Bug 498423 (CVE-2009-1415) - CVE-2009-1415 gnutls: Double free and free of invalid pointer on certain errors [GNUTLS-SA-2009-1]
Summary: CVE-2009-1415 gnutls: Double free and free of invalid pointer on certain erro...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2009-1415
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://article.gmane.org/gmane.comp.e...
Whiteboard:
Depends On:
Blocks:
Reported: 2009-04-30 12:41 UTC by Tomas Hoger
Modified: 2021-11-12 19:57 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-18 19:57:30 UTC
Embargoed:

Description Tomas Hoger 2009-04-30 12:41:43 UTC
Quoting upstream security advisory:
  http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3515

  Miroslav Kratochvil reported that he was able to crash libgnutls
  when experimenting with (corrupt) DSA keys.  The client crashes when
  verifying invalid DSA signatures provided by the remote server when
  using a DSA ciphersuite.  The code that crashes is also used for
  verifying DSA signatures in X.509 Certificates, and for verifying
  RSA/DSA signatures in OpenPGP keys.

  Only GnuTLS 2.6.x is affected.  GnuTLS 2.4.x and earlier did not
  contain the buggy code.

Fixed upstream in 2.6.6:
  http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3514

Comment 1 Tomas Hoger 2009-04-30 12:48:32 UTC
This issue did not affect versions of gnutls shipped in Red Hat Enterprise Linux 4 and 5, and Fedora up to version 10, as they are based on upstream versions prior to 2.6.  gnutls 2.6.x is currently in F11/Rawhide; mingw32-gnutls, based on an upstream 2.6.x version, is in F10 too.

Comment 2 Vincent Danen 2009-05-01 16:52:50 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1415 to
the following vulnerability:

Name: CVE-2009-1415
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415
Assigned: 20090424
Reference: MLIST:[gnutls-devel] 20090423 Re: some crashes on using DSA keys
Reference: URL: http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3502
Reference: MLIST:[gnutls-devel] 20090430 Double free and free of invalid pointer on certain errors [GNUTLS-SA-2009-1] [CVE-2009-1415]
Reference: URL: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3515
Reference: CONFIRM: http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3488
Reference: SECUNIA:34842
Reference: URL: http://secunia.com/advisories/34842

lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not
properly handle invalid DSA signatures, which allows remote attackers
to cause a denial of service (application crash) and possibly have
unspecified other impact via a malformed DSA key that triggers a (1)
free of an uninitialized pointer or (2) double free.

Comment 3 Vincent Danen 2009-09-18 19:57:30 UTC
Fedora 11 contains gnutls-2.6.6-1.fc11, so there is nothing actually vulnerable to this issue.
