Bug 15504

It doesn't look like Debian included the test case when they backported the patch for 3.3.x in sid, so maybe the testcase is broken.

I have checked the CVE patch (but not the test) into Mageia 4 and Cauldron SVN.

I found this commit upstream in the 3.2.x branch, which I believe fixes the same issue:
https://gitlab.com/gnutls/gnutls/commit/a8ac245ea13a533b9161f8c3ebd9560fe534a01f

They did not add a test case in 3.2.x.  The test case that was added in 3.3.x still fails.  Maybe there's something about the test case that only works with 3.3.x.

I've checked the patch I found into our SVN, replacing the previous one.

OpenSuSE has a PoC here:
https://bugzilla.suse.com/show_bug.cgi?id=919938

An additional issue has been fixed upstream and designated GNUTLS-SA-2015-2:
http://openwall.com/lists/oss-security/2015/05/05/8

It is not believed to be exploitable.

They didn't check anything into the 3.2.x branch for it, but the patch from master applies with just a minor adjustment.  It also builds fine.

I've checked this patch into Mageia 4 and Cauldron SVN also.

(In reply to David Walser from comment #5)
> An additional issue has been fixed upstream and designated GNUTLS-SA-2015-2:
> http://openwall.com/lists/oss-security/2015/05/05/8
> 
> It is not believed to be exploitable.
> 
> They didn't check anything into the 3.2.x branch for it, but the patch from
> master applies with just a minor adjustment.  It also builds fine.
> 
> I've checked this patch into Mageia 4 and Cauldron SVN also.

LWN reference for this one:
http://lwn.net/Vulnerabilities/644509/

gnutls-3.2.21-3.mga6 uploaded for Cauldron.

The two patches are now checked into Mageia 5 SVN.

Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

An additional issue has been fixed upstream and designated GNUTLS-SA-2015-3:
http://openwall.com/lists/oss-security/2015/08/10/1

A CVE has been requested for the issue in the message above.

Patched checked into Mageia 4, Mageia 5, and Cauldron SVN.

(In reply to David Walser from comment #8)
> An additional issue has been fixed upstream and designated GNUTLS-SA-2015-3:
> http://openwall.com/lists/oss-security/2015/08/10/1
> 
> A CVE has been requested for the issue in the message above.
> 
> Patched checked into Mageia 4, Mageia 5, and Cauldron SVN.

LWN reference:
http://lwn.net/Vulnerabilities/654283/

Debian has issued an advisory for this on August 12:
https://www.debian.org/security/2015/dsa-3334

(In reply to David Walser from comment #9)
> (In reply to David Walser from comment #8)
> > An additional issue has been fixed upstream and designated GNUTLS-SA-2015-3:
> > http://openwall.com/lists/oss-security/2015/08/10/1
> > 
> > A CVE has been requested for the issue in the message above.
> > 
> > Patched checked into Mageia 4, Mageia 5, and Cauldron SVN.
> 
> LWN reference:
> http://lwn.net/Vulnerabilities/654283/
> 
> Debian has issued an advisory for this on August 12:
> https://www.debian.org/security/2015/dsa-3334

Finally assigned CVE-2015-6251:
http://openwall.com/lists/oss-security/2015/08/17/6

GNUTLS-SA-2015-2 will apparently not be receiving a CVE.

There are apparently build system issues, so I will push this update tomorrow (if I remember), but here's the advisory:

Advisory:
========================

Updated gnutls packages fix security vulnerabilities:

It was reported that GnuTLS does not check whether the two signature
algorithms match on certificate import (CVE-2015-0294).

Kurt Roeckx discovered that decoding a specific certificate with very long
DistinguishedName (DN) entries leads to double free. A remote attacker can
take advantage of this flaw by creating a specially crafted certificate that,
when processed by an application compiled against GnuTLS, could cause the
application to crash resulting in a denial of service (CVE-2015-6251).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6251
https://www.debian.org/security/2015/dsa-3191
https://www.debian.org/security/2015/dsa-3334

Summary: gnutls new security issue CVE-2015-0294 => gnutls new security issues CVE-2015-0294 and CVE-2015-6251

Patched packages uploaded for Mageia 4 and Mageia 5.  Advisory in Comment 10.

Updated packages in core/updates_testing:
========================
gnutls-3.2.7-1.7.mga4
libgnutls28-3.2.7-1.7.mga4
libgnutls-ssl27-3.2.7-1.7.mga4
libgnutls-xssl0-3.2.7-1.7.mga4
libgnutls-devel-3.2.7-1.7.mga4
gnutls-3.2.21-1.1.mga5
libgnutls28-3.2.21-1.1.mga5
libgnutls-ssl27-3.2.21-1.1.mga5
libgnutls-xssl0-3.2.21-1.1.mga5
libgnutls-devel-3.2.21-1.1.mga5

from SRPMS:
gnutls-3.2.7-1.7.mga4.src.rpm
gnutls-3.2.21-1.1.mga5.src.rpm

Assignee: bugsquad => qa-bugs

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
gnutls libgnutls-ssl27 libgnutls28

default install of gnutls libgnutls-ssl27 & libgnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.7-1.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.2.7-1.4.mga4.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:...........

ctrl-z out

install gnutls libgnutls-ssl27 & libgnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.7.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.7-1.7.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.2.7-1.7.mga4.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.........

CC: (none) => wilcal.int

In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
gnutls lib64gnutls-ssl27 lib64gnutls28

default install of gnutls lib64gnutls-ssl27 & lib64gnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.7-1.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.7-1.4.mga4.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.........

ctrl-z out

install gnutls lib64gnutls-ssl27 & lib64gnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.7.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.7-1.7.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.7-1.7.mga4.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.........

update successful

Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK

In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
gnutls libgnutls-ssl27 libgnutls28

default install of gnutls libgnutls-ssl27 & libgnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.21-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.21-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.2.21-1.mga5.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.........

ctrl-z out

install gnutls libgnutls-ssl27 & libgnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.21-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.21-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.2.21-1.1.mga5.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.........

update successful

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK

In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
gnutls lib64gnutls-ssl27 lib64gnutls28

default install of gnutls lib64gnutls-ssl27 & lib64gnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.21-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.21-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.21-1.mga5.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.........

ctrl-z out

install gnutls lib64gnutls-ssl27 & lib64gnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.21-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.21-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.21-1.1.mga5.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 205 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '212.85.158.146:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:

update successful

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK

This update works fine.
Testing complete for mga4 32-bit & 64-bit
Testing complete for mga5 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Before sysadmins push the update, someone from QA must upload the advisory to SVN.

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0322.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED