Bug 14527

Summary: gnutls new security issue CVE-2014-8564
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, wilcal.int
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/619816/
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA4-64-OK advisory
Source RPM: gnutls-3.2.7-1.3.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-11-13 15:53:45 CET 
RedHat has issued an advisory on November 12:
https://rhn.redhat.com/errata/RHSA-2014-1846.html

Freeze push request sent for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

An out-of-bounds memory write flaw was found in the way GnuTLS parsed
certain ECC (Elliptic Curve Cryptography) certificates or certificate
signing requests (CSR). A malicious user could create a specially crafted
ECC certificate or a certificate signing request that, when processed by an
application compiled against GnuTLS (for example, certtool), could cause
that application to crash or execute arbitrary code with the permissions of
the user running the application (CVE-2014-8564).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8564
http://www.gnutls.org/security.html#GNUTLS-SA-2014-5
https://rhn.redhat.com/errata/RHSA-2014-1846.html
========================

Updated packages in core/updates_testing:
========================
gnutls-3.1.16-1.4.mga3
libgnutls28-3.1.16-1.4.mga3
libgnutls-ssl27-3.1.16-1.4.mga3
libgnutls-xssl0-3.1.16-1.4.mga3
libgnutls-devel-3.1.16-1.4.mga3
gnutls-3.2.7-1.4.mga4
libgnutls28-3.2.7-1.4.mga4
libgnutls-ssl27-3.2.7-1.4.mga4
libgnutls-xssl0-3.2.7-1.4.mga4
libgnutls-devel-3.2.7-1.4.mga4

from SRPMS:
gnutls-3.1.16-1.4.mga3.src.rpm
gnutls-3.2.7-1.4.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-11-13 15:53:51 CET

Whiteboard: (none) => MGA3TOO

Comment 1 William Kenney 2014-11-13 19:33:14 CET 
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
gnutls libgnutls-ssl27

default install of gnutls & libgnutls-ssl27

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.7-1.3.mga4.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:...........

install gnutls & libgnutls-ssl27 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.7-1.4.mga4.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 2 William Kenney 2014-11-13 19:53:52 CET 
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
gnutls lib64gnutls-ssl27 lib64gnutls28

default install of gnutls lib64gnutls-ssl27 & lib64gnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.7-1.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.7-1.3.mga4.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:...........

install gnutls lib64gnutls-ssl27 & lib64gnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.7-1.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.7-1.4.mga4.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.......

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
William Kenney 2014-11-13 19:56:02 CET

Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK MGA4-64-OK

Comment 3 RĂ©mi Verschelde 2014-11-14 12:07:51 CET 
Advisory uploaded.

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK advisory

Comment 4 David Walser 2014-11-14 16:10:39 CET 
Thanks for the testing hit William.

I have a local HTTPS webserver with our own cacert that we use, so using a local copy of that cacert file, I did something like this:

gnutls-cli --x509cafile=cacert.pem lms.example.net

and then after it verified the cert I typed:

GET / HTTP/1.0


(with two hard returns after) and it printed the contents of the index page.  It always finishes with:
*** Fatal error: The TLS connection was non-properly terminated.
*** Server has terminated the connection abnormally.

I'm not sure why, but it's not a regression.

Unfortunately gnutls-cli doesn't respect the proxy environment variables, so I can't test it against www.mageia.org from here, but it should already be signed by a trusted CA, so the command William used plus the GET string I showed should be enough to get Mageia.org's index page successfully.

Testing complete Mageia 3 i586.

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK advisory => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK advisory

Comment 5 William Kenney 2014-11-14 16:34:40 CET 
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
gnutls libgnutls-ssl27 libgnutls28

default install of gnutls libgnutls-ssl27 & libgnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.1.16-1.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.1.16-1.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.1.16-1.3.mga3.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:...........

install gnutls libgnutls-ssl27 & libgnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.1.16-1.4.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.1.16-1.4.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.1.16-1.4.mga3.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:........

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 6 William Kenney 2014-11-14 16:52:07 CET 
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
gnutls lib64gnutls-ssl27 lib64gnutls28

default install of gnutls lib64gnutls-ssl27 & lib64gnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.1.16-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.1.16-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.1.16-1.3.mga3.x86_64 is already installed

[wilcal@localhost ~]$ gnutls-cli google.com
Processed 198 CA certificate(s).
Resolving 'google.com'...
Connecting to '2607:f8b0:4000:800::1005:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:........

install gnutls lib64gnutls-ssl27 & lib64gnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.1.16-1.4.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.1.16-1.4.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.1.16-1.4.mga3.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli google.com
Processed 198 CA certificate(s).
Resolving 'google.com'...
Connecting to '2607:f8b0:4000:809::1001:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:........

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 7 William Kenney 2014-11-14 16:53:43 CET 
This update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK advisory => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2014-11-15 19:32:36 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0458.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED