Bug 504791 - Fix checking of certificate activation/expiration times in gnutls (GNUTLS-SA-2009-3 / CVE-2009-1417)
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: gnutls
Version: 10
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL: http://article.gmane.org/gmane.comp.e...
Keywords: Security
Blocks: CVE-2009-1417

Reported: 2009-06-09 09:38 EDT by g.trentalancia
Modified: 2009-06-09 13:55 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-06-09 10:14:24 EDT

Attachments (Terms of Use)
Patched source RPM package (4.79 MB, application/x-rpm), 2009-06-09 09:38 EDT, g.trentalancia
Patched source RPM package (fix CVE/bug number) (4.79 MB, application/x-rpm), 2009-06-09 10:30 EDT, g.trentalancia
Final patched source RPM package (4.79 MB, application/x-rpm), 2009-06-09 13:55 EDT, g.trentalancia

Description g.trentalancia 2009-06-09 09:38:08 EDT
Created attachment 347024
Patched source RPM package

Description of problem:
GnuTLS applications (such as gnutls-cli) do not check the activation and expiration dates of X.509 certificates.

Version-Release number of selected component (if applicable):
2.4.2-3

How reproducible:
Use function _gnutls_x509_verify_certificate (in lib/x509/verify.c in libgnutls_x509). This function is used by at least the following applications: (a) Exim, (b) OpenLDAP, and (c) libsoup.

Steps to Reproduce:
1. Use function _gnutls_x509_verify_certificate on expired X.509 certificates
2. Or, use gnutls-cli on expired X.509 certificates
3. Example certificate for testing: expired.demo.gnutls.org
  
Actual results:
Expired certificates are accepted

Expected results:
Expired certificates should not be accepted

Additional info:
For full report, see http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/351

CVE report: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417

A patch has been proposed in the above mentioned report and has been included in the attached SRPM (gnutls-2.4.2-4.fc10.src.rpm).
Comment 1 Tomas Hoger 2009-06-09 10:01:23 EDT
Fixing summary (wrong CVE/upstream advisory id), adding block on bug tracking this, removing visibility restrictions (no point in creating private bugs for public issues).  Tomas, I'll let you explain why changing this during the distribution lifetime is not the best idea.

At least it seems applications have no easy way to cope with new error status code introduced by the patch.
Comment 2 Tomas Mraz 2009-06-09 10:14:24 EDT
Most applications which do not do expiration checking on their own would probably fail with some general certificate verification error when an expired certificate is encountered. The severity of the issue is low and it is fixed in the Fedora 11 package.
Comment 3 g.trentalancia 2009-06-09 10:30:01 EDT
Created attachment 347033
Patched source RPM package (fix CVE/bug number)

Fix incorrect CVE/bug number (correct reference is GNUTLS-SA-2009-3 / CVE-2009-1417).
Comment 4 g.trentalancia 2009-06-09 13:55:05 EDT
Created attachment 347067
Final patched source RPM package

The patch provided by Simon apparently does not resolve the issue properly, because the function might return before the check on the activation/expiration date is carried out.

It would be better if the function only returns at the end, after all checks (including the new check on activation/expiration) have been carried out.

The new attachment reflects the above considerations.

Because the certificate is also marked with the flag INVALID (which is already used in other conditions), applications that are not aware of the new check/flag should still be able to detect the INVALID flag.

Fedora 11 is not affected because it uses version 2.6.6 of gnutls. Obviously, also upgrading Fedora 10 to gnutls version 2.6.6 is a better solution...
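The two points made in Comment 4 (the verify routine must not return before the time check runs, and the general INVALID bit must be set alongside the new bits so older callers still reject) as an added example that is not part of the bug report, the attached patch, or GnuTLS's own code. It is a plain-C model of a verify-status bitmask, independent of libgnutls. The constant values are assumed to mirror gnutls_certificate_status_t in the GnuTLS 2.6 public header; the certificate validity dates are constructed for the example and are not those of expired.demo.gnutls.org.

```c
#include <stdio.h>
#include <time.h>

/* Verification status bits. Assumption: values mirror GnuTLS's public
 * gnutls_certificate_status_t in the 2.6 series; they are not taken from
 * this bug report. */
enum {
    CERT_INVALID          = 2,
    CERT_SIGNER_NOT_FOUND = 64,
    CERT_NOT_ACTIVATED    = 512,   /* introduced with the GNUTLS-SA-2009-3 fix */
    CERT_EXPIRED          = 1024   /* introduced with the GNUTLS-SA-2009-3 fix */
};

/* Minimal stand-in for the certificate fields that matter here. */
struct cert {
    time_t not_before;   /* Validity.notBefore as epoch seconds */
    time_t not_after;    /* Validity.notAfter  as epoch seconds */
    int    chain_ok;     /* 1 if the issuer was found and the signature verified */
};

/* Shape criticised in Comment 4: an early return on chain failure means
 * the activation/expiration check below it is never reached. */
unsigned verify_early_return(const struct cert *c, time_t now)
{
    unsigned status = 0;
    if (!c->chain_ok)
        return CERT_INVALID | CERT_SIGNER_NOT_FOUND;   /* time check skipped */
    if (now < c->not_before) status |= CERT_INVALID | CERT_NOT_ACTIVATED;
    if (now > c->not_after)  status |= CERT_INVALID | CERT_EXPIRED;
    return status;
}

/* Corrected shape: every check runs, failures accumulate in the bitmask,
 * and the function returns once at the end. Each time failure also sets
 * CERT_INVALID so callers unaware of the new bits still see a failure. */
unsigned verify_accumulate(const struct cert *c, time_t now)
{
    unsigned status = 0;
    if (!c->chain_ok)        status |= CERT_INVALID | CERT_SIGNER_NOT_FOUND;
    if (now < c->not_before) status |= CERT_INVALID | CERT_NOT_ACTIVATED;
    if (now > c->not_after)  status |= CERT_INVALID | CERT_EXPIRED;
    return status;
}

/* An application built before CERT_EXPIRED existed only tests CERT_INVALID.
 * It still rejects an expired certificate without being recompiled. */
int legacy_app_rejects(unsigned status)
{
    return (status & CERT_INVALID) != 0;
}

/* Constructed samples: a certificate valid for calendar year 2008, with and
 * without a verifiable chain, evaluated on the date of this report. */
static const struct cert sample_expired = {
    1199145600,  /* 2008-01-01T00:00:00Z */
    1230768000,  /* 2009-01-01T00:00:00Z */
    1
};
static const struct cert sample_expired_broken_chain = {
    1199145600,
    1230768000,
    0
};
static const time_t report_date = 1244505600;  /* 2009-06-09T00:00:00Z */

int main(void)
{
    unsigned s = verify_accumulate(&sample_expired, report_date);
    printf("status=0x%x expired=%d legacy_rejects=%d\n",
           s, (s & CERT_EXPIRED) != 0, legacy_app_rejects(s));
    return 0;
}
```

With a broken chain, verify_early_return never reports CERT_EXPIRED, while verify_accumulate reports both the chain failure and the expiration; either way CERT_INVALID is set, which is what a pre-2.6 caller checks.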
