Bug 14527 - gnutls new security issue CVE-2014-8564
Summary: gnutls new security issue CVE-2014-8564
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/619816/
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4...
Keywords: validated_update
Depends on:
Blocks:
Reported: 2014-11-13 15:53 CET by David Walser
Modified: 2014-11-15 19:32 CET (History)

See Also:
Source RPM: gnutls-3.2.7-1.3.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-11-13 15:53:45 CET
Red Hat has issued an advisory on November 12:
https://rhn.redhat.com/errata/RHSA-2014-1846.html

Freeze push request sent for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated gnutls packages fix security vulnerability:

An out-of-bounds memory write flaw was found in the way GnuTLS parsed
certain ECC (Elliptic Curve Cryptography) certificates or certificate
signing requests (CSR). A malicious user could create a specially crafted
ECC certificate or a certificate signing request that, when processed by an
application compiled against GnuTLS (for example, certtool), could cause
that application to crash or execute arbitrary code with the permissions of
the user running the application (CVE-2014-8564).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8564
http://www.gnutls.org/security.html#GNUTLS-SA-2014-5
https://rhn.redhat.com/errata/RHSA-2014-1846.html
========================

Updated packages in core/updates_testing:
========================
gnutls-3.1.16-1.4.mga3
libgnutls28-3.1.16-1.4.mga3
libgnutls-ssl27-3.1.16-1.4.mga3
libgnutls-xssl0-3.1.16-1.4.mga3
libgnutls-devel-3.1.16-1.4.mga3
gnutls-3.2.7-1.4.mga4
libgnutls28-3.2.7-1.4.mga4
libgnutls-ssl27-3.2.7-1.4.mga4
libgnutls-xssl0-3.2.7-1.4.mga4
libgnutls-devel-3.2.7-1.4.mga4

from SRPMS:
gnutls-3.1.16-1.4.mga3.src.rpm
gnutls-3.2.7-1.4.mga4.src.rpm

David Walser 2014-11-13 15:53:51 CET

Whiteboard: (none) => MGA3TOO

Comment 1 William Kenney 2014-11-13 19:33:14 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
gnutls libgnutls-ssl27

default install of gnutls & libgnutls-ssl27

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.7-1.3.mga4.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:...........

install gnutls & libgnutls-ssl27 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.4.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.2.7-1.4.mga4.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 2 William Kenney 2014-11-13 19:53:52 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
gnutls lib64gnutls-ssl27 lib64gnutls28

default install of gnutls lib64gnutls-ssl27 & lib64gnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.7-1.3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.7-1.3.mga4.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:...........

install gnutls lib64gnutls-ssl27 & lib64gnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.2.7-1.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.2.7-1.4.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.2.7-1.4.mga4.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:.......

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
William Kenney 2014-11-13 19:56:02 CET

Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK MGA4-64-OK

Comment 3 Rémi Verschelde 2014-11-14 12:07:51 CET
Advisory uploaded.

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK advisory

Comment 4 David Walser 2014-11-14 16:10:39 CET
Thanks for the testing hit, William.

I have a local HTTPS webserver with our own cacert that we use, so using a local copy of that cacert file, I did something like this:

gnutls-cli --x509cafile=cacert.pem lms.example.net

and then after it verified the cert I typed:

GET / HTTP/1.0


(with two hard returns after) and it printed the contents of the index page.  It always finishes with:
*** Fatal error: The TLS connection was non-properly terminated.
*** Server has terminated the connection abnormally.

I'm not sure why, but it's not a regression.

Unfortunately gnutls-cli doesn't respect the proxy environment variables, so I can't test it against www.mageia.org from here, but it should already be signed by a trusted CA, so the command William used plus the GET string I showed should be enough to get Mageia.org's index page successfully.

Testing complete Mageia 3 i586.

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK advisory => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK advisory
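
The manual check described in comment 4 (connect with gnutls-cli, send a GET, confirm the certificate verified and a page came back, ignore the trailing "non-properly terminated" error) as a script. This is an added example, not part of the bug report or of the gnutls package; the gnutls-cli output strings it matches on ("Peer's certificate is trusted" / "NOT trusted") are assumed from gnutls 3.x and are not quoted on the page.

```shell
#!/bin/sh
# Added example: scripted form of the has_procedure check from comment 4.

# Send a minimal HTTP/1.0 request through gnutls-cli and capture all output.
# $1 = host, $2 = optional CA file (the --x509cafile from comment 4). Needs network.
fetch_index() {
    host="$1"; cafile="${2:-}"
    if [ -n "$cafile" ]; then
        printf 'GET / HTTP/1.0\r\n\r\n' | gnutls-cli --x509cafile="$cafile" "$host" 2>&1
    else
        printf 'GET / HTTP/1.0\r\n\r\n' | gnutls-cli "$host" 2>&1
    fi
}

# Classify captured gnutls-cli output. Prints one word and sets the exit status:
#   ok        (0) certificate verified and an HTTP status line came back
#   untrusted (1) verification failed or was never reported; treat as a real failure
#   no-page   (2) verified, but no HTTP response line was seen
# The "*** Fatal error: The TLS connection was non-properly terminated." line
# at the end is expected and not a regression (comment 4), so it is ignored.
classify() {
    out="$1"
    if printf '%s\n' "$out" | grep -q "certificate is NOT trusted"; then
        echo untrusted; return 1
    fi
    # Assumed gnutls 3.x wording; absence is treated as failure, not success.
    if ! printf '%s\n' "$out" | grep -q "certificate is trusted"; then
        echo untrusted; return 1
    fi
    if printf '%s\n' "$out" | grep -q '^HTTP/1\.[01] [0-9][0-9][0-9]'; then
        echo ok; return 0
    fi
    echo no-page; return 2
}

# Usage on a live system: classify "$(fetch_index www.mageia.org)"
```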

Comment 5 William Kenney 2014-11-14 16:34:40 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
gnutls libgnutls-ssl27 libgnutls28

default install of gnutls libgnutls-ssl27 & libgnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.1.16-1.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.1.16-1.3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.1.16-1.3.mga3.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:...........

install gnutls libgnutls-ssl27 & libgnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.1.16-1.4.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls-ssl27
Package libgnutls-ssl27-3.1.16-1.4.mga3.i586 is already installed
[root@localhost wilcal]# urpmi libgnutls28
Package libgnutls28-3.1.16-1.4.mga3.i586 is already installed

[root@localhost wilcal]# gnutls-cli www.mageia.org
Processed 198 CA certificate(s).
Resolving 'www.mageia.org'...
Connecting to '2a02:2178:2:7::2:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:........

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 6 William Kenney 2014-11-14 16:52:07 CET
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
gnutls lib64gnutls-ssl27 lib64gnutls28

default install of gnutls lib64gnutls-ssl27 & lib64gnutls28

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.1.16-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.1.16-1.3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.1.16-1.3.mga3.x86_64 is already installed

[wilcal@localhost ~]$ gnutls-cli google.com
Processed 198 CA certificate(s).
Resolving 'google.com'...
Connecting to '2607:f8b0:4000:800::1005:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:........

install gnutls lib64gnutls-ssl27 & lib64gnutls28 from updates_testing

[root@localhost wilcal]# urpmi gnutls
Package gnutls-3.1.16-1.4.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls-ssl27
Package lib64gnutls-ssl27-3.1.16-1.4.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64gnutls28
Package lib64gnutls28-3.1.16-1.4.mga3.x86_64 is already installed

[root@localhost wilcal]# gnutls-cli google.com
Processed 198 CA certificate(s).
Resolving 'google.com'...
Connecting to '2607:f8b0:4000:809::1001:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:........

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 7 William Kenney 2014-11-14 16:53:43 CET
This update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK advisory => MGA3TOO has_procedure MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2014-11-15 19:32:36 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0458.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
