Bug 1065092 (CVE-2014-1959) - CVE-2014-1959 gnutls: incorrect handling of V1 intermediate certificates (GNUTLS-SA-2014-1)
Summary: CVE-2014-1959 gnutls: incorrect handling of V1 intermediate certificates (GNU...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-1959
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1065094 1065095 1065096 1066849
Blocks: 1065093
TreeView+ depends on / blocked
 
Reported: 2014-02-13 22:14 UTC by Vincent Danen
Modified: 2021-02-17 06:53 UTC (History)
12 users (show)

Fixed In Version: gnutls 3.1.21, gnutls 3.2.11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-03 10:11:35 UTC
Embargoed:

Attachments (Terms of Use)

Description Vincent Danen 2014-02-13 22:14:49 UTC 
It was reported [1] that a version 1 intermediate certificate would be considered as a CA certificate by GnuTLS by default.  This certificate verification behaviour deviates from the documented behaviour.

Upstream notes that this only affects individuals or organizations who have a CA that issues X.509 version 1 certificates in their trusted list.

This has been fixed upstream [2] in version 3.1.21 and 3.2.11.

At a quick look at the code of GnuTLS 2.8.5, it is affected.  1.4.1 looks affected to me as well.


[1] http://www.gnutls.org/security.html
[2] https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18
Comment 1 Vincent Danen 2014-02-13 22:21:52 UTC 
Created mingw-gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1065096]
Comment 2 Vincent Danen 2014-02-13 22:21:55 UTC 
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1065094]
Comment 3 Vincent Danen 2014-02-13 22:21:57 UTC 
Created mingw32-gnutls tracking bugs for this issue:

Affects: epel-5 [bug 1065095]
Comment 4 Nikos Mavrogiannopoulos 2014-02-14 08:33:10 UTC 
(In reply to Vincent Danen from comment #0)
> At a quick look at the code of GnuTLS 2.8.5, it is affected.  1.4.1 looks
> affected to me as well.

The issue was introduced when v1 root certificates were allowed by default (2.11.5). Thus gnutls 2.8.5 or earlier are not affected since they do not allow X.509 v1 certificates by default.
Comment 5 Tomas Hoger 2014-02-14 13:19:26 UTC 
Nikos, do you have any certificates that can easily be used to test this?  Possibly something in the upstream test suite you'd recommend looking at?
Comment 6 Nikos Mavrogiannopoulos 2014-02-15 14:41:19 UTC 
I use the chain:
https://gitorious.org/gnutls/gnutls/source/bd4ba0556de1120adfa1ce10caaeeaead49b323a:tests/chainverify.c#L52

It is a list of 3 certificates with a CA of version 1 as intermediate.
Comment 7 Fedora Update System 2014-02-17 21:09:13 UTC 
gnutls-3.1.20-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2014-02-22 00:53:10 UTC 
gnutls-3.1.20-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2014-02-24 12:28:46 UTC 
mingw-gnutls-3.1.21-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2014-02-24 12:35:54 UTC 
mingw-gnutls-3.1.21-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Tomas Hoger 2014-03-03 10:11:35 UTC 
As mentioned in comment 11, this problem was introduced in upstream version 2.11.5.  Therefore this did not affect gnutls packages as shipped with Red Hat Enterprise Linux 5 and 6.

However, GnuTLS versions before 2.7.6 contained a different bug that had similar effect of making GnuTLS accept version 1 certificates as valid intermediate CA certificates when using default verification flags.  That issue was assigned a different id CVE-2009-5138 and is tracked via bug 1069301.

Statement:

Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 5 and 6.
Note You need to log in before you can comment on or make changes to this bug.