Red Hat Bugzilla – Bug 1022913
CVE-2013-4466 gnutls: dane_query_tlsa() buffer overflow (GNUTLS-SA-2013-3)
Last modified: 2015-08-24 15:47:19 EDT
Upstream GnuTLS versions 3.1.15 and 3.2.5 correct a buffer overflow in the dane_query_tlsa() function used to parse DANE (DNS-based Authentication of Named Entities) DNS records. The function parses the DNS server reply into a dane_query_st / dane_query_t struct which can hold up to 4 entries, but the function failed to check this and allowed parsing more than 4 entries from the reply, resulting in a buffer overflow.
An application using DANE protocol to verify certificates could crash or, possibly, execute arbitrary code when parsing a response from a malicious DNS server.
Announcements of 3.1.15 and 3.2.5 versions:
Upstream commits (master and 3.1 branch):
DANE support was introduced upstream in version 3.1.3.
mingw-gnutls packages in Fedora (19+) currently use GnuTLS version with DANE support, but it's not compiled in because of missing unbound. Excerpt from build.log:
checking whether to build libdane... yes
checking for unbound library... no
*** libunbound was not found. Libdane will not be built.
Hence those packages are not affected.
Created gnutls tracking bugs for this issue:
Affects: fedora-all [bug 1022926]
Upstream advisory id is GNUTLS-SA-2013-3:
gnutls-3.1.15-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for DANE protocol.
New GnuTLS versions 3.1.16 and 3.2.6 correct off-by-one bug in the original fix, found by Tomas Mraz:
Commits in upstream git (master and 3.1 branch):
(In reply to Tomas Hoger from comment #7)
> New GnuTLS versions 3.1.16 and 3.2.6 correct off-by-one bug in the original
This problem got a new CVE, CVE-2013-4487, tracked via bug 1025637.
gnutls-3.1.16-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
gnutls-3.1.16-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
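The capacity check described in the report, and the boundary case that an off-by-one in such a check gets wrong, as an added C example that is not GnuTLS code and not part of this bug report. `tlsa_table`, `parse_tlsa` and `parsed_count` are hypothetical names, and rejecting an oversized reply instead of truncating it is this example's choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ENTRIES 4  /* capacity of the result struct, per the bug report */

/* Hypothetical stand-in for dane_query_st: a fixed-capacity table. */
struct tlsa_table {
    unsigned int count;
    uint8_t usage[MAX_ENTRIES], selector[MAX_ENTRIES], match[MAX_ENTRIES];
    const uint8_t *data[MAX_ENTRIES];
    size_t data_len[MAX_ENTRIES];
};

/* Parse n TLSA rdata blobs (usage, selector, matching type, then data).
 * Returns 0 on success, -1 if the reply has more records than the table
 * holds, -2 on a truncated record. On error, count is reset to 0. */
int parse_tlsa(const uint8_t *const *rdata, const size_t *len, size_t n,
               struct tlsa_table *out)
{
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < n; i++) {
        /* Check before writing. Valid slots are 0..MAX_ENTRIES-1, so the
         * comparison is '>='; '>' would still allow one write past the end. */
        if (out->count >= MAX_ENTRIES) { out->count = 0; return -1; }
        if (len[i] <= 3) { out->count = 0; return -2; }
        unsigned int k = out->count++;
        out->usage[k] = rdata[i][0];
        out->selector[k] = rdata[i][1];
        out->match[k] = rdata[i][2];
        out->data[k] = rdata[i] + 3;
        out->data_len[k] = len[i] - 3;
    }
    return 0;
}

/* Constructed input (not captured DNS data): n copies of one record,
 * each reclen bytes long. Returns the entry count or a negative error. */
int parsed_count(size_t n, size_t reclen)
{
    static const uint8_t rec[] = { 3, 1, 1, 0xAA, 0xBB };
    const uint8_t *rdata[8];
    size_t len[8];
    struct tlsa_table t;
    if (n > 8 || reclen > sizeof rec) return -3;
    for (size_t i = 0; i < n; i++) { rdata[i] = rec; len[i] = reclen; }
    int rc = parse_tlsa(rdata, len, n, &t);
    return rc < 0 ? rc : (int)t.count;
}
```
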