Bug 12922 - gnutls new security issue CVE-2014-0092
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/589237/
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32...
Keywords: validated_update
Reported: 2014-03-03 16:52 CET by David Walser
Modified: 2014-03-05 12:19 CET (History)

Source RPM: gnutls-3.2.11-1.mga5.src.rpm

Description David Walser 2014-03-03 16:52:39 CET
Upstream has released new versions today (March 3), fixing a security issue:
http://openwall.com/lists/oss-security/2014/03/03/2

The issue is fixed in 3.1.22 and 3.2.12.

The commits that fix it...

3.1.x:
https://www.gitorious.org/gnutls/gnutls/commit/a79aed24327cfb2771062956399d5a54ede1e923

3.2.x:
https://www.gitorious.org/gnutls/gnutls/commit/855127da290a280df839038671ae6aba01957736

Comment 1 David Walser 2014-03-03 17:12:14 CET
Updated package uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

It was discovered that GnuTLS X.509 certificate verification code failed to
properly handle certain errors that can occur during the certificate
verification in GnuTLS before 3.1.22 and 3.2.12.  When such errors are
encountered, GnuTLS would report successful verification of the certificate,
even though verification should end with failure.  A specially-crafted
certificate can be accepted by GnuTLS as valid even if it wasn't issued by
any trusted Certificate Authority.  This can be used to perform
man-in-the-middle attacks against applications using GnuTLS (CVE-2014-0092).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
http://gnutls.org/security.html#GNUTLS-SA-2014-2
https://bugzilla.redhat.com/show_bug.cgi?id=1069865
========================

Updated packages in core/updates_testing:
========================
gnutls-3.1.16-1.2.mga3
libgnutls28-3.1.16-1.2.mga3
libgnutls-ssl27-3.1.16-1.2.mga3
libgnutls-xssl0-3.1.16-1.2.mga3
libgnutls-devel-3.1.16-1.2.mga3
gnutls-3.2.7-1.2.mga4
libgnutls28-3.2.7-1.2.mga4
libgnutls-ssl27-3.2.7-1.2.mga4
libgnutls-xssl0-3.2.7-1.2.mga4
libgnutls-devel-3.2.7-1.2.mga4

from SRPMS:
gnutls-3.1.16-1.2.mga3.src.rpm
gnutls-3.2.7-1.2.mga4.src.rpm
Comment 2 Marc Lattemann 2014-03-03 19:46:01 CET
No PoC found and no further information available for testing. Using this: https://bugs.mageia.org/show_bug.cgi?id=6911#c1 to show that the handshake works with "gnutls-cli www.mageia.org"

Testing on MGA3 32bit is working fine.
Comment 3 Marc Lattemann 2014-03-03 20:20:21 CET
Tested the same procedure with no findings on the following systems:
- MGA3 64bit
- MGA4 32bit
- MGA4 64bit

As long as there is no further test procedure, this update can be validated after the advisory is uploaded.
Comment 4 David Walser 2014-03-03 20:27:51 CET
Red Hat has issued an advisory for this:
https://rhn.redhat.com/errata/RHSA-2014-0246.html

Updating our advisory.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

It was discovered that GnuTLS did not correctly handle certain errors that
could occur during the verification of an X.509 certificate, causing it to
incorrectly report a successful verification. An attacker could use this
flaw to create a specially crafted certificate that could be accepted by
GnuTLS as valid for a site chosen by the attacker (CVE-2014-0092).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
http://gnutls.org/security.html#GNUTLS-SA-2014-2
https://rhn.redhat.com/errata/RHSA-2014-0246.html
Comment 5 Thomas Backlund 2014-03-03 20:39:40 CET
Advisory uploaded, validating
Comment 6 Thomas Backlund 2014-03-03 21:45:11 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0117.html
Comment 7 Manuel Hiebel 2014-03-05 12:19:54 CET
*** Bug 12940 has been marked as a duplicate of this bug. ***
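
Added example (not part of the original bug thread): a patch-status check built from the versions given in the description and in comment 1. Mageia 3 and 4 received the fix as a backport, so comparing only the upstream version against 3.1.22 / 3.2.12 would wrongly flag the patched builds; the function and table names are hypothetical.

```python
# Added example: classify a gnutls package build against CVE-2014-0092.
# Version data comes from this bug report; all names here are hypothetical.

# Upstream releases that carry the fix, keyed by (major, minor) series.
UPSTREAM_FIXED = {(3, 1): (3, 1, 22), (3, 2): (3, 2, 12)}

# Mageia patched the existing versions instead of upgrading, so the fix is
# identified by the release field: (upstream version, first fixed release).
MAGEIA_BACKPORT = {
    "mga3": ((3, 1, 16), (1, 2)),
    "mga4": ((3, 2, 7), (1, 2)),
}


def _nums(text):
    """Turn '3.1.16' into (3, 1, 16) for tuple comparison."""
    return tuple(int(part) for part in text.split("."))


def classify(nvr):
    """Return 'fixed-upstream', 'fixed-backport', 'vulnerable' or 'unknown'
    for a name-version-release string such as 'libgnutls28-3.1.16-1.2.mga3'."""
    try:
        _name, version, release = nvr.rsplit("-", 2)
        rel, dist = release.rsplit(".", 1)
        ver, rel = _nums(version), _nums(rel)
    except ValueError:
        return "unknown"  # not in name-version-release.dist form
    fixed = UPSTREAM_FIXED.get(ver[:2])
    if fixed is None:
        return "unknown"  # the report only names the 3.1.x and 3.2.x series
    if ver >= fixed:
        return "fixed-upstream"
    backport = MAGEIA_BACKPORT.get(dist)
    if backport and ver == backport[0] and rel >= backport[1]:
        return "fixed-backport"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample input. On a live system, produce the same form with
    # rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' <package>.
    for pkg in ("libgnutls28-3.1.16-1.1.mga3", "libgnutls28-3.1.16-1.2.mga3",
                "gnutls-3.2.7-1.2.mga4", "gnutls-3.2.11-1.mga5"):
        print(f"{pkg}: {classify(pkg)}")
```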