Bug 591188 - Please apply fix for GNUTLS-SA-2006-2.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: gnutls
Version: 5.4
Hardware: All Linux
Priority: low, Severity: medium
Target Milestone: rc
Assigned To: Tomas Mraz
QA Contact: BaseOS QE Security Team
Keywords: Security
Blocks: CVE-2006-7239

Reported: 2010-05-11 11:56 EDT by Enrico Scholz
Modified: 2012-03-15 06:59 EDT
Fixed In Version: gnutls-1.4.1-7.el5_8.1
Doc Type: Bug Fix
Last Closed: 2012-03-15 06:59:27 EDT
Description Enrico Scholz 2010-05-11 11:56:17 EDT
Description of problem:

While verifying client certificates with sha512 hashes I get segfaults like

==7286== Invalid read of size 1
==7286==    at 0x4A06794: strcmp (mc_replace_strmem.c:341)
==7286==    by 0x4C309C5: _gnutls_x509_oid2mac_algorithm (gnutls_algorithms.c:573)
==7286==    by 0x4C5830A: verify_sig (verify.c:498)
==7286==    by 0x4C5850D: _gnutls_x509_verify_signature (verify.c:696)
==7286==    by 0x4C58D37: _gnutls_verify_certificate2 (verify.c:295)
==7286==    by 0x4C5911F: gnutls_x509_crt_list_verify (verify.c:401)
==7286==    by 0x4C470AB: _gnutls_x509_cert_verify_peers (gnutls_x509.c:179)
==7286==    by 0x402DAA: ssl_server (ssl-server.c:520)
==7286==    by 0x403C77: main (ssl-server.c:820)
==7286==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==7286== 
==7286== Process terminating with default action of signal 11 (SIGSEGV)
==7286==  Access not within mapped region at address 0x0
==7286==    at 0x4A06794: strcmp (mc_replace_strmem.c:341)
==7286==    by 0x4C309C5: _gnutls_x509_oid2mac_algorithm (gnutls_algorithms.c:573)
==7286==    by 0x4C5830A: verify_sig (verify.c:498)
==7286==    by 0x4C5850D: _gnutls_x509_verify_signature (verify.c:696)
==7286==    by 0x4C58D37: _gnutls_verify_certificate2 (verify.c:295)
==7286==    by 0x4C5911F: gnutls_x509_crt_list_verify (verify.c:401)
==7286==    by 0x4C470AB: _gnutls_x509_cert_verify_peers (gnutls_x509.c:179)
==7286==    by 0x402DAA: ssl_server (ssl-server.c:520)
==7286==    by 0x403C77: main (ssl-server.c:820)


This issue seems to be described in http://lists.gnupg.org/pipermail/gnutls-dev/2006-August/001190.html and solved in gnutls-1.4.2.

Practically, this allows DoS attacks against gnutls-based servers by providing client certificates with unsupported algorithms (e.g. sha256 or sha512).


Version-Release number of selected component (if applicable):


How reproducible:

gnutls-1.4.1-3.el5_4.8
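
Added example, not part of the original report and not GnuTLS source: the valgrind trace above shows strcmp reading address 0x0 inside the OID-to-algorithm lookup. The sketch below is a lookup that tolerates both a NULL input and table entries without an OID, and reports an unsupported algorithm (here the SHA-512 OID) as unknown so the caller fails verification instead of crashing. The table, enum and function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a hash algorithm table; not GnuTLS source. */
typedef enum { ALG_UNKNOWN = 0, ALG_MD5, ALG_SHA1, ALG_RMD160, ALG_NULL } alg_id;

struct hash_entry {
    const char *name;
    const char *oid;   /* may be NULL: no OID registered for this entry */
    alg_id id;
};

static const struct hash_entry hash_table[] = {
    { "SHA1",   "1.3.14.3.2.26",      ALG_SHA1 },
    { "MD5",    "1.2.840.113549.2.5", ALG_MD5 },
    { "RMD160", "1.3.36.3.2.1",       ALG_RMD160 },
    { "NULL",   NULL,                 ALG_NULL },    /* entry without an OID */
    { NULL,     NULL,                 ALG_UNKNOWN }  /* terminator */
};

/* Map an OID string to an algorithm; ALG_UNKNOWN if absent or unsupported. */
alg_id oid_to_hash(const char *oid)
{
    const struct hash_entry *p;

    if (oid == NULL)                 /* guard the caller-supplied pointer */
        return ALG_UNKNOWN;
    for (p = hash_table; p->name != NULL; p++) {
        /* guard the table side too: never pass a NULL oid to strcmp */
        if (p->oid != NULL && strcmp(p->oid, oid) == 0)
            return p->id;
    }
    return ALG_UNKNOWN;
}

/* Caller side: an unknown signature algorithm is a verification failure. */
int verify_sig_alg(const char *sig_oid)
{
    return oid_to_hash(sig_oid) == ALG_UNKNOWN ? -1 : 0;
}

int main(void)
{
    /* SHA-512 OID is not in the table: must be rejected, not crash. */
    return verify_sig_alg("2.16.840.1.101.3.4.2.3") == -1 ? 0 : 1;
}
```
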
Comment 3 RHEL Product and Program Management 2010-12-07 04:45:42 EST
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.6 and Red Hat does not plan to fix this issue in the currently developed update.

Contact your manager or support representative in case you need to escalate this bug.
Comment 4 Ludek Smid 2011-06-06 05:00:34 EDT
This request was evaluated by Red Hat Product Management for inclusion in Red
Hat Enterprise Linux 5.7 and Red Hat does not plan to fix this issue in the
currently developed update.

Contact your manager or support representative in case you need to escalate
this bug.
Comment 5 RHEL Product and Program Management 2012-01-09 09:05:29 EST
This request was evaluated by Red Hat Product Management for inclusion in Red Hat Enterprise Linux 5.8 and Red Hat does not plan to fix this issue in the currently developed update.

Contact your manager or support representative in case you need to escalate this bug.
