Bug 1022913 - (CVE-2013-4466) CVE-2013-4466 gnutls: dane_query_tlsa() buffer overflow (GNUTLS-SA-2013-3)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20131023,repor...
Keywords: Security
Depends On: 1022925 1022926
Blocks: 1022917
Reported: 2013-10-24 05:19 EDT by Tomas Hoger
Modified: 2015-08-24 15:47 EDT (History)
Fixed In Version: gnutls 3.1.15, gnutls 3.2.5
Doc Type: Bug Fix
Last Closed: 2013-10-29 11:55:45 EDT
Description Tomas Hoger 2013-10-24 05:19:24 EDT
Upstream GnuTLS versions 3.1.15 and 3.2.5 correct a buffer overflow in the dane_query_tlsa() function used to parse DANE (DNS-based Authentication of Named Entities) DNS records.  The function parses a DNS server reply into a dane_query_st / dane_query_t struct which can hold up to 4 entries, but the function failed to check this and allowed parsing more than 4 entries from the reply, resulting in a buffer overflow.

An application using the DANE protocol to verify certificates could crash or, possibly, execute arbitrary code when parsing a response from a malicious DNS server.

Announcements of 3.1.15 and 3.2.5 versions:
http://lists.gnutls.org/pipermail/gnutls-devel/2013-October/006511.html
http://lists.gnutls.org/pipermail/gnutls-devel/2013-October/006512.html

Upstream commits (master and 3.1 branch):
https://gitorious.org/gnutls/gnutls/commit/ed51e5e53cfbab3103d6b7b85b7ba4515e4f30c3
https://gitorious.org/gnutls/gnutls/commit/916deedf41604270ac398314809e8377476433db

DANE support was introduced upstream in version 3.1.3.
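The description above boils down to one missing bounds check: a reply is copied into a struct with room for 4 entries without first asking whether there is room. The following C model, added here as an illustration and not code from GnuTLS or this bug report, shows the defensive shape of such a parser. The struct layout, the function names (tlsa_parse_reply, tlsa_parse_rdata, tlsa_parse_constructed_reply), the error codes and the NULL-terminated parallel arrays used to model a resolver result are all assumptions of the example; only the 4-entry capacity and the TLSA RDATA header layout (usage, selector, matching type, association data) come from the report and RFC 6698.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed-capacity record set. The limit of 4 entries is the one the bug
 * report describes; the names and layout are a simplified, hypothetical
 * model and not GnuTLS's own code. */
#define TLSA_MAX_ENTRIES 4
#define TLSA_MAX_DATA    64   /* room for a SHA-512 association (64 bytes) */

enum { TLSA_OK = 0, TLSA_E_TOO_MANY = -1, TLSA_E_MALFORMED = -2 };

typedef struct {
    uint8_t usage, selector, mtype;   /* TLSA RDATA header octets */
    size_t  data_len;
    uint8_t data[TLSA_MAX_DATA];      /* certificate association data */
} tlsa_entry_t;

typedef struct {
    unsigned     entries;
    tlsa_entry_t entry[TLSA_MAX_ENTRIES];
} tlsa_set_t;

/* Parses one TLSA RDATA blob (RFC 6698 layout: usage, selector, matching
 * type, then association data). Rejects blobs that are too short or whose
 * association data would not fit the entry's buffer. */
static int tlsa_parse_rdata(const uint8_t *rd, size_t len, tlsa_entry_t *e)
{
    if (len < 3 || len - 3 > TLSA_MAX_DATA)
        return TLSA_E_MALFORMED;
    e->usage    = rd[0];
    e->selector = rd[1];
    e->mtype    = rd[2];
    e->data_len = len - 3;
    memcpy(e->data, rd + 3, e->data_len);
    return TLSA_OK;
}

/* The resolver result is modelled (an assumption of this example) as
 * parallel arrays of RDATA pointers and lengths terminated by a NULL
 * pointer. The reply's record count is attacker-controlled, so the
 * capacity is checked BEFORE every write. The vulnerable pattern is to
 * write entry[out->entries++] with no such check, so a reply carrying 5
 * or more records runs past the end of the array. The comparison must be
 * >=, so that the write is refused once the array is full; comment 8 of
 * the bug report notes that the first upstream fix itself carried an
 * off-by-one (CVE-2013-4487), which is the kind of mistake a > here
 * would be. */
int tlsa_parse_reply(const uint8_t *const *rdata, const size_t *rdata_len,
                     tlsa_set_t *out)
{
    memset(out, 0, sizeof(*out));
    for (size_t i = 0; rdata[i] != NULL; i++) {
        if (out->entries >= TLSA_MAX_ENTRIES)
            return TLSA_E_TOO_MANY;      /* reply larger than the struct */
        int rc = tlsa_parse_rdata(rdata[i], rdata_len[i],
                                  &out->entry[out->entries]);
        if (rc != TLSA_OK)
            return rc;                   /* leave a partially filled set */
        out->entries++;
    }
    return TLSA_OK;
}

/* Builds a constructed reply of n identical "3 1 1" TLSA records (usage 3,
 * selector 1, SHA-256; the 32 zero bytes stand in for a real digest) and
 * parses it, so the behaviour at and above the capacity limit can be
 * exercised without a resolver. n is capped at 8 by the sample buffers. */
int tlsa_parse_constructed_reply(size_t n, tlsa_set_t *out)
{
    static const uint8_t rec[3 + 32] = { 3, 1, 1 };
    const uint8_t *ptrs[9];
    size_t lens[9];
    if (n > 8)
        n = 8;
    for (size_t i = 0; i < n; i++) {
        ptrs[i] = rec;
        lens[i] = sizeof rec;
    }
    ptrs[n] = NULL;
    return tlsa_parse_reply(ptrs, lens, out);
}
```

A reply of exactly 4 records fills the set; a fifth record makes tlsa_parse_reply return TLSA_E_TOO_MANY with the first 4 entries intact instead of writing beyond entry[3]. Whether a caller should treat an over-full reply as a hard failure or just keep the first 4 records is a policy decision; what matters for memory safety is that the decision is taken before the write, not after it.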
Comment 1 Tomas Hoger 2013-10-24 05:24:36 EDT
mingw-gnutls packages in Fedora (19+) currently use a GnuTLS version with DANE support, but it's not compiled in because of missing unbound.  Excerpt from build.log:

checking whether to build libdane... yes
checking for unbound library... no
configure: WARNING:
***
*** libunbound was not found. Libdane will not be built.
***

Hence those packages are not affected.
Comment 3 Tomas Hoger 2013-10-24 05:35:59 EDT
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1022926]
Comment 4 Tomas Hoger 2013-10-25 02:49:58 EDT
Upstream advisory ID is GNUTLS-SA-2013-3:
http://www.gnutls.org/security.html#GNUTLS-SA-2013-3
Comment 5 Fedora Update System 2013-10-28 23:34:34 EDT
gnutls-3.1.15-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Tomas Hoger 2013-10-29 11:55:21 EDT
Statement:

Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for DANE protocol.
Comment 8 Tomas Hoger 2013-11-05 16:11:33 EST
(In reply to Tomas Hoger from comment #7)
> New GnuTLS versions 3.1.16 and 3.2.6 correct an off-by-one bug in the original
> fix

This problem got new CVE CVE-2013-4487, tracked via bug 1025637.
Comment 9 Fedora Update System 2013-11-10 03:10:15 EST
gnutls-3.1.16-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-11-17 21:56:29 EST
gnutls-3.1.16-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.