A flaw was reported [1] in the GnuTLS gnutls_session_get_data() function, which could overflow a too-short buffer parameter allocated by the caller. The test which was to avoid such buffer overflows was not working. A malicious server could use this flaw in a vulnerable client to send a larger SessionTicket in the hope of overflowing the client. Upstream has indicated that they are unaware of any client software that does not properly use the session resumption functions; clients that perform session resumption as documented [2] are not vulnerable.
[1] http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5596
[2] http://www.gnu.org/s/gnutls/manual/html_node/Client-with-Resume-capability-example.html#Client-with-Resume-capability-example
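The comment above hinges on two things: the callee's length check must run before any copy, and the caller must follow the documented resumption pattern (query the required size with a NULL buffer, allocate that much, then fetch). The following is an added illustration, not GnuTLS code and not from this bug report: `model_session_get_data()` is a constructed stand-in that models the documented contract of gnutls_session_get_data() (buffer size in, required size out, short-buffer error and no copy when the buffer is too small), and `fetch_session_data()` is the two-step caller pattern the manual example uses. The error-code names, the `session_t` type and the 64-byte sample ticket are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for library error codes (not GnuTLS's values). */
#define E_SHORT_MEMORY_BUFFER (-1)
#define E_INVALID_REQUEST     (-2)

/* Constructed model of a session whose resumption data came from a
 * server-supplied SessionTicket, so its length is not chosen by the client. */
typedef struct {
    const unsigned char *ticket;
    size_t ticket_len;
} session_t;

/* Model of the documented gnutls_session_get_data() contract: *buf_size is
 * the caller's buffer size on input and the required size on output. If the
 * buffer is NULL or too small, nothing is copied and a short-buffer error is
 * returned. The length check runs before the memcpy. */
int model_session_get_data(const session_t *s, void *buf, size_t *buf_size)
{
    if (s == NULL || buf_size == NULL)
        return E_INVALID_REQUEST;
    if (buf == NULL || *buf_size < s->ticket_len) {
        *buf_size = s->ticket_len;      /* report what the caller needs */
        return E_SHORT_MEMORY_BUFFER;
    }
    memcpy(buf, s->ticket, s->ticket_len);
    *buf_size = s->ticket_len;
    return 0;
}

/* Caller side, following the documented resumption pattern: ask for the size
 * with a NULL buffer, allocate exactly that, then fetch. Returns a malloc'd
 * buffer (caller frees) and sets *out_len, or NULL on failure. */
unsigned char *fetch_session_data(const session_t *s, size_t *out_len)
{
    size_t size = 0;
    int rc = model_session_get_data(s, NULL, &size);
    if (rc != E_SHORT_MEMORY_BUFFER)
        return NULL;
    unsigned char *buf = malloc(size > 0 ? size : 1);
    if (buf == NULL)
        return NULL;
    rc = model_session_get_data(s, buf, &size);
    if (rc != 0) {
        free(buf);
        return NULL;
    }
    *out_len = size;
    return buf;
}

/* Constructed sample ticket bytes: a recognisable pattern, 64 bytes long. */
static void make_ticket(unsigned char *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        t[i] = (unsigned char)(0xA0 + i);
}

/* Check 1: a fixed 16-byte caller buffer is rejected, left untouched, and the
 * required size is reported. Returns 1 on the expected behaviour, else 0. */
int check_short_buffer_rejected(void)
{
    unsigned char ticket[64];
    make_ticket(ticket, sizeof ticket);
    session_t s = { ticket, sizeof ticket };

    unsigned char small[16];
    memset(small, 0x5A, sizeof small);          /* canary pattern */
    size_t size = sizeof small;
    int rc = model_session_get_data(&s, small, &size);

    if (rc != E_SHORT_MEMORY_BUFFER || size != sizeof ticket)
        return 0;
    for (size_t i = 0; i < sizeof small; i++)   /* canary must be intact */
        if (small[i] != 0x5A)
            return 0;
    return 1;
}

/* Check 2: the two-step caller gets a buffer of the right size whose contents
 * match the ticket. Returns the fetched length (64), or 0 on failure. */
size_t check_two_step_roundtrip(void)
{
    unsigned char ticket[64];
    make_ticket(ticket, sizeof ticket);
    session_t s = { ticket, sizeof ticket };

    size_t len = 0;
    unsigned char *data = fetch_session_data(&s, &len);
    if (data == NULL)
        return 0;
    int same = (len == sizeof ticket) && memcmp(data, ticket, len) == 0;
    free(data);
    return same ? len : 0;
}

int main(void)
{
    printf("short buffer rejected: %d\n", check_short_buffer_rejected());
    printf("two-step fetch length: %zu\n", check_two_step_roundtrip());
    return 0;
}
```

The first check is the callee-side property the fixed library restores: a buffer smaller than the ticket is never written to, regardless of how large the server made the ticket. The second check is the caller-side pattern that kept documented clients unaffected even before the fix, since they never pass a fixed-size buffer that the server's ticket could exceed.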
Upstream git commits to correct the flaw:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=190cef6eed37d0e73a73c1e205eb31d45ab60a3c
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=e82ef4545e9e98cbcb032f55d7c750b81e3a0450
This is corrected in upstream 2.12.14 and 3.0.7.
This has been assigned the name CVE-2011-4128.
This issue affects the version of gnutls as shipped with Fedora 14, 15 and 16.
Created gnutls tracking bugs for this issue
Affects: fedora-all [bug 752703]
This issue has been addressed in the following products: Red Hat Enterprise Linux 6
Via RHSA-2012:0429 https://rhn.redhat.com/errata/RHSA-2012-0429.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5
Via RHSA-2012:0428 https://rhn.redhat.com/errata/RHSA-2012-0428.html
Statement: This issue does not affect the version of gnutls as shipped with Red Hat Enterprise Linux 4.
gnutls-2.10.5-3.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.