Bug 20417 - gnutls new security issue GNUTLS-SA-2017-3 and CVE-2017-7507
Summary: gnutls new security issue GNUTLS-SA-2017-3 and CVE-2017-7507
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://www.debian.org/security/2017/...
Whiteboard: MGA5-64-OK mga5-32-ok advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-03-08 02:48 CET by David Walser
Modified: 2017-07-22 11:43 CEST (History)
7 users

See Also:
Source RPM: gnutls-3.2.21-1.3.mga5.src.rpm
CVE: CVE-2017-7869, CVE-2017-7507
Status comment:



Description David Walser 2017-03-08 02:48:21 CET
Upstream has issued an advisory on March 6:
http://www.gnutls.org/security.html#GNUTLS-SA-2017-3

3.2.x is likely affected as well.
Comment 1 Marja van Waes 2017-03-08 09:30:53 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2017-03-21 14:14:56 CET
Hi,

Given that version 3.2.x has no upstream support and that version 3.3.x, which is maintained by upstream, is binary compatible with 3.2.x, maybe we should switch to 3.3.x rather than trying to backport security fixes into 3.2.x.  What do you think about that idea?

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 3 David Walser 2017-03-22 01:36:47 CET
I've thought about that.  I'm not sure it's that simple.  I believe 3.3.x uses nettle3 and not nettle