Bug 796302
| Summary: | gnutls 2.12.14 leaks memory, needs an update | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Sam Varshavchik <mrsam> |
| Component: | gnutls | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 16 | CC: | jorton, security-response-team, tmraz |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | gnutls-2.12.14-2.fc16 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-03-26 03:57:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Sam Varshavchik
2012-02-22 16:25:31 UTC
Do you refer to tmp in _rsa_generate_params? It seems it was added in: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=d4a4643dbe1bd739e55706fa4affaf10aae1dfa9#patch3 but got broken shortly after: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=bab8c93bf9501e0eece9d99b491987c83b998e26#patch1 and does not seem fixed upstream in 2.12.x. Any good use case where keys are generated in long running process? Sounds more like a bug. I do see that it's still there in 2.12.x series. I looked at the wrong snapshot initially. Any server session that supports export-grade RSA calls gnutls_rsa_params_generate2(), which calls gnutls_x509_privkey_generate(). The use case here would be servers that support export-grade RSA and use a per-session set of RSA keys; rather than generating them once for their entire lifetime. That does not seem unreasonable. Quoting from: http://www.gnu.org/software/gnutls/manual/gnutls.html#Parameter-generation The ciphersuites that involve the RSA-EXPORT key exchange require additional parameters. Those ciphersuites are rarely used today because they are by design insecure, thus if you have no requirement for them, the rest of this section can be skipped. Export ciphers are disabled by default. Hence the impact still seems rather limited. We can report this to upstream privately, but it seems ok to report that via upstream devel list (I believe you already reported some other leak there recently). Once this issue is fixed upstream, we can push the fix to Fedora. Tomas M., do you agree? Yes, sure. I sent a mail with a patch to the upstream devel mailing list. And I decided to build a new package with the fix in rawhide. (In reply to comment #5) > I sent a mail with a patch to the upstream devel mailing list. http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5922 Looks like Sam managed to beat you by a bit: http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5921 At least I've added a few more leak fixes - albeit in error paths only. :) gnutls-2.12.14-2.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/gnutls-2.12.14-2.fc16 Package gnutls-2.12.14-2.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing gnutls-2.12.14-2.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-4578/gnutls-2.12.14-2.fc16 then log in and leave karma (feedback). gnutls-2.12.14-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. gnutls-2.12.14-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. |