Bug 1022913 - (CVE-2013-4466) CVE-2013-4466 gnutls: dane_query_tlsa() buffer overflow (GNUTLS-SA-2013-3)
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 1022925 1022926
Blocks: 1022917
Reported: 2013-10-24 05:19 EDT by Tomas Hoger
Modified: 2015-08-24 15:47 EDT (History)

Fixed In Version: gnutls 3.1.15, gnutls 3.2.5
Doc Type: Bug Fix
Last Closed: 2013-10-29 11:55:45 EDT

Description Tomas Hoger 2013-10-24 05:19:24 EDT
Upstream GnuTLS versions 3.1.15 and 3.2.5 correct a buffer overflow in the dane_query_tlsa() function used to parse DANE (DNS-based Authentication of Named Entities) DNS records.  The function parses the DNS server reply into a dane_query_st / dane_query_t struct which can hold up to 4 entries, but the function failed to check this and allowed parsing more than 4 entries from the reply, resulting in a buffer overflow.

An application using the DANE protocol to verify certificates could crash or, possibly, execute arbitrary code when parsing a response from a malicious DNS server.

Announcements of versions 3.1.15 and 3.2.5:

Upstream commits (master and 3.1 branch):

DANE support was introduced upstream in version 3.1.3.
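The bug class described in the report, as an added example that is not part of the bug report and not GnuTLS code: a simplified model of a TLSA parser that fills a result struct with room for four entries. The struct, function and field names here are this example's own; the input records are constructed, not a captured DNS response. The first parser reproduces the reported defect (no capacity check before indexing the array); the second adds the check, with the comparison written as `>=` because comment 8 below records that the first upstream fix had an off-by-one. It also rejects RDATA shorter than the three fixed one-byte fields of RFC 6698.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the result structure described in the report: room for at most
 * four TLSA entries.  All names here are this example's own, not GnuTLS's. */
#define MAX_TLSA_ENTRIES 4

struct tlsa_entry {
    uint8_t usage;          /* RFC 6698 certificate usage */
    uint8_t selector;       /* RFC 6698 selector */
    uint8_t mtype;          /* RFC 6698 matching type */
    const uint8_t *data;    /* certificate association data, inside the RDATA */
    size_t data_len;
};

struct tlsa_query {
    unsigned n_entries;
    struct tlsa_entry entries[MAX_TLSA_ENTRIES];
};

/* One TLSA RDATA blob as a resolver hands it back. */
struct rdata {
    const uint8_t *buf;
    size_t len;
};

/* Decode one RDATA into an entry.  Returns 0, or -1 if the RDATA is shorter
 * than the three fixed one-byte fields of RFC 6698. */
static int decode_entry(const struct rdata *rr, struct tlsa_entry *e)
{
    if (rr->len < 3)
        return -1;
    e->usage = rr->buf[0];
    e->selector = rr->buf[1];
    e->mtype = rr->buf[2];
    e->data = rr->buf + 3;
    e->data_len = rr->len - 3;
    return 0;
}

/* VULNERABLE model of the reported bug: every record in the reply is written
 * into the fixed array.  With more than MAX_TLSA_ENTRIES records the write to
 * entries[4] lands past the end of the struct (undefined behaviour).  A
 * malicious DNS server controls `nrr`, so never call this with untrusted input. */
int parse_tlsa_unchecked(const struct rdata *rr, size_t nrr, struct tlsa_query *out)
{
    out->n_entries = 0;
    for (size_t i = 0; i < nrr; i++) {
        /* no capacity check before indexing the array */
        if (decode_entry(&rr[i], &out->entries[out->n_entries]) < 0)
            return -1;
        out->n_entries++;
    }
    return (int)out->n_entries;
}

/* HARDENED: check the capacity before every write.  The comparison has to be
 * `>=` against the array size; written as `>` it would still let a fifth
 * entry through, the off-by-one that CVE-2013-4487 later fixed in the first
 * upstream patch.  Rejecting the whole reply is this example's choice; the
 * page does not say how upstream handles the extra records. */
int parse_tlsa_checked(const struct rdata *rr, size_t nrr, struct tlsa_query *out)
{
    out->n_entries = 0;
    for (size_t i = 0; i < nrr; i++) {
        if (out->n_entries >= MAX_TLSA_ENTRIES)
            return -2;                      /* more records than the struct holds */
        if (decode_entry(&rr[i], &out->entries[out->n_entries]) < 0)
            return -1;                      /* malformed RDATA */
        out->n_entries++;
    }
    return (int)out->n_entries;
}

/* Constructed sample input (not a captured DNS response): `nrr` records of
 * "3 1 1 <32-byte digest>", the digest filled with 0xA0+i so entries differ. */
static uint8_t sample_buf[8][35];

size_t build_sample_records(struct rdata *rr, size_t nrr)
{
    if (nrr > 8)
        nrr = 8;
    for (size_t i = 0; i < nrr; i++) {
        sample_buf[i][0] = 3;   /* DANE-EE */
        sample_buf[i][1] = 1;   /* SubjectPublicKeyInfo */
        sample_buf[i][2] = 1;   /* SHA-256 */
        memset(sample_buf[i] + 3, 0xA0 + (int)i, 32);
        rr[i].buf = sample_buf[i];
        rr[i].len = sizeof sample_buf[i];
    }
    return nrr;
}

int main(void)
{
    struct rdata rr[8];
    struct tlsa_query q;
    size_t nrr = build_sample_records(rr, 6);   /* two more than the struct holds */
    printf("checked parse of %zu records: %d (kept %u)\n",
           nrr, parse_tlsa_checked(rr, nrr, &q), q.n_entries);
    /* parse_tlsa_unchecked(rr, nrr, &q) here would write past entries[] */
    return 0;
}
```

With six records the checked parser stops after filling the four slots and returns -2; the unchecked one would have written two entries past the end of the array, which is the crash or code-execution outcome the description warns about.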
Comment 1 Tomas Hoger 2013-10-24 05:24:36 EDT
mingw-gnutls packages in Fedora (19+) currently use GnuTLS version with DANE support, but it's not compiled in because of missing unbound.  Excerpt from build.log:

checking whether to build libdane... yes
checking for unbound library... no
configure: WARNING:
*** libunbound was not found. Libdane will not be built.

Hence those packages are not affected.
Comment 3 Tomas Hoger 2013-10-24 05:35:59 EDT
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1022926]
Comment 4 Tomas Hoger 2013-10-25 02:49:58 EDT
Upstream advisory id is GNUTLS-SA-2013-3:
Comment 5 Fedora Update System 2013-10-28 23:34:34 EDT
gnutls-3.1.15-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Tomas Hoger 2013-10-29 11:55:21 EDT

Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for DANE protocol.
Comment 8 Tomas Hoger 2013-11-05 16:11:33 EST
(In reply to Tomas Hoger from comment #7)
> New GnuTLS versions 3.1.16 and 3.2.6 correct off-by-one bug in the original
> fix

This problem got new CVE CVE-2013-4487, tracked via bug 1025637.
Comment 9 Fedora Update System 2013-11-10 03:10:15 EST
gnutls-3.1.16-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-11-17 21:56:29 EST
gnutls-3.1.16-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
