Bug 2269084 (CVE-2024-28835) - CVE-2024-28835 gnutls: potential crash during chain building/verification
Summary: CVE-2024-28835 gnutls: potential crash during chain building/verification
Status: NEW
Alias: CVE-2024-28835
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2270594
Blocks: 2269079
TreeView+ depends on / blocked
Reported: 2024-03-11 23:29 UTC by Robb Gatica
Modified: 2024-05-20 17:07 UTC (History)
37 users (show)

Fixed In Version: gnutls-3.8.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.
Clone Of:
Last Closed:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:2640 0 None None None 2024-05-01 06:23:09 UTC
Red Hat Product Errata RHBA-2024:2684 0 None None None 2024-05-02 22:23:23 UTC
Red Hat Product Errata RHBA-2024:2715 0 None None None 2024-05-06 19:55:20 UTC
Red Hat Product Errata RHSA-2024:1879 0 None None None 2024-04-18 02:18:45 UTC
Red Hat Product Errata RHSA-2024:2570 0 None None None 2024-04-30 14:40:51 UTC
Red Hat Product Errata RHSA-2024:2889 0 None None None 2024-05-16 18:14:04 UTC

Description Robb Gatica 2024-03-11 23:29:54 UTC
Embargoed issue as reported at https://gitlab.com/gnutls/gnutls/-/issues/1525  
(duplicate - https://gitlab.com/gnutls/gnutls/-/issues/1527)


Description of problem:
I'm reporting a crash observed during chain building/verification. I've turned into a reproducer (not minimal yet, but reliably crashes for me), which I'm attaching to this issue.

As additional context: this reproducer comes from Netflix's BetterTLS (github.com/Netflix/bettertls) project; specifically, it's test case 61 in their "path validation" suite. As such, it's already public on the Internet. However, nobody appears to have run BetterTLS against a recent version of GnuTLS, so I'm filing this as a private issue for triage.

Version of gnutls used:
This crash has been observed on GnuTLS 3.8.3, via certtool. I'm using the Homebrew distribution of GnuTLS 3.8.3: https://formulae.brew.sh/formula/gnutls#default

How reproducible:
I'm attaching a reproducer in the form of a PEM bundle

Steps to Reproduce:
certtool --verify-chain --infile bug.pem

Expected results:
I expected a normal program exit, with an exit code of 1 or 0.

Actual results:
The program crashes with SIGTRAP, which is probably just because macOS catches the SIGSEGV for triage.

Observed output:
Note that no verification profile was selected. In the future the medium profile will be enabled by default.Use --verify-profile low to
apply the default verification of NORMAL priority string.|<1>| There was a non-CA certificate in the trusted list: O=bettertls.com,CN=D,serialNumber=9d9b1ac3-6af5-47f2-9cdb-2201652648a0.Trace/BPT
trap: 5

Comment 3 Sandipan Roy 2024-03-21 05:31:54 UTC
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 2270594]

Comment 5 errata-xmlrpc 2024-04-18 02:18:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1879 https://access.redhat.com/errata/RHSA-2024:1879

Comment 6 errata-xmlrpc 2024-04-30 14:40:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2570 https://access.redhat.com/errata/RHSA-2024:2570

Comment 7 errata-xmlrpc 2024-05-16 18:14:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2889 https://access.redhat.com/errata/RHSA-2024:2889

Note You need to log in before you can comment on or make changes to this bug.