Red Hat Bugzilla – Bug 504791
Fix checking of certificate activation/expiration times in gnutls (GNUTLS-SA-2009-3 / CVE-2009-1417)
Last modified: 2009-06-09 13:55:05 EDT
Created attachment 347024 [details]
Patched source RPM package
Description of problem:
GnuTLS applications (such as gnutls-cli) do not check the activation and expiration dates of X.509 certificates.
Version-Release number of selected component (if applicable):
Use function _gnutls_x509_verify_certificate (in lib/x509/verify.c in libgnutls_x509). Such function is used by at least the following applications: (a) Exim, (b) OpenLDAP, and (c) libsoup
Steps to Reproduce:
1. Use function _gnutls_x509_verify_certificate on expired X.509 certificates
2. Or, use gnutls-cli on expired X.509 certificates
3. Example certificate for testing: expired.demo.gnutls.org
Expired certificates are accepted
Expired certificates should not be accepted
For full report, see http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/351
CVE report: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417
A patch has been proposed in the above mentioned report and has been included in the attached SRPM (gnutls-2.4.2-4.fc10.src.rpm).
Fixing summary (wrong CVE/upstream advisory id), adding block on bug tracking this, removing visibility restrictions (no point in creating private bugs for public issues). Tomas, I'll let you explain why changing this during the distribution lifetime is not the best idea.
At least it seems applications have no easy way to cope with new error status code introduced by the patch.
Most applications which do not do expiration checking on their own would probably fail when expired certificate is encountered with some general certificate verification error. The severity of the issue is low and it is fixed in the Fedora 11 package.
Created attachment 347033 [details]
Patched source RPM package (fix CVE/bug number)
Fix incorrect CVE/bug number (correct reference is GNUTLS-SA-2009-3 / CVE-2009-1417).
Created attachment 347067 [details]
Final patched source RPM package
The patch provided by Simon, apparently does not resolve the issue properly, because the function might return before the check on activation/expiration date is carried out.
It would be better if the function only returns at the end, after all checks (including the new check on activation/expiration) have been carried out.
The new attachment reflects the above considerations.
Because the certificate is also marked with the flag INVALID (which has already been used in other conditions), then applications that are not aware of the new check/flag, should still be able to detect the INVALID flag.
Fedora 11 is not affected because uses version 2.6.6 of gnutls. Obviously, upgrading also Fedora 10 to gnutls version 2.6.6 is a better solution...