Bug 27257

Summary: gnutls new security issue CVE-2020-24659
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: gnutls-3.6.14-1.mga7.src.rpm CVE:
Status comment:
Bug Depends on: 26711    
Bug Blocks:    

Description David Walser 2020-09-08 00:07:33 CEST 
GnuTLS 3.6.15 has been released on September 4, fixing a security issue:
https://lists.gnupg.org/pipermail/gnutls-help/2020-September/004669.html
https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL
pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent
with unexpected timing, and then an invalid second handshake occurs. The crash
happens in the application's error handling path, where the gnutls_deinit
function is called after detecting a handshake failure (CVE-2020-24659).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24659
https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04
https://lists.gnupg.org/pipermail/gnutls-help/2020-September/004669.html
========================

Updated packages in core/updates_testing:
========================
libgnutls30-3.6.15-1.mga7
gnutls-3.6.15-1.mga7
gnutls-debuginfo-3.6.15-1.mga7
libgnutls-devel-3.6.15-1.mga7
libgnutlsxx28-3.6.15-1.mga7

from gnutls-3.6.15-1.mga7.src.rpm
Comment 1 Aurelien Oudelet 2020-09-08 14:59:52 CEST 
urpmi gnutls

    $MIRRORLIST: media/core/updates_testing/gnutls-3.6.15-1.mga7.x86_64.rpm
installation de gnutls-3.6.15-1.mga7.x86_64.rpm depuis /var/cache/urpmi/rpms                                                                               
Préparation...                   ######################################################################
      1/1: gnutls                ######################################################################
      1/1: désinstallation de gnutls-3.6.14-1.mga7.x86_64
                                 ######################################################################

This correctly installs version from Updates_testing. No errors.
Don't really know what to do. Don't have webserver to test.
Comment 2 PC LX 2020-09-11 10:43:57 CEST 
When selecting lib64gnutls30 or libgnutls30 packages for updating the following packages are pulled as well:
- lib64p11-kit0-0.23.21-1.mga7.x86_64
- libp11-kit0-0.23.21-1.mga7.i586
- p11-kit-0.23.21-1.mga7.x86_64

Is this correct? If yes, shouldn't these be a reference to those updated packages or a bug report for it?

CC: (none) => mageia

Comment 3 David Walser 2020-09-11 12:43:37 CEST 
Those are part of the Firefox update that won't be pushed soon.  Can you install this update without them (maybe using QArepo)?
Comment 4 PC LX 2020-09-11 16:35:51 CEST 
If I try to install without the p11 packages, urpmi complains about missing dependencies.
I'm not certain if it is a good idea to force install it.


$ LANGUAGE=C urpmi --test libgnutls30 lib64gnutls30 gnutls
Marking libgnutls30 as manually installed, it won't be auto-orphaned
To satisfy dependencies, the following packages are going to be installed:
(test only, installation will not be actually done)
  Package                        Version      Release       Arch    
(medium "Core Updates Testing")
  gnutls                         3.6.15       1.mga7        x86_64  
  lib64gnutls30                  3.6.15       1.mga7        x86_64  
  lib64p11-kit0                  0.23.21      1.mga7        x86_64  
  p11-kit                        0.23.21      1.mga7        x86_64  
(medium "Core 32bit Updates Testing")
  libgnutls30                    3.6.15       1.mga7        i586    
  libp11-kit0                    0.23.21      1.mga7        i586    
314KB of additional disk space will be used.
3.8MB of packages will be retrieved.
Proceed with the installation of the 6 packages? (Y/n) n
$ LANGUAGE=C urpmi --test libgnutls30 lib64gnutls30 gnutls --skip /p11/
Some requested packages cannot be installed:
lib64gnutls30-3.6.15-1.mga7.x86_64 (due to unsatisfied libp11-kit.so.0(LIBP11_KIT_1.0)(64bit))
libgnutls30-3.6.15-1.mga7.i586 (due to unsatisfied libp11-kit.so.0(LIBP11_KIT_1.0))
Continue installation anyway? (Y/n) n
$ rpm -qa | grep p11
lib64p11-kit0-0.23.15-1.mga7
p11-kit-0.23.15-1.mga7
libp11-kit0-0.23.15-1.mga7
Comment 5 David Walser 2020-09-11 19:39:22 CEST 
Ok thanks.  I might have to get a sysadmin to remove it and then rebuild it.

Keywords: (none) => feedback

Comment 6 David Walser 2020-09-22 19:51:47 CEST 
Ubuntu has issued an advisory for this on September 9:
https://ubuntu.com/security/notices/USN-4491-1

Severity: normal => major

Comment 7 David Walser 2020-09-23 23:28:21 CEST 
Interesting, rebuilt against the older p11-kit, there's a trust-store test in the test suite that fails.  So it probably needs the newer p11-kit to work right.  I'll just tie this to the Firefox update for now.

Depends on: (none) => 26711
Assignee: qa-bugs => luigiwalser
CC: (none) => qa-bugs
Keywords: feedback => (none)

Comment 8 David Walser 2020-09-24 15:10:37 CEST 
OK, packages rebuilt as they were.  Firefox update will block this one.

Assignee: luigiwalser => qa-bugs
CC: qa-bugs => (none)

Comment 9 Herman Viaene 2020-09-26 14:15:29 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 26444 for testing
$ gnutls-cli mach1
Processed 138 CA certificate(s).
Resolving 'mach1:443'...
Connecting to '192.168.2.1:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', issuer `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', serial 0x009c76e40ae9a19b84, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-07-15 11:00:35 UTC', expires `2021-07-15 11:00:35 UTC', pin-sha256="DSA4O9kfPOBXvObbW12wXwCy75xx24jAHjrnOufbcWc="
        Public Key ID:
                sha1:092b04ca202131dd0cc9f8eb6706e91e9bafc4cc
                sha256:0d20383bd91f3ce057bce6db5b5db05f00b2ef9c71db88c01e3ae73ae7db7167
        Public Key PIN:
                pin-sha256:DSA4O9kfPOBXvObbW12wXwCy75xx24jAHjrnOufbcWc=

- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

$ gnutls-serv 
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done
^CExiting via signal 2
[tester7@mach5 ~]$ gnutls-serv 
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done


pointed the browser to http://localhost:5556/ and got answer, but only some binary data.
OK for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Aurelien Oudelet 2020-09-27 19:41:39 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => ouaurelien, sysadmin-bugs

Comment 10 Mageia Robot 2020-09-30 12:02:58 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0379.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED