Bug 13457 - gnutls new security issues CVE-2014-3465 and CVE-2014-3466
Summary: gnutls new security issues CVE-2014-3465 and CVE-2014-3466
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/601058/
Whiteboard: MGA3TOO advisory mga3-32-ok MGA4-64-O...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-05-30 17:08 CEST by David Walser
Modified: 2014-06-03 18:41 CEST (History)

See Also:
Source RPM: gnutls-3.2.7-1.2.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-05-30 17:08:48 CEST
Security issues fixed upstream in gnutls have been made public today (May 30):
http://openwall.com/lists/oss-security/2014/05/30/2

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated gnutls packages fix security vulnerabilities:

A NULL pointer dereference flaw was discovered in GnuTLS's
gnutls_x509_dn_oid_name().  The function, when called with the
GNUTLS_X509_DN_OID_RETURN_OID flag, should not return NULL to its caller.
However, it could previously return NULL when parsed X.509 certificates
included specific OIDs (CVE-2014-3465).

A flaw was found in the way GnuTLS parsed session ids from Server Hello
packets of the TLS/SSL handshake.  A malicious server could use this flaw to
send an excessively long session id value and trigger a buffer overflow in a
connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly,
execute arbitrary code (CVE-2014-3466).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3465
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3466
http://www.gnutls.org/security.html#GNUTLS-SA-2014-3
========================

Updated packages in core/updates_testing:
========================
gnutls-3.1.16-1.3.mga3
libgnutls28-3.1.16-1.3.mga3
libgnutls-ssl27-3.1.16-1.3.mga3
libgnutls-xssl0-3.1.16-1.3.mga3
libgnutls-devel-3.1.16-1.3.mga3
gnutls-3.2.7-1.3.mga4
libgnutls28-3.2.7-1.3.mga4
libgnutls-ssl27-3.2.7-1.3.mga4
libgnutls-xssl0-3.2.7-1.3.mga4
libgnutls-devel-3.2.7-1.3.mga4

from SRPMS:
gnutls-3.1.16-1.3.mga3.src.rpm
gnutls-3.2.7-1.3.mga4.src.rpm

Comment 1 David Walser 2014-05-30 17:10:18 CEST
PoC for CVE-2014-3466:
https://www.gitorious.org/gnutls/gnutls/raw/a7be326f0e33cf7ce52b36474c157f782d9ca977:tests/long-session-id.c

Download that file and save as long-session-id.c.  Make sure you have libgnutls-devel installed.  Compile as follows:
gcc -o long-session-id long-session-id.c -lgnutls

Then execute the binary:
./long-session-id

If vulnerable, you get "Child died with sigsegv"

Whiteboard: (none) => MGA3TOO

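The advisory text and the PoC above describe the bug class rather than showing it, so here is an added example (not GnuTLS code, and not the long-session-id.c test from the gitorious link) of the check a ServerHello parser must make. TLS defines SessionID as at most 32 bytes while the wire length byte can encode up to 255, so a parser that copies into a fixed 32-byte buffer before bounding the peer-supplied length is the pattern the advisory describes. The structure layout, function names and the constructed ServerHello bytes are this example's own assumptions, not GnuTLS internals.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS_MAX_SESSION_ID_SIZE 32   /* RFC 5246: SessionID is opaque<0..32> */
#define TLS_RANDOM_SIZE 32

/* Hypothetical client-side state; the 32-byte session_id buffer is the
 * fixed-size destination that an unbounded memcpy would overrun. */
struct server_hello {
    uint8_t  version[2];
    uint8_t  random[TLS_RANDOM_SIZE];
    uint8_t  session_id[TLS_MAX_SESSION_ID_SIZE];
    size_t   session_id_len;
    uint16_t cipher_suite;
    uint8_t  compression;
};

/* Parse a ServerHello body (RFC 5246 7.4.1.3), extensions omitted:
 *   server_version (2) | random (32) | session_id (1-byte len + 0..32)
 *   | cipher_suite (2) | compression_method (1)
 * Returns 0 on success, -1 if truncated, -2 if the session id length is
 * illegal. */
int parse_server_hello(const uint8_t *buf, size_t len, struct server_hello *sh)
{
    size_t pos = 0;
    if (len < 2 + TLS_RANDOM_SIZE + 1) return -1;
    memcpy(sh->version, buf + pos, 2); pos += 2;
    memcpy(sh->random, buf + pos, TLS_RANDOM_SIZE); pos += TLS_RANDOM_SIZE;

    size_t sid_len = buf[pos++];
    /* The bound whose absence is the bug class: sid_len is attacker
     * controlled (0..255) and the destination holds 32 bytes, so it must be
     * rejected BEFORE any copy. Without this line, sid_len = 255 writes
     * 223 bytes past session_id. */
    if (sid_len > TLS_MAX_SESSION_ID_SIZE) return -2;
    if (len < pos + sid_len + 2 + 1) return -1;

    memcpy(sh->session_id, buf + pos, sid_len);
    sh->session_id_len = sid_len; pos += sid_len;
    sh->cipher_suite = (uint16_t)((buf[pos] << 8) | buf[pos + 1]); pos += 2;
    sh->compression = buf[pos];
    return 0;
}

/* Constructed ServerHello from the malicious server's side, carrying an
 * arbitrary session id length byte. Returns bytes written, 0 if cap is too
 * small. Random, cipher suite and compression values are placeholders. */
size_t build_server_hello(uint8_t *out, size_t cap, uint8_t sid_len)
{
    size_t need = 2 + TLS_RANDOM_SIZE + 1 + sid_len + 2 + 1;
    if (cap < need) return 0;
    size_t pos = 0;
    out[pos++] = 0x03; out[pos++] = 0x03;                 /* TLS 1.2 */
    memset(out + pos, 0x41, TLS_RANDOM_SIZE); pos += TLS_RANDOM_SIZE;
    out[pos++] = sid_len;
    memset(out + pos, 0x5a, sid_len); pos += sid_len;     /* session id bytes */
    out[pos++] = 0xc0; out[pos++] = 0x2f;                 /* a cipher suite id */
    out[pos++] = 0x00;                                    /* null compression */
    return pos;
}

/* Verdict of the parser for a ServerHello whose session id is sid_len bytes:
 * 0 accepted, -2 rejected as illegal, -1 truncated. */
int verdict_for_session_id_len(uint8_t sid_len)
{
    uint8_t msg[2 + TLS_RANDOM_SIZE + 1 + 255 + 2 + 1];
    struct server_hello sh;
    memset(&sh, 0, sizeof sh);
    size_t n = build_server_hello(msg, sizeof msg, sid_len);
    return parse_server_hello(msg, n, &sh);
}

int main(void)
{
    printf("session_id_len=32  -> %d\n", verdict_for_session_id_len(32));
    printf("session_id_len=255 -> %d\n", verdict_for_session_id_len(255));
    return 0;
}
```

The check corresponds to the "Handshake failed (expected)" result reported for the fixed packages below: the client refuses the handshake instead of copying the oversized session id.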
Comment 2 Arnaud Vacquier 2014-05-31 20:50:03 CEST
Hi,

I tried to compile but I got an error:

# urpmi gnutls

    $MIRRORLIST: media/core/updates/gnutls-3.2.7-1.2.mga4.x86_64.rpm
installing gnutls-3.2.7-1.2.mga4.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ##################################################
      1/1: gnutls                ##################################################


# LC_ALL=C gcc -o long-session-id long-session-id.c -lgnutls
long-session-id.c:46:27: fatal error: gnutls/gnutls.h: No such file or directory
 #include <gnutls/gnutls.h>
                           ^
compilation terminated.

CC: (none) => aranud

Comment 3 Thomas Backlund 2014-05-31 20:55:44 CEST
For that to work you need to install gnutls-devel

CC: (none) => tmb

Comment 4 Arnaud Vacquier 2014-05-31 20:57:49 CEST
Oops, sorry, I didn't see that the devel package had to be installed... :/

Before update :

# LC_ALL=C  ./long-session-id
memory was overwritten
Child died with sigsegv

After :
# urpmi gnutls
Package gnutls-3.2.7-1.3.mga4.x86_64 is already installed
# LC_ALL=C  ./long-session-id
client: Handshake failed (expected)
GnuTLS error: A record packet with illegal version was received.

So it fails; I tried to recompile but it is the same.
Comment 5 Thomas Backlund 2014-05-31 21:05:22 CEST
No, the fix worked.

before you got:
memory was overwritten

- overwriting memory is always bad.

and:
Child died with sigsegv

- here it crashed



after you got:
client: Handshake failed (expected)

- this confirms it refused the broken handshake

and:
GnuTLS error: A record packet with illegal version was received.

- this is gnutls informing about an illegal attempt that it ignores
Comment 6 Arnaud Vacquier 2014-05-31 21:19:05 CEST
OK so, Mageia 3+4 x86_64 are OK:

Before :
# LC_ALL=C gcc -o long-session-id long-session-id.c -lgnutls
# ./long-session-id
memory was overwritten
Child died with sigsegv
# urpmi gnutls
Package gnutls-3.1.16-1.2.mga3.x86_64 is already installed

After :
# urpmi gnutls
Package gnutls-3.1.16-1.3.mga3.x86_64 is already installed
# ./long-session-id
client: Handshake failed (expected)
GnuTLS error: A record packet with illegal version was received.

Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK MGA3-64-OK

Comment 7 Arnaud Vacquier 2014-06-01 00:19:08 CEST
In VT for Mageia 4 i586, OK:

$ wget https://www.gitorious.org/gnutls/gnutls/raw/a7be326f0e33cf7ce52b36474c157f782d9ca977:tests/long-session-id.c
--2014-06-01 00:09:24--  https://www.gitorious.org/gnutls/gnutls/raw/a7be326f0e33cf7ce52b36474c157f782d9ca977:tests/long-session-id.c
Resolving www.gitorious.org (www.gitorious.org)... 87.238.52.168, 2a02:c0:1014::1
Connecting to www.gitorious.org (www.gitorious.org)|87.238.52.168|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6927 (6.8K) [text/plain]
Saving to: "long-session-id.c"

100%[======================================>] 6,927       --.-K/s   in 0s      

2014-06-01 00:09:26 (209 MB/s) - "long-session-id.c" saved [6927/6927]

[mageia@localhost ~]$ gcc -o long-session-id long-session-id.c -lgnutls
[mageia@localhost ~]$ ./long-session-id
Child died with sigsegv
[mageia@localhost ~]$ su
Password: 
[root@localhost mageia]# urpmi gnutls
Package gnutls-3.2.7-1.3.mga4.i586 is already installed
[root@localhost mageia]# ./long-session-id
client: Handshake failed (expected)
GnuTLS error: A record packet with illegal version was received.

Whiteboard: MGA3TOO MGA4-64-OK MGA3-64-OK => MGA3TOO MGA4-64-OK MGA3-64-OK MGA4-32-OK

Comment 8 claire robinson 2014-06-02 14:14:55 CEST
Testing complete mga3 32. 

Well done Arnaud for the rest.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-64-OK MGA3-64-OK MGA4-32-OK => MGA3TOO advisory mga3-32-ok MGA4-64-OK MGA3-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 9 David Walser 2014-06-02 14:20:40 CEST
gnutls uses libtasn1, so if this has been tested, you could validate Bug 13456 as well.
Comment 10 claire robinson 2014-06-02 14:37:39 CEST
Forgot this bit!

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 11 claire robinson 2014-06-02 14:43:57 CEST
Sorry David, cross posted. I think we have a procedure for libtasn1
Comment 12 David Walser 2014-06-02 14:56:03 CEST
(In reply to claire robinson from comment #11)
> Sorry David, cross posted. I think we have a procedure for libtasn1

Yes you created one for a previous update.  Hopefully we can release these two together.
David Walser 2014-06-02 19:58:54 CEST

URL: (none) => http://lwn.net/Vulnerabilities/601058/

Comment 13 Thomas Backlund 2014-06-02 20:50:11 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0248.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 14 David Walser 2014-06-03 18:41:23 CEST
LWN reference for CVE-2014-3465:
http://lwn.net/Vulnerabilities/601140/
