Bug 13457

Summary: gnutls new security issues CVE-2014-3465 and CVE-2014-3466
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: arnaud, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/601058/
Whiteboard: MGA3TOO advisory mga3-32-ok MGA4-64-OK MGA3-64-OK MGA4-32-OK
Source RPM: gnutls-3.2.7-1.2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-05-30 17:08:48 CEST 
Security issues fixed upstream in gnutls have been made public today (May 30):
http://openwall.com/lists/oss-security/2014/05/30/2

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated gnutls packages fix security vulnerabilities:

A NULL pointer dereference flaw was discovered in GnuTLS's
gnutls_x509_dn_oid_name().  The function, when called with the
GNUTLS_X509_DN_OID_RETURN_OID flag, should not return NULL to its caller.
However, it could previously return NULL when parsed X.509 certificates
included specific OIDs (CVE-2014-3465).

A flaw was found in the way GnuTLS parsed session ids from Server Hello
packets of the TLS/SSL handshake.  A malicious server could use this flaw to
send an excessively long session id value and trigger a buffer overflow in a
connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly,
execute arbitrary code (CVE-2014-3466).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3465
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3466
http://www.gnutls.org/security.html#GNUTLS-SA-2014-3
========================

Updated packages in core/updates_testing:
========================
gnutls-3.1.16-1.3.mga3
libgnutls28-3.1.16-1.3.mga3
libgnutls-ssl27-3.1.16-1.3.mga3
libgnutls-xssl0-3.1.16-1.3.mga3
libgnutls-devel-3.1.16-1.3.mga3
gnutls-3.2.7-1.3.mga4
libgnutls28-3.2.7-1.3.mga4
libgnutls-ssl27-3.2.7-1.3.mga4
libgnutls-xssl0-3.2.7-1.3.mga4
libgnutls-devel-3.2.7-1.3.mga4

from SRPMS:
gnutls-3.1.16-1.3.mga3.src.rpm
gnutls-3.2.7-1.3.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-05-30 17:10:18 CEST 
PoC for CVE-2014-3466:
https://www.gitorious.org/gnutls/gnutls/raw/a7be326f0e33cf7ce52b36474c157f782d9ca977:tests/long-session-id.c

Download that file and save as long-session-id.c.  Make sure you have libgnutls-devel installed.  Compile as follows:
gcc -o long-session-id long-session-id.c -lgnutls

Then execute the binary:
./long-session-id

If vulnerable, you get "Child died with sigsegv"

Whiteboard: (none) => MGA3TOO

Comment 2 Arnaud Vacquier 2014-05-31 20:50:03 CEST 
Hi,

I try to compilebut i have an error :



# urpmi gnutls


    $MIRRORLIST: media/core/updates/gnutls-3.2.7-1.2.mga4.x86_64.rpm
installation de gnutls-3.2.7-1.2.mga4.x86_64.rpm depuis /var/cache/urpmi/rpms                                                                               
Préparation...                   ##########################################################################################################################
      1/1: gnutls                ##########################################################################################################################


# LC_ALL=C gcc -o long-session-id long-session-id.c -lgnutls
long-session-id.c:46:27: fatal error: gnutls/gnutls.h: No such file or directory
 #include <gnutls/gnutls.h>
                           ^
compilation terminated.

CC: (none) => aranud

Comment 3 Thomas Backlund 2014-05-31 20:55:44 CEST 
For that to work you need to install gnutls-devel

CC: (none) => tmb

Comment 4 Arnaud Vacquier 2014-05-31 20:57:49 CEST 
Oups sorry, i haven't see to install the devel... :/

Before update :

# LC_ALL=C  ./long-session-id
memory was overwritten
Child died with sigsegv

After :
# urpmi gnutls
Le paquetage gnutls-3.2.7-1.3.mga4.x86_64 est déjà installé
# LC_ALL=C  ./long-session-id
client: Handshake failed (expected)
GnuTLS error: A record packet with illegal version was received.

