Bug 1343505 (CVE-2016-4456) - CVE-2016-4456 gnutls: Environment variable GNUTLS_KEYLOGFILE is obtained via insecure getenv()
Summary: CVE-2016-4456 gnutls: Environment variable GNUTLS_KEYLOGFILE is obtained via ...
Alias: CVE-2016-4456
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
: 1343342 (view as bug list)
Depends On: 1343508
TreeView+ depends on / blocked
Reported: 2016-06-07 12:00 UTC by Adam Mariš
Modified: 2021-02-17 03:45 UTC (History)
19 users (show)

Fixed In Version: gnutls 3.4.13
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-09-13 12:40:42 UTC

Attachments (Terms of Use)

Description Adam Mariš 2016-06-07 12:00:20 UTC
It was reported that gnutls 3.4.12 uses an environment variable (GNUTLS_KEYLOGFILE) to write the keys of the running sessions. This variable is obtained insecurely via getenv(), meaning that any set-uid program using gnutls can be used to overwrite any file on the filesystem.

Upstream patch:


External References:


Comment 1 Adam Mariš 2016-06-07 12:00:39 UTC

Name: Nikos Mavrogiannopoulos (Red Hat)

Comment 2 Adam Mariš 2016-06-07 12:01:01 UTC
Created gnutls tracking bugs for this issue:

Affects: fedora-23 [bug 1343508]

Comment 3 Adam Mariš 2016-06-07 12:01:38 UTC
*** Bug 1343342 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2016-06-08 22:52:31 UTC
gnutls-3.4.13-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-06-18 18:39:22 UTC
gnutls-3.4.13-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Tomas Hoger 2018-09-13 07:53:40 UTC
Quoting more detailed description from the upstream advisory:

Setuid programs using GnuTLS 3.4.12 could potentially allow an attacker to overwrite and corrupt arbitrary files in the filesystem. This issue was introduced in GnuTLS 3.4.12 with the GNUTLS_KEYLOGFILE environment variable handling via getenv() and fixed in GnuTLS 3.4.13 by switching to secure_getenv() where available. Recommendation: Upgrade to GnuTLS 3.4.13, or later versions.


Comment 10 Tomas Hoger 2018-09-13 12:40:42 UTC
Note that changes to use secure_getenv() instead of getenv() were also applied to GnuTLS 3.3 in version 3.3.24:


Those changes are not believed to have any security impact.

Note You need to log in before you can comment on or make changes to this bug.