Bug 1343505 – CVE-2016-4456 gnutls: Environment variable GNUTLS_KEYLOGFILE is obtained via insecure getenv()

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1343505 - (CVE-2016-4456) CVE-2016-4456 gnutls: Environment variable GNUTLS_KEYLOGFILE is obtained via insecure getenv()

Summary:	CVE-2016-4456 gnutls: Environment variable GNUTLS_KEYLOGFILE is obtained via ...

Status:	CLOSED NOTABUG

Aliases:	CVE-2016-4456

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20160606,repor...
Keywords:	Reopened, Security

Duplicates:	1343342 (view as bug list)
Depends On:	1343508
Blocks:
	Show dependency tree / graph

Reported:	2016-06-07 08:00 EDT by Adam Mariš
Modified:	2018-09-13 08:40 EDT (History)
CC List:	20 users (show)

See Also:
Fixed In Version:	gnutls 3.4.13
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-09-13 08:40:42 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2016-06-07 08:00:20 EDT

It was reported that gnutls 3.4.12 uses an environment variable (GNUTLS_KEYLOGFILE) to write the keys of the running sessions. This variable is obtained insecurely via getenv(), meaning that any set-uid program using gnutls can be used to overwrite any file on the filesystem.

Upstream patch:

https://gitlab.com/gnutls/gnutls/compare/fb2a6baef79f4aadfd95e657fe5a18da20a1410e...86076c9b17b9a32b348cafb8b724f57f7da64d58

External References:

http://gnutls.org/security.html#GNUTLS-SA-2016-1

Comment 1 Adam Mariš 2016-06-07 08:00:39 EDT

Acknowledgments:

Name: Nikos Mavrogiannopoulos (Red Hat)

Comment 2 Adam Mariš 2016-06-07 08:01:01 EDT

Created gnutls tracking bugs for this issue:

Affects: fedora-23 [bug 1343508]

Comment 3 Adam Mariš 2016-06-07 08:01:38 EDT

*** Bug 1343342 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2016-06-08 18:52:31 EDT

gnutls-3.4.13-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-06-18 14:39:22 EDT

gnutls-3.4.13-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Tomas Hoger 2018-09-13 03:53:40 EDT

Quoting more detailed description from the upstream advisory:

"""
Setuid programs using GnuTLS 3.4.12 could potentially allow an attacker to overwrite and corrupt arbitrary files in the filesystem. This issue was introduced in GnuTLS 3.4.12 with the GNUTLS_KEYLOGFILE environment variable handling via getenv() and fixed in GnuTLS 3.4.13 by switching to secure_getenv() where available. Recommendation: Upgrade to GnuTLS 3.4.13, or later versions.
"""

https://www.gnutls.org/security.html#GNUTLS-SA-2016-1

Comment 10 Tomas Hoger 2018-09-13 08:40:42 EDT

Note that changes to use secure_getenv() instead of getenv() were also applied to GnuTLS 3.3 in version 3.3.24:

https://gitlab.com/gnutls/gnutls/commit/b0a3048e56611a2deee4976aeba3b8c0740655a6

Those changes are not believed to have any security impact.

Note You need to log in before you can comment on or make changes to this bug.

alonbl
bmcclain
carnil
cfergeau
dblechte
eedri
erik-fedora
gklein
lsurette
mgoldboi
michal.skrivanek
mike
mprpic
nmavrogi
rh-spice-bugs
rjones
sardella
srevivo
tmraz
ylavi