gnutls-3.3.9-2.fc21.x86_64

$ valgrind --leak-check=full gnutls-cli www.facebook.com 443 < /dev/null
==27098== Memcheck, a memory error detector
==27098== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==27098== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==27098== Command: gnutls-cli www.facebook.com 443
==27098==
Processed 236 CA certificate(s).
Resolving 'www.facebook.com'...
Connecting to '2a03:2880:2110:cf07:face:b00c:0:1:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=US,ST=CA,L=Menlo Park,O=Facebook\, Inc.,CN=*.facebook.com', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', EC key 256 bits, signed using RSA-SHA1, activated `2014-08-28 00:00:00 UTC', expires `2015-10-28 12:00:00 UTC', SHA-1 fingerprint `45bfee628eec0ba06dfb860c865ffdb71502a541'
    Public Key ID:
        b686761919d18c2f4fe55554742a4eac51fc95f4
    Public key's random art:
        +--[ EC 256]----+
        | .+ .. .=O|
        | ..ooo .o+|
        | ...o+o..E|
        | .oo=... |
        | S+. . |
        | o +. |
        | o = |
        | . o |
        | |
        +-----------------+

- Certificate[1] info:
 - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance CA-3', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2008-04-02 12:00:00 UTC', expires `2022-04-03 00:00:00 UTC', SHA-1 fingerprint `42857855fb0ea43f54c9911e30e7791d8ce82705'
==27098== Conditional jump or move depends on uninitialised value(s)
==27098==    at 0x31C086C9B3: _gnutls_copy_data (common.c:1898)
==27098==    by 0x31C0890722: gnutls_x509_crt_get_subject_key_id (x509.c:838)
==27098==    by 0x31C086CCAB: _gnutls_check_valid_key_id (common.c:1982)
==27098==    by 0x31C085C109: check_found_cert (pkcs11.c:3124)
==27098==    by 0x31C085C109: find_cert_cb (pkcs11.c:3308)
==27098==    by 0x31C08602BD: _pkcs11_traverse_tokens (pkcs11.c:1162)
==27098==    by 0x31C0861180: gnutls_pkcs11_get_raw_issuer (pkcs11.c:3435)
==27098==    by 0x31C088ED24: _gnutls_pkcs11_verify_crt_status (verify.c:1128)
==27098==    by 0x31C08998FB: gnutls_x509_trust_list_verify_crt2 (verify-high.c:952)
==27098==    by 0x31C084CB6B: _gnutls_x509_cert_verify_peers (gnutls_x509.c:296)
==27098==    by 0x409808: cert_verify (common.c:325)
==27098==    by 0x4085E3: cert_verify_callback (cli.c:400)
==27098==    by 0x31C082E67B: run_verify_callback (gnutls_handshake.c:2649)
==27098==
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-128-CBC)-(SHA1)
- Session ID: E5:53:2A:10:36:CD:BE:FC:B0:F2:82:12:0A:FC:7A:A2:C4:83:37:D7:BA:14:5B:62:36:6E:E5:56:AF:BA:F1:54
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-ECDSA
- Server Signature: ECDSA-SHA256
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

==27098==
==27098== HEAP SUMMARY:
==27098==     in use at exit: 3,923,965 bytes in 38,440 blocks
==27098==   total heap usage: 261,486 allocs, 223,046 frees, 34,018,442 bytes allocated
==27098==
==27098== 294 bytes in 1 blocks are definitely lost in loss record 150 of 277
==27098==    at 0x4A06BCF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==27098==    by 0x31C0865D10: pkcs11_get_attribute_avalue (pkcs11_int.c:134)
==27098==    by 0x31C085BFDE: find_cert_cb (pkcs11.c:3316)
==27098==    by 0x31C08602BD: _pkcs11_traverse_tokens (pkcs11.c:1162)
==27098==    by 0x31C0861180: gnutls_pkcs11_get_raw_issuer (pkcs11.c:3435)
==27098==    by 0x31C088ED24: _gnutls_pkcs11_verify_crt_status (verify.c:1128)
==27098==    by 0x31C08998FB: gnutls_x509_trust_list_verify_crt2 (verify-high.c:952)
==27098==    by 0x31C084CB6B: _gnutls_x509_cert_verify_peers (gnutls_x509.c:296)
==27098==    by 0x409808: cert_verify (common.c:325)
==27098==    by 0x4085E3: cert_verify_callback (cli.c:400)
==27098==    by 0x31C082E67B: run_verify_callback (gnutls_handshake.c:2649)
==27098==    by 0x31C0832D83: handshake_client (gnutls_handshake.c:2743)
==27098==    by 0x31C0832D83: gnutls_handshake (gnutls_handshake.c:2553)
==27098==
==27098== LEAK SUMMARY:
==27098==    definitely lost: 294 bytes in 1 blocks
==27098==    indirectly lost: 0 bytes in 0 blocks
==27098==      possibly lost: 0 bytes in 0 blocks
==27098==    still reachable: 3,923,671 bytes in 38,439 blocks
==27098==         suppressed: 0 bytes in 0 blocks
==27098== Reachable blocks (those to which a pointer was found) are not shown.
==27098== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==27098==
==27098== For counts of detected and suppressed errors, rerun with: -v
==27098== Use --track-origins=yes to see where uninitialised values come from
==27098== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

Upstream patch solving the issue: https://gitorious.org/gnutls/gnutls/commit/02bea708d26266c0b8526badcb86bf207741ade7
gnutls-3.3.10-1.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/gnutls-3.3.10-1.fc21
Package gnutls-3.3.10-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-3.3.10-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-14734/gnutls-3.3.10-1.fc21
then log in and leave karma (feedback).
gnutls-3.3.10-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.