| Summary: | gnutls new security issues CVE-2021-20231 and CVE-2021-20232 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, nicolas.salguero, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=28800 | ||
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | ||
| Source RPM: | gnutls-3.6.15-3.mga8.src.rpm | CVE: | CVE-2021-20231, CVE-2021-20232 |
| Status comment: | |||
Description
David Walser
2021-05-29 19:56:31 CEST
David Walser
2021-05-29 19:56:51 CEST
CC:
(none) =>
geiger.david68210
David Walser
2021-05-29 19:59:17 CEST
See Also:
(none) =>
https://bugs.mageia.org/show_bug.cgi?id=28800

Variously maintained, so assigning globally. DavidG, a recent committer, is already CC'd.

Assignee:
bugsquad =>
pkg-bugs

openSUSE has issued an advisory for this on March 25:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LUDG7BXPVVVALM2YUCJ2EKIRBHFXMY75/

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences. (CVE-2021-20231)

A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences. (CVE-2021-20232)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20231
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20232
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OSLAE6PP33A7VYRYMYMUVB3U6B26GZER/
https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LUDG7BXPVVVALM2YUCJ2EKIRBHFXMY75/
========================

Updated packages in 7/core/updates_testing:
========================
gnutls-3.6.15-1.1.mga7
lib(64)gnutls30-3.6.15-1.1.mga7
lib(64)gnutlsxx28-3.6.15-1.1.mga7
lib(64)gnutls-devel-3.6.15-1.1.mga7

from SRPM:
gnutls-3.6.15-1.1.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
gnutls-3.6.15-3.1.mga8
lib(64)gnutls30-3.6.15-3.1.mga8
lib(64)gnutlsxx28-3.6.15-3.1.mga8
lib(64)gnutls-devel-3.6.15-3.1.mga8

from SRPM:
gnutls-3.6.15-3.1.mga8.src.rpm

Status:
NEW =>
ASSIGNED
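To check whether a host actually carries the fixed packages listed above, here is an added example (not part of this bug report and not Mageia's own tooling). It re-implements rpm's rpmvercmp() ordering in Python, including the tilde and caret rules, so that a release such as "3.1.mga8" is correctly ordered after "3.mga8", and compares an installed name-version-release string against the fixed versions taken from the package lists in this comment. The sample NEVR strings are constructed, and the rpm query at the bottom assumes an x86_64 Mageia host with rpm available; it is skipped quietly elsewhere.

```python
"""Check an installed gnutls package against the fixed versions from this advisory.

Added example, not from the bug report or from Mageia's tooling. It re-implements
rpm's rpmvercmp() ordering so releases like "3.1.mga8" and "3.mga8" compare the
way rpm itself orders them.
"""
import re
import subprocess
from typing import Optional

# Fixed version-release per Mageia release, from the "Updated packages" lists above.
FIXED = {"mga7": "3.6.15-1.1.mga7", "mga8": "3.6.15-3.1.mga8"}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def _is_token(c: str) -> bool:
    # rpm only looks at ASCII alphanumerics plus '~' and '^'; everything else is a separator.
    return c.isascii() and (c.isalnum() or c in "~^")


def rpmvercmp(a: str, b: str) -> int:
    """Return 1, 0 or -1 like rpm's rpmvercmp(a, b)."""
    if a == b:
        return 0
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        while ia < len(a) and not _is_token(a[ia]):
            ia += 1
        while ib < len(b) and not _is_token(b[ib]):
            ib += 1
        ca = a[ia] if ia < len(a) else ""
        cb = b[ib] if ib < len(b) else ""
        # '~' sorts before anything, even the end of the string (pre-release marker).
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            ia, ib = ia + 1, ib + 1
            continue
        # '^' sorts after the end of the string but before any real segment (post-release marker).
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            ia, ib = ia + 1, ib + 1
            continue
        if not ca or not cb:
            break
        sa = _SEGMENT.match(a, ia).group()
        sb = _SEGMENT.match(b, ib).group()
        ia, ib = ia + len(sa), ib + len(sb)
        if sa.isdigit() != sb.isdigit():
            return 1 if sa.isdigit() else -1  # a numeric segment beats an alphabetic one
        if sa.isdigit():
            if int(sa) != int(sb):
                return 1 if int(sa) > int(sb) else -1
        elif sa != sb:
            return 1 if sa > sb else -1
    if ia >= len(a) and ib >= len(b):
        return 0
    return -1 if ia >= len(a) else 1  # whichever side still has segments is newer


def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nevr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two NEVR strings by (epoch, version, release); the name is ignored."""
    _, ea, va, ra = parse_nevr(a)
    _, eb, vb, rb = parse_nevr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_nevr: str) -> Optional[bool]:
    """True if at or above the fixed version for its Mageia release, False if older,
    None if the release tag is not one this advisory covers."""
    name, _, _, release = parse_nevr(installed_nevr)
    m = re.search(r"\.(mga\d+)$", release)
    if not m or m.group(1) not in FIXED:
        return None
    return evr_cmp(installed_nevr, f"{name}-{FIXED[m.group(1)]}") >= 0


def installed_nevr(package: str) -> Optional[str]:
    """Ask rpm for the installed NEVR; None if rpm is absent or the package is not installed."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}\n", package],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.replace("(none):", "")  # rpm prints "(none)" for an unset epoch


if __name__ == "__main__":
    # Constructed samples: the version this bug's SRPM was built from, and the fixed one.
    for sample in ("lib64gnutls30-3.6.15-3.mga8", "lib64gnutls30-3.6.15-3.1.mga8"):
        print(sample, "fixed" if is_fixed(sample) else "VULNERABLE")
    live = installed_nevr("lib64gnutls30")  # assumption: x86_64 Mageia host with rpm
    if live is not None:
        verdict = {True: "fixed", False: "VULNERABLE", None: "release not covered here"}
        print(live, verdict[is_fixed(live)])
```

Comparing the full release string rather than just the upstream version matters here: both the vulnerable and the fixed Mageia 8 packages carry version 3.6.15, and only the release ("3.mga8" versus "3.1.mga8") tells them apart.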
David Walser
2021-06-24 00:57:48 CEST
Assignee:
pkg-bugs =>
qa-bugs
David Walser
2021-06-24 00:57:53 CEST
Status comment:
Fixed upstream in 3.7.1 =>
(none)

MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 27257 for testing

    $ gnutls-cli mach1
    Processed 128 CA certificate(s).
    Resolving 'mach1:443'...
    Connecting to '192.168.2.1:443'...
    - Certificate type: X.509
    - Got a certificate list of 1 certificates.
    - Certificate[0] info:
     - subject `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', issuer `EMAIL=root@localhost,OU=default httpd cert for localhost,CN=localhost', serial 0x2b26b631453768c44ab1a432961d780848570faf, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-04-06 11:45:22 UTC', expires `2022-04-06 11:45:22 UTC', pin-sha256="pvMLJ62KvViacXZFR/MDuWiWbWIvZhmbUIkRWjW08nA="
            Public Key ID:
                    sha1:0a76055c20ef7bac21648d9fe12caa4928c82799
                    sha256:a6f30b27ad8abd589a71764547f303b968966d622f66199b5089115a35b4f270
            Public Key PIN:
                    pin-sha256:pvMLJ62KvViacXZFR/MDuWiWbWIvZhmbUIkRWjW08nA=

    - Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
    *** PKI verification of server certificate failed...
    *** Fatal error: Error in the certificate.

    $ gnutls-serv
    Warning: no private key and certificate pairs were set.
    HTTP Server listening on IPv4 0.0.0.0 port 5556...done
    HTTP Server listening on IPv6 :: port 5556...done

Pointing the browser to http://localhost:5556/ got an answer, but only some binary data.
At the CLI I got this feedback:

    * Accepted connection from IPv6 ::1 port 41876 on Fri Jun 25 13:42:29 202
    |<0x1e54c70>| Received record packet of unknown type 71
    Error in handshake: An unexpected TLS packet was received.

Seems all the same as previous updates, thus OK for me.

CC:
(none) =>
herman.viaene

MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 27257 for testing
Repeated tests from Comment 4 with the same commands and the same results.
OK thus.

Whiteboard:
MGA7TOO MGA7-64-OK =>
MGA7TOO MGA7-64-OK MGA8-64-OK

Validating. Advisory in Comment 3.

Keywords:
(none) =>
validated_update
Aurelien Oudelet
2021-06-28 21:25:00 CEST
CVE:
(none) =>
CVE-2021-20231, CVE-2021-20232

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0291.html

Status:
ASSIGNED =>
RESOLVED