Bug 498423 - (CVE-2009-1415) CVE-2009-1415 gnutls: Double free and free of invalid pointer on certain errors [GNUTLS-SA-2009-1]
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium; Severity: medium
Assigned To: Red Hat Product Security
URL: http://article.gmane.org/gmane.comp.e...
Whiteboard: source=vendorsec,reported=20090423,pu...
Keywords: Security
Reported: 2009-04-30 08:41 EDT by Tomas Hoger
Modified: 2009-09-18 15:57 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-18 15:57:30 EDT

Description Tomas Hoger 2009-04-30 08:41:43 EDT
Quoting upstream security advisory:
  http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3515

  Miroslav Kratochvil reported that he was able to crash libgnutls
  when experimenting with (corrupt) DSA keys.  The client crashes when
  verifying invalid DSA signatures provided by the remote server when
  using a DSA ciphersuite.  The code that crashes is also used for
  verifying DSA signatures in X.509 Certificates, and for verifying
  RSA/DSA signatures in OpenPGP keys.

  Only GnuTLS 2.6.x is affected.  GnuTLS 2.4.x and earlier did not
  contain the buggy code.

Fixed upstream in 2.6.6:
  http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3514
Comment 1 Tomas Hoger 2009-04-30 08:48:32 EDT
This issue did not affect versions of gnutls shipped in Red Hat Enterprise Linux 4 and 5, and Fedora up to version 10, as they are based on upstream versions prior to 2.6.  gnutls 2.6.x is currently in F11/Rawhide; mingw32-gnutls, based on an upstream 2.6.x version, is in F10 too.
Comment 2 Vincent Danen 2009-05-01 12:52:50 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1415 to
the following vulnerability:

Name: CVE-2009-1415
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415
Assigned: 20090424
Reference: MLIST:[gnutls-devel] 20090423 Re: some crashes on using DSA keys
Reference: URL: http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3502
Reference: MLIST:[gnutls-devel] 20090430 Double free and free of invalid pointer on certain errors [GNUTLS-SA-2009-1] [CVE-2009-1415]
Reference: URL: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3515
Reference: CONFIRM: http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3488
Reference: SECUNIA:34842
Reference: URL: http://secunia.com/advisories/34842

lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not
properly handle invalid DSA signatures, which allows remote attackers
to cause a denial of service (application crash) and possibly have
unspecified other impact via a malformed DSA key that triggers a (1)
free of an uninitialized pointer or (2) double free.
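The CVE text names two defect classes on a signature-decoding error path: a free of an uninitialized pointer and a double free. The C program below is added here as an illustration; it is not GnuTLS code and does not reproduce lib/pk-libgcrypt.c. It decodes a hypothetical length-prefixed r/s signature format (constructed for the example, not the real DER encoding) twice: once with the fragile cleanup pattern that produces both defects, included for reading only and never executed, and once hardened so that every pointer starts as NULL, the release helper tolerates NULL, and each pointer is reset after release, which makes a single cleanup label safe on every path. The allocation counter and the sample inputs are likewise constructed for the example.

```c
/* Added example, not GnuTLS code: error-path cleanup patterns behind
 * "free of an uninitialized pointer" and "double free" defects, shown
 * in a hypothetical signature-component decoder. The wire format
 * (1-byte length of r, r bytes, 1-byte length of s, s bytes), the
 * allocation counters and the sample inputs are all constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIG_OK          0
#define SIG_ERR_DECODE (-1)

/* Instrumented allocator so a caller can confirm that every allocation
 * is released exactly once on every path. */
static int live_allocs = 0;

static unsigned char *mpi_new(const unsigned char *src, size_t len) {
    unsigned char *p = malloc(len);
    if (p) { memcpy(p, src, len); live_allocs++; }
    return p;
}

static void mpi_release(unsigned char *p) {
    if (p) { free(p); live_allocs--; }   /* NULL-safe by design */
}

int allocations_balanced(void) { return live_allocs == 0; }

/* FRAGILE PATTERN (for reading only; never called): r and s are not
 * initialized, and the s-decode failure frees r before jumping to a
 * cleanup that frees it again. */
int verify_sig_fragile(const unsigned char *sig, size_t len) {
    unsigned char *r, *s;            /* garbage until assigned */
    size_t off;
    int rc = SIG_ERR_DECODE;

    if (len < 1 || sig[0] == 0 || (size_t)sig[0] + 1 > len)
        goto cleanup;                /* (1) r and s are still garbage here */
    r = mpi_new(sig + 1, sig[0]);
    off = 1 + sig[0];
    if (off >= len || sig[off] == 0 || off + 1 + (size_t)sig[off] > len) {
        mpi_release(r);              /* (2) released here ... */
        goto cleanup;                /* ... and again at cleanup */
    }
    s = mpi_new(sig + off + 1, sig[off]);
    rc = SIG_OK;
cleanup:
    mpi_release(r);                  /* frees garbage on (1), double-frees on (2) */
    mpi_release(s);                  /* frees garbage on (1) and (2) */
    return rc;
}

/* HARDENED: pointers start NULL, release is NULL-safe, and each pointer
 * is reset right after release, so one cleanup label is safe on every
 * path, including failures before anything was allocated. */
int verify_sig_hardened(const unsigned char *sig, size_t len) {
    unsigned char *r = NULL, *s = NULL;
    size_t off;
    int rc = SIG_ERR_DECODE;

    if (len < 1 || sig[0] == 0 || (size_t)sig[0] + 1 > len)
        goto cleanup;                /* nothing allocated yet: releases are no-ops */
    r = mpi_new(sig + 1, sig[0]);
    if (!r) goto cleanup;
    off = 1 + sig[0];
    if (off >= len || sig[off] == 0 || off + 1 + (size_t)sig[off] > len)
        goto cleanup;                /* only r is live: released exactly once below */
    s = mpi_new(sig + off + 1, sig[off]);
    if (!s) goto cleanup;
    rc = SIG_OK;                     /* a real verifier would check r, s here */
cleanup:
    mpi_release(r); r = NULL;
    mpi_release(s); s = NULL;
    return rc;
}

/* Constructed inputs. */
static const unsigned char SIG_GOOD[]    = {2, 0xAA, 0xBB, 1, 0xCC}; /* r=2 bytes, s=1 byte */
static const unsigned char SIG_SHORT_R[] = {5, 0x01};               /* r claims 5 bytes, 1 present */
static const unsigned char SIG_NO_S[]    = {2, 0xAA, 0xBB};         /* r ok, s absent */

int main(void) {
    printf("good signature: %s\n",
           verify_sig_hardened(SIG_GOOD, sizeof SIG_GOOD) == SIG_OK ? "accepted" : "rejected");
    printf("truncated r:    %s\n",
           verify_sig_hardened(SIG_SHORT_R, sizeof SIG_SHORT_R) == SIG_OK ? "accepted" : "rejected");
    printf("missing s:      %s\n",
           verify_sig_hardened(SIG_NO_S, sizeof SIG_NO_S) == SIG_OK ? "accepted" : "rejected");
    printf("allocations balanced: %s\n", allocations_balanced() ? "yes" : "no");
    return 0;
}
```

The hardened decoder rejects each malformed input with a clean error and leaves the allocation counter at zero; the fragile one would, on the same inputs, pass garbage or an already-released pointer to free. Running a test like this under a memory checker (valgrind, AddressSanitizer) is the practical way to flag the fragile pattern before it ships.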
Comment 3 Vincent Danen 2009-09-18 15:57:30 EDT
Fedora 11 contains gnutls-2.6.6-1.fc11 so there is nothing actually vulnerable to this issue.
