Bug 1343505 (CVE-2016-4456) - CVE-2016-4456 gnutls: Environment variable GNUTLS_KEYLOGFILE is obtained via insecure getenv()
Summary: CVE-2016-4456 gnutls: Environment variable GNUTLS_KEYLOGFILE is obtained via ...
Status: CLOSED NOTABUG
Alias: CVE-2016-4456
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160606,repor...
Keywords: Reopened, Security
: 1343342 (view as bug list)
Depends On: 1343508
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-06-07 12:00 UTC by Adam Mariš
Modified: 2018-09-13 12:40 UTC (History)
20 users (show)

Fixed In Version: gnutls 3.4.13
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-09-13 12:40:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Adam Mariš 2016-06-07 12:00:20 UTC
It was reported that gnutls 3.4.12 uses an environment variable (GNUTLS_KEYLOGFILE) to write the keys of the running sessions. This variable is obtained insecurely via getenv(), meaning that any set-uid program using gnutls can be used to overwrite any file on the filesystem.

Upstream patch:

https://gitlab.com/gnutls/gnutls/compare/fb2a6baef79f4aadfd95e657fe5a18da20a1410e...86076c9b17b9a32b348cafb8b724f57f7da64d58

External References:

http://gnutls.org/security.html#GNUTLS-SA-2016-1

Comment 1 Adam Mariš 2016-06-07 12:00:39 UTC
Acknowledgments:

Name: Nikos Mavrogiannopoulos (Red Hat)

Comment 2 Adam Mariš 2016-06-07 12:01:01 UTC
Created gnutls tracking bugs for this issue:

Affects: fedora-23 [bug 1343508]

Comment 3 Adam Mariš 2016-06-07 12:01:38 UTC
*** Bug 1343342 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2016-06-08 22:52:31 UTC
gnutls-3.4.13-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-06-18 18:39:22 UTC
gnutls-3.4.13-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Tomas Hoger 2018-09-13 07:53:40 UTC
Quoting more detailed description from the upstream advisory:

"""
Setuid programs using GnuTLS 3.4.12 could potentially allow an attacker to overwrite and corrupt arbitrary files in the filesystem. This issue was introduced in GnuTLS 3.4.12 with the GNUTLS_KEYLOGFILE environment variable handling via getenv() and fixed in GnuTLS 3.4.13 by switching to secure_getenv() where available. Recommendation: Upgrade to GnuTLS 3.4.13, or later versions.
"""

https://www.gnutls.org/security.html#GNUTLS-SA-2016-1

Comment 10 Tomas Hoger 2018-09-13 12:40:42 UTC
Note that changes to use secure_getenv() instead of getenv() were also applied to GnuTLS 3.3 in version 3.3.24:

https://gitlab.com/gnutls/gnutls/commit/b0a3048e56611a2deee4976aeba3b8c0740655a6

Those changes are not believed to have any security impact.


Note You need to log in before you can comment on or make changes to this bug.