So fail, i try to recompile but it is same.
Comment 5 Thomas Backlund 2014-05-31 21:05:22 CEST 
No, the fix worked.

before you got:
memory was overwritten

- overwriting memory is always bad.

and:
Child died with sigsegv

- here it crashed



after you got:
client: Handshake failed (expected)

- this confirms it refused the broken handshake

and:
GnuTLS error: A record packet with illegal version was received.

- this is gnutls informing about an illegal attempt that it ignores
Comment 6 Arnaud Vacquier 2014-05-31 21:19:05 CEST 
Ok so, Mageia 3+4 x86_64 are ok :

Before :
# LC_ALL=C gcc -o long-session-id long-session-id.c -lgnutls
# ./long-session-id
memory was overwritten
Child died with sigsegv
# urpmi gnutls
Le paquetage gnutls-3.1.16-1.2.mga3.x86_64 est déjà installé

After :
# urpmi gnutls
Le paquetage gnutls-3.1.16-1.3.mga3.x86_64 est déjà installé
# ./long-session-id
client: Handshake failed (expected)
GnuTLS error: A record packet with illegal version was received.

Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK MGA3-64-OK

Comment 7 Arnaud Vacquier 2014-06-01 00:19:08 CEST 
In VT for Mageia 4 i586 ok :

$ wget https://www.gitorious.org/gnutls/gnutls/raw/a7be326f0e33cf7ce52b36474c157f782d9ca977:tests/long-session-id.c
--2014-06-01 00:09:24--  https://www.gitorious.org/gnutls/gnutls/raw/a7be326f0e33cf7ce52b36474c157f782d9ca977:tests/long-session-id.c
Résolution de www.gitorious.org (www.gitorious.org)... 87.238.52.168, 2a02:c0:1014::1
Connexion vers www.gitorious.org (www.gitorious.org)|87.238.52.168|:443...connecté.
requête HTTP transmise, en attente de la réponse...200 OK
Longueur: 6927 (6,8K) [text/plain]
Sauvegarde en : «long-session-id.c»

100%[======================================>] 6 927       --.-K/s   ds 0s      

2014-06-01 00:09:26 (209 MB/s) - «long-session-id.c» sauvegardé [6927/6927]

[mageia@localhost ~]$ gcc -o long-session-id long-session-id.c -lgnutls
[mageia@localhost ~]$ ./long-session-id
Child died with sigsegv
[mageia@localhost ~]$ su
Mot de passe : 
[root@localhost mageia]# urpmi gnutls
Le paquetage gnutls-3.2.7-1.3.mga4.i586 est déjà installé
[root@localhost mageia]# ./long-session-id
client: Handshake failed (expected)
GnuTLS error: A record packet with illegal version was received.

Whiteboard: MGA3TOO MGA4-64-OK MGA3-64-OK => MGA3TOO MGA4-64-OK MGA3-64-OK MGA4-32-OK

Comment 8 claire robinson 2014-06-02 14:14:55 CEST 
Testing complete mga3 32. 

Well done Arnaud for the rest.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK MGA3-64-OK MGA4-32-OK => MGA3TOO advisory mga3-32-ok MGA4-64-OK MGA3-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 9 David Walser 2014-06-02 14:20:40 CEST 
gnutls uses libtasn1, so if this has been tested, you could validate Bug 13456 as well.
Comment 10 claire robinson 2014-06-02 14:37:39 CEST 
Forgot this bit!

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 11 claire robinson 2014-06-02 14:43:57 CEST 
Sorry David, cross posted. I think we have a procedure for libtasn1
Comment 12 David Walser 2014-06-02 14:56:03 CEST 
(In reply to claire robinson from comment #11)
> Sorry David, cross posted. I think we have a procedure for libtasn1

Yes you created one for a previous update.  Hopefully we can release these two together.
David Walser 2014-06-02 19:58:54 CEST

URL: (none) => http://lwn.net/Vulnerabilities/601058/

Comment 13 Thomas Backlund 2014-06-02 20:50:11 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0248.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 14 David Walser 2014-06-03 18:41:23 CEST 
LWN reference for CVE-2014-3465:
http://lwn.net/Vulnerabilities/601140/