Bug 803169 (CVE-2012-1663)

Summary: CVE-2012-1663 gnutls: double-free vulnerability in libgnutls 3.0.x
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jorton, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-14 04:32:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vincent Danen 2012-03-14 04:20:15 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-1663 to
the following vulnerability:

Name: CVE-2012-1663
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1663
Assigned: 20120313
Reference: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5866

Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows
remote attackers to cause a denial of service (application crash) or
possibly have unspecified other impact via a crafted certificate list.
Comment 1 Vincent Danen 2012-03-14 04:32:49 UTC 
While not noted, this flaw seems to only affect gnutls 3.0.x as the affected files are not part of gnutls 2.x, which is what we ship in Red Hat Enterprise Linux and Fedora.

The fix is here:

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=9c62f4feb2bdd6fbbb06eb0c60bfdea80d21bbb8

It looks as though the affected files (at least lib/gnutls_pcert.c were added here:

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=61d8cae724446a5f4531d20c285e186b9ba45b6d

and corresponds with this entry in the NEWS file:

 678 * Version 2.99.1 (released 2011-04-23)
...
 700 ** libgnutls: Added gnutls_certificate_set_retrieve_function2()
 701 to set a callback to retrieve a certificate. The certificate is
 702 received in a format that requires no processing from gnutls thus
 703 it is suitable when performance is required.

So would have been added in the 2.99.1 (pre-3.0 development?) release.


Statement:

Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 4, 5, or 6.