Bug 573028 (CVE-2010-0731) - CVE-2010-0731 gnutls: gnutls_x509_crt_get_serial incorrect serial decoding from ASN1 (BE64) [GNUTLS-SA-2010-1]
Summary: CVE-2010-0731 gnutls: gnutls_x509_crt_get_serial incorrect serial decoding fr...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-0731
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 565562 565563 572549
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-03-12 16:16 UTC by Tomas Hoger
Modified: 2019-09-29 12:35 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-25 10:49:09 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0167 0 normal SHIPPED_LIVE Moderate: gnutls security update 2010-03-25 10:38:43 UTC

Description Tomas Hoger 2010-03-12 16:16:28 UTC 
During the testing of GnuTLS updates, a flaw was discovered affecting Red Hat Enterprise Linux 4 GnuTLS packages on s390x platform, causing gnutls-cli to crash while printing server certificate info.

This crash was caused by a flaw in gnutls_x509_crt_get_serial(), which calls asn1_read_value() to extract serial number from the x509 certificate.

(lib/x509/x509.c)
 526 int gnutls_x509_crt_get_serial(gnutls_x509_crt cert, void* result,
 527     size_t* result_size)
 528 {
 ...
 536     if ((ret = asn1_read_value(cert->cert, "tbsCertificate.serialNumber", result, result_size)) < 0) {

asn1_read_value() expects pointer to int (32 bit) as its third argument, but gnutls_x509_crt_get_serial() passed pointer to size_t (64 bit on 64 bit platforms) instead.  On 64bit big endian platforms asn1_read_value() got incorrect length value.

(lib/minitasn1/element.c)
 598 asn1_retCode
 599 asn1_read_value(node_asn *root,const char *name,void* ivalue, int *len)

On little endian 64 bit platforms, high 32 bits of the *result_size size_t value were lost, but they only contained zeros.  On big endian 64 bit platforms, low 32 bits were lost / ignored, causing asn1_read_value() to see length value as 0.  This caused asn1_read_value() to return an error, but the length of the value that should have been extracted was saved to *len.

gnutls_x509_crt_get_serial() did not correctly check return value of asn1_read_value(), failing to detect an error.  After returning, caller could see a high value stored in *result_size (when interpreted as 64 bit value again).

print_x509_info() (used by gnutls-cli or gnutls-serv) and print_certificate_info() (used by certtool) relied on the returned size value.  Unexpected value caused a stack buffer overflow in those functions.

This bug could also cause gnutls_x509_crt_check_revocation() to incorrectly check supplied X509 certificate against the list of revoked certificates, resulting in a bypass or the CRL check.

This issue was fixed upstream via following commit:
  http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=112d537d

This fix was first included in upstream version 1.2.1.  Therefore, GnuTLS packages in Red Hat Enterprise Linux 5, Fedora, and current upstream GnuTLS versions are not affected by this flaw.
Comment 2 Tomas Hoger 2010-03-25 07:57:43 UTC 
Making bug public.
Comment 3 Tomas Hoger 2010-03-25 08:26:53 UTC 
GnuTLS upstream is tracking this as GNUTLS-SA-2010-1:
  http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4230
Comment 4 errata-xmlrpc 2010-03-25 10:38:58 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0167 https://rhn.redhat.com/errata/RHSA-2010-0167.html
Note You need to log in before you can comment on or make changes to this bug.