Bug 1065092 - (CVE-2014-1959) CVE-2014-1959 gnutls: incorrect handling of V1 intermediate certificates (GNUTLS-SA-2014-1)
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20140212,repor...
Keywords: Security
Depends On: 1065094 1065095 1065096 1066849
Blocks: 1065093
Reported: 2014-02-13 17:14 EST by Vincent Danen
Modified: 2015-10-15 14:14 EDT
Fixed In Version: gnutls 3.1.21, gnutls 3.2.11
Doc Type: Bug Fix
Last Closed: 2014-03-03 05:11:35 EST
Description Vincent Danen 2014-02-13 17:14:49 EST
It was reported [1] that a version 1 intermediate certificate would be considered a CA certificate by GnuTLS by default.  This certificate verification behaviour deviates from the documented behaviour.

Upstream notes that this only affects individuals or organizations who have a CA that issues X.509 version 1 certificates in their trusted list.

This has been fixed upstream [2] in versions 3.1.21 and 3.2.11.

At a quick look at the code of GnuTLS 2.8.5, it is affected.  1.4.1 looks affected to me as well.
[1] http://www.gnutls.org/security.html
[2] https://www.gitorious.org/gnutls/gnutls/commit/b1abfe3d18
Comment 1 Vincent Danen 2014-02-13 17:21:52 EST
Created mingw-gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1065096]
Comment 2 Vincent Danen 2014-02-13 17:21:55 EST
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1065094]
Comment 3 Vincent Danen 2014-02-13 17:21:57 EST
Created mingw32-gnutls tracking bugs for this issue:

Affects: epel-5 [bug 1065095]
Comment 4 Nikos Mavrogiannopoulos 2014-02-14 03:33:10 EST
(In reply to Vincent Danen from comment #0)
> At a quick look at the code of GnuTLS 2.8.5, it is affected.  1.4.1 looks
> affected to me as well.

The issue was introduced when v1 root certificates were allowed by default (2.11.5). Thus gnutls 2.8.5 or earlier are not affected since they do not allow X.509 v1 certificates by default.
Comment 5 Tomas Hoger 2014-02-14 08:19:26 EST
Nikos, do you have any certificates that can easily be used to test this?  Possibly something in the upstream test suite you'd recommend looking at?
Comment 6 Nikos Mavrogiannopoulos 2014-02-15 09:41:19 EST
I use the chain:
https://gitorious.org/gnutls/gnutls/source/bd4ba0556de1120adfa1ce10caaeeaead49b323a:tests/chainverify.c#L52

It is a list of 3 certificates with a CA of version 1 as intermediate.
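The condition the description and comment 6 describe, a chain whose intermediate CA is a version 1 certificate, can be checked for independently of the TLS library. The block below is an added example, not code from GnuTLS or from this bug; it walks only the DER fields it needs, the certificates it builds are constructed skeletons (version and serial only, not real certificates), and it assumes, from the report, that the documented default accepts a v1 trust anchor but not a v1 intermediate.

```python
# Added example, not GnuTLS code: flag X.509 v1 certificates used as intermediates.
# Pure stdlib; the "certificates" are constructed skeletons with only version and serial.

def _der(tag, body):
    """Encode one DER TLV; short-form length is enough for the skeletons."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _skeleton_cert(version):
    """Constructed stand-in: Certificate SEQUENCE { tbsCertificate SEQUENCE {...} }.
    version is [0] EXPLICIT INTEGER DEFAULT v1(0), so a v1 certificate omits
    the [0] element entirely, which is what x509_version() keys on."""
    tbs = b""
    if version > 1:
        tbs += _der(0xA0, _der(0x02, bytes([version - 1])))
    tbs += _der(0x02, b"\x01")  # serialNumber (constructed value)
    return _der(0x30, _der(0x30, tbs))

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def x509_version(cert_der):
    """Return 1, 2 or 3 for a DER-encoded certificate."""
    tag, start, _ = _read_tlv(cert_der, 0)           # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs_start, _ = _read_tlv(cert_der, start)   # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, _ = _read_tlv(cert_der, tbs_start)  # first TBS element
    if tag != 0xA0:                                  # no [0] means DEFAULT v1
        return 1
    itag, istart, iend = _read_tlv(cert_der, vstart)
    if itag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(cert_der[istart:iend], "big") + 1

def v1_intermediates(chain_der):
    """chain_der is leaf first, trust anchor last. Return indexes of v1
    certificates between the two: the case a fixed GnuTLS rejects by default,
    while a v1 trust anchor stays accepted (assumed from the report)."""
    return [i for i in range(1, len(chain_der) - 1) if x509_version(chain_der[i]) == 1]

if __name__ == "__main__":
    chain = [_skeleton_cert(3), _skeleton_cert(1), _skeleton_cert(1)]  # leaf, v1 CA, v1 root
    print("v1 intermediates at positions:", v1_intermediates(chain))  # [1]
```

Running the same check over a real chain means replacing the skeletons with the DER bytes of each certificate; the parser only reads the leading TBS elements, so certificate size does not matter.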
Comment 7 Fedora Update System 2014-02-17 16:09:13 EST
gnutls-3.1.20-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2014-02-21 19:53:10 EST
gnutls-3.1.20-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2014-02-24 07:28:46 EST
mingw-gnutls-3.1.21-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2014-02-24 07:35:54 EST
mingw-gnutls-3.1.21-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Tomas Hoger 2014-03-03 05:11:35 EST
As mentioned in comment 11, this problem was introduced in upstream version 2.11.5.  Therefore this did not affect gnutls packages as shipped with Red Hat Enterprise Linux 5 and 6.

However, GnuTLS versions before 2.7.6 contained a different bug that had a similar effect of making GnuTLS accept version 1 certificates as valid intermediate CA certificates when using default verification flags.  That issue was assigned a different ID, CVE-2009-5138, and is tracked via bug 1069301.

Statement:

Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 5 and 6.