterprise Linux 5
Component: gnutls
Version: 5.4
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Keywords: Security
Target Milestone: rc
Reporter: Enrico Scholz <rh-bugzilla>
Assignee: Tomas Mraz <tmraz>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: thoger
Fixed In Version: gnutls-1.4.1-7.el5_8.1
Doc Type: Bug Fix
Last Closed: 2012-03-15 10:59:27 UTC
Bug Blocks: 595229

Description Enrico Scholz 2010-05-11 15:56:17 UTC
Description of problem:

While verifying client certificates with sha512 hashes I get segfaults like

==7286== Invalid read of size 1
==7286==    at 0x4A06794: strcmp (mc_replace_strmem.c:341)
==7286==    by 0x4C309C5: _gnutls_x509_oid2mac_algorithm (gnutls_algorithms.c:573)
==7286==    by 0x4C5830A: verify_sig (verify.c:498)
==7286==    by 0x4C5850D: _gnutls_x509_verify_signature (verify.c:696)
==7286==    by 0x4C58D37: _gnutls_verify_certificate2 (verify.c:295)
==7286==    by 0x4C5911F: gnutls_x509_crt_list_verify (verify.c:401)
==7286==    by 0x4C470AB: _gnutls_x509_cert_verify_peers (gnutls_x509.c:179)
==7286==    by 0x402DAA: ssl_server (ssl-server.c:520)
==7286==    by 0x403C77: main (ssl-server.c:820)
==7286==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==7286== 
==7286== Process terminating with default action of signal 11 (SIGSEGV)
==7286==  Access not within mapped region at address 0x0
==7286==    at 0x4A06794: strcmp (mc_replace_strmem.c:341)
==7286==    by 0x4C309C5: _gnutls_x509_oid2mac_algorithm (gnutls_algorithms.c:573)
==7286==    by 0x4C5830A: verify_sig (verify.c:498)
==7286==    by 0x4C5850D: _gnutls_x509_verify_signature (verify.c:696)
==7286==    by 0x4C58D37: _gnutls_verify_certificate2 (verify.c:295)
==7286==    by 0x4C5911F: gnutls_x509_crt_list_verify (verify.c:401)
==7286==    by 0x4C470AB: _gnutls_x509_cert_verify_peers (gnutls_x509.c:179)
==7286==    by 0x402DAA: ssl_server (ssl-server.c:520)
==7286==    by 0x403C77: main (ssl-server.c:820)


This issue seems to be described in http://lists.gnupg.org/pipermail/gnutls-dev/2006-August/001190.html and solved in gnutls-1.4.2.

Practically, this allows DoS attacks against gnutls-based servers by providing client certificates with unsupported algorithms (e.g. sha256 or sha512).


Version-Release number of selected component (if applicable):


How reproducible:

gnutls-1.4.1-3.el5_4.8
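
Added example, not part of the original report and not GnuTLS source: a constructed C model of the failure class the trace above shows (strcmp reaching address 0x0 inside an OID-to-digest lookup), beside a guarded form that reports "unknown" instead. The table, the function names and the assumption that the NULL comes from a table entry without an OID are illustrative.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of an OID -> digest lookup; not GnuTLS source. */
typedef enum { MAC_UNKNOWN = 0, MAC_MD5, MAC_SHA1, MAC_SHA512 } mac_id;

struct mac_entry {
    const char *name;
    const char *oid;   /* assumed: NULL when no OID is registered */
    mac_id id;
};

static const struct mac_entry mac_table[] = {
    { "MD5",    "1.2.840.113549.2.5", MAC_MD5 },
    { "SHA1",   "1.3.14.3.2.26",      MAC_SHA1 },
    { "SHA512", NULL,                 MAC_SHA512 },  /* constructed gap */
    { NULL,     NULL,                 MAC_UNKNOWN }  /* terminator */
};

/* Unsafe form: strcmp() dereferences a NULL on either side, giving the
 * "Invalid read of size 1 ... Address 0x0" pattern. Not called here. */
mac_id oid2mac_unsafe(const char *oid)
{
    const struct mac_entry *p;
    for (p = mac_table; p->name != NULL; p++)
        if (strcmp(oid, p->oid) == 0)
            return p->id;
    return MAC_UNKNOWN;
}

/* Guarded form: a NULL input or NULL table OID is never compared. */
mac_id oid2mac_safe(const char *oid)
{
    const struct mac_entry *p;
    if (oid == NULL)
        return MAC_UNKNOWN;
    for (p = mac_table; p->name != NULL; p++)
        if (p->oid != NULL && strcmp(oid, p->oid) == 0)
            return p->id;
    return MAC_UNKNOWN;
}

/* Caller model: an unknown digest is a verification error, not a crash. */
int verify_sig_model(const char *sig_digest_oid)
{
    return oid2mac_safe(sig_digest_oid) == MAC_UNKNOWN ? -1 : 0;
}
```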

Comment 3 RHEL Program Management 2010-12-07 09:45:42 UTC
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.6 and Red Hat does not plan to fix this issue in the currently developed update.

Contact your manager or support representative in case you need to escalate this bug.

Comment 4 Ludek Smid 2011-06-06 09:00:34 UTC
This request was evaluated by Red Hat Product Management for inclusion in Red
Hat Enterprise Linux 5.7 and Red Hat does not plan to fix this issue in the
currently developed update.

Contact your manager or support representative in case you need to escalate
this bug.

Comment 5 RHEL Program Management 2012-01-09 14:05:29 UTC
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.8 and Red Hat does not plan to fix this issue in the currently developed update.

Contact your manager or support representative in case you need to escalate this bug.