Red Hat Bugzilla – Bug 498423
CVE-2009-1415 gnutls: Double free and free of invalid pointer on certain errors [GNUTLS-SA-2009-1]
Last modified: 2009-09-18 15:57:30 EDT
Quoting upstream security advisory:
Miroslav Kratochvil reported that he was able to crash libgnutls
when experimenting with (corrupt) DSA keys. The client crashes when
verifying invalid DSA signatures provided by the remote server when
using a DSA ciphersuite. The code that crashes is also used for
verifying DSA signatures in X.509 Certificates, and for verifying
RSA/DSA signatures in OpenPGP keys.
Only GnuTLS 2.6.x is affected. GnuTLS 2.4.x and earlier did not
contain the buggy code.
Fixed upstream in 2.6.6:
This issue did not affect versions of gnutls shipped in Red Hat Enterprise Linux 4 and 5, and Fedora up to version 10, as they are based on upstream versions prior to 2.6. gnutls 2.6.x is currently in F11/Rawhide; mingw32-gnutls, based on an upstream 2.6.x version, is in F10 too.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1415 to
the following vulnerability:
Reference: MLIST:[gnutls-devel] 20090423 Re: some crashes on using DSA keys
Reference: URL: http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3502
Reference: MLIST:[gnutls-devel] 20090430 Double free and free of invalid pointer on certain errors [GNUTLS-SA-2009-1] [CVE-2009-1415]
Reference: URL: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3515
Reference: CONFIRM: http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3488
Reference: URL: http://secunia.com/advisories/34842
lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not
properly handle invalid DSA signatures, which allows remote attackers
to cause a denial of service (application crash) and possibly have
unspecified other impact via a malformed DSA key that triggers a (1)
free of an uninitialized pointer or (2) double free.
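The CVE text above names two failure modes in the error path of the DSA verification code: a free of a pointer that was never initialised, and a double free. The C block below is an added illustration of that bug class next to its usual fix; it is not GnuTLS's pk-libgcrypt.c or any other project code. The 8-byte signature layout, the pool-backed mpi_t stand-in for a bignum, the demo group order DEMO_Q, the GARBAGE seed value and the sample signatures are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a bignum library (libgcrypt's gcry_mpi_t in the real
 * code).  Objects live in a static pool so that releasing a pointer which is not
 * currently allocated is counted instead of corrupting the heap. */
typedef struct { uint32_t value; int in_use; } mpi_t;
#define POOL_SIZE 8
static mpi_t pool[POOL_SIZE];
static int live_objects = 0;   /* MPIs currently allocated */
static int bad_releases = 0;   /* releases of a pointer that was not live */

static mpi_t *mpi_new(uint32_t v) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; pool[i].value = v; live_objects++; return &pool[i]; }
    return NULL;
}
static int mpi_is_live(const mpi_t *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)pool, hi = (uintptr_t)(pool + POOL_SIZE);
    return a >= lo && a < hi && (a - lo) % sizeof(mpi_t) == 0 && p->in_use;
}
/* Like gcry_mpi_release(): NULL is a no-op, anything else must be live.  On a
 * real heap the "bad" branch is a double free or a free of stack garbage. */
static void mpi_release(mpi_t *p) {
    if (p == NULL) return;
    if (!mpi_is_live(p)) { bad_releases++; return; }
    p->in_use = 0; live_objects--;
}
static void reset_pool(void) {
    for (int i = 0; i < POOL_SIZE; i++) pool[i].in_use = 0;
    live_objects = bad_releases = 0;
}

/* Constructed signature format: r and s as two 4-byte big-endian integers.
 * DSA requires 0 < r, s < q, so a zero or out-of-range component is invalid.
 * On failure nothing is allocated and *out is left untouched. */
#define SIG_LEN 8
#define DEMO_Q  0xFFFFFFF1u   /* pretend group order, an assumption for the demo */
static int decode_component(const uint8_t *b, mpi_t **out) {
    uint32_t v = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    if (v == 0 || v >= DEMO_Q) return -1;
    *out = mpi_new(v);
    return *out ? 0 : -1;
}

/* Vulnerable shape.  In the real bug r and s were simply uninitialised; here they
 * are seeded with a recognisable garbage pointer so the run is deterministic and
 * the tracked mpi_release can refuse it instead of crashing. */
#define GARBAGE ((mpi_t *)(uintptr_t)0xdeadbeef)
static int verify_sig_buggy(const uint8_t *sig, size_t len) {
    mpi_t *r = GARBAGE, *s = GARBAGE;
    int ret = -1;
    if (len != SIG_LEN) goto cleanup;                  /* (1): r and s never assigned */
    if (decode_component(sig, &r) < 0) goto cleanup;   /* (1): s never assigned */
    if (decode_component(sig + 4, &s) < 0) {
        mpi_release(r);                                /* (2): released here ... */
        goto cleanup;
    }
    ret = 0;   /* components in range; real code continues with the modular check */
cleanup:
    mpi_release(r);                                    /* (2): ... and again here */
    mpi_release(s);
    return ret;
}

/* Hardened shape: every MPI starts as NULL, is released exactly once through a
 * helper that nulls it, and no error branch does its own partial cleanup. */
static void mpi_release_clear(mpi_t **pp) { mpi_release(*pp); *pp = NULL; }
static int verify_sig_fixed(const uint8_t *sig, size_t len) {
    mpi_t *r = NULL, *s = NULL;
    int ret = -1;
    if (len != SIG_LEN) goto cleanup;
    if (decode_component(sig, &r) < 0) goto cleanup;
    if (decode_component(sig + 4, &s) < 0) goto cleanup;
    ret = 0;
cleanup:
    mpi_release_clear(&r);   /* safe on every path: NULL is a no-op */
    mpi_release_clear(&s);
    return ret;
}

/* Instrumented runs: releases that hit a non-live pointer, and MPIs left allocated. */
typedef int (*verify_fn)(const uint8_t *, size_t);
static int releases_gone_wrong(verify_fn f, const uint8_t *sig, size_t len) { reset_pool(); f(sig, len); return bad_releases; }
static int objects_leaked(verify_fn f, const uint8_t *sig, size_t len) { reset_pool(); f(sig, len); return live_objects; }

/* Constructed inputs, not taken from the advisory. */
static const uint8_t SIG_OK[SIG_LEN]     = {0,0,0,0x11, 0,0,0,0x22};
static const uint8_t SIG_ZERO_S[SIG_LEN] = {0,0,0,0x11, 0,0,0,0};   /* s == 0: invalid */
static const uint8_t SIG_SHORT[3]        = {1, 2, 3};

int main(void) {
    printf("buggy: %d bad releases on s=0, %d on a short signature\n",
           releases_gone_wrong(verify_sig_buggy, SIG_ZERO_S, SIG_LEN),
           releases_gone_wrong(verify_sig_buggy, SIG_SHORT, sizeof SIG_SHORT));
    printf("fixed: %d bad releases on s=0, %d on a short signature\n",
           releases_gone_wrong(verify_sig_fixed, SIG_ZERO_S, SIG_LEN),
           releases_gone_wrong(verify_sig_fixed, SIG_SHORT, sizeof SIG_SHORT));
    return 0;
}
```

Build with `cc -Wall -o sigdemo sigdemo.c && ./sigdemo`. The pool-backed release only counts what would be undefined behaviour on a real heap; in a real code base the same two paths are found by running the verifier under AddressSanitizer or valgrind with a corrupt signature. The hardening rule the fixed version follows is the general one for this bug class: initialise every owned pointer to NULL, release through a helper that clears it, and keep a single cleanup label so no error branch frees on its own.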
Fedora 11 contains gnutls-2.6.6-1.fc11, so there is nothing actually vulnerable to this issue.