Bug 573028 - (CVE-2010-0731) CVE-2010-0731 gnutls: gnutls_x509_crt_get_serial incorrect serial decoding from ASN1 (BE64) [GNUTLS-SA-2010-1]
CVE-2010-0731 gnutls: gnutls_x509_crt_get_serial incorrect serial decoding fr...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,source=redhat,reporte...
: Security
Depends On: 565562 565563 572549
Blocks:
  Show dependency treegraph
 
Reported: 2010-03-12 11:16 EST by Tomas Hoger
Modified: 2010-03-25 06:49 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-25 06:49:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2010-03-12 11:16:28 EST
During the testing of GnuTLS updates, a flaw was discovered affecting Red Hat Enterprise Linux 4 GnuTLS packages on s390x platform, causing gnutls-cli to crash while printing server certificate info.

This crash was caused by a flaw in gnutls_x509_crt_get_serial(), which calls asn1_read_value() to extract serial number from the x509 certificate.

(lib/x509/x509.c)
 526 int gnutls_x509_crt_get_serial(gnutls_x509_crt cert, void* result,
 527     size_t* result_size)
 528 {
 ...
 536     if ((ret = asn1_read_value(cert->cert, "tbsCertificate.serialNumber", result, result_size)) < 0) {

asn1_read_value() expects pointer to int (32 bit) as its third argument, but gnutls_x509_crt_get_serial() passed pointer to size_t (64 bit on 64 bit platforms) instead.  On 64bit big endian platforms asn1_read_value() got incorrect length value.

(lib/minitasn1/element.c)
 598 asn1_retCode
 599 asn1_read_value(node_asn *root,const char *name,void* ivalue, int *len)

On little endian 64 bit platforms, high 32 bits of the *result_size size_t value were lost, but they only contained zeros.  On big endian 64 bit platforms, low 32 bits were lost / ignored, causing asn1_read_value() to see length value as 0.  This caused asn1_read_value() to return an error, but the length of the value that should have been extracted was saved to *len.

gnutls_x509_crt_get_serial() did not correctly check return value of asn1_read_value(), failing to detect an error.  After returning, caller could see a high value stored in *result_size (when interpreted as 64 bit value again).

print_x509_info() (used by gnutls-cli or gnutls-serv) and print_certificate_info() (used by certtool) relied on the returned size value.  Unexpected value caused a stack buffer overflow in those functions.

This bug could also cause gnutls_x509_crt_check_revocation() to incorrectly check supplied X509 certificate against the list of revoked certificates, resulting in a bypass or the CRL check.

This issue was fixed upstream via following commit:
  http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=112d537d

This fix was first included in upstream version 1.2.1.  Therefore, GnuTLS packages in Red Hat Enterprise Linux 5, Fedora, and current upstream GnuTLS versions are not affected by this flaw.
Comment 2 Tomas Hoger 2010-03-25 03:57:43 EDT
Making bug public.
Comment 3 Tomas Hoger 2010-03-25 04:26:53 EDT
GnuTLS upstream is tracking this as GNUTLS-SA-2010-1:
  http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4230
Comment 4 errata-xmlrpc 2010-03-25 06:38:58 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0167 https://rhn.redhat.com/errata/RHSA-2010-0167.html

Note You need to log in before you can comment on or make changes to this bug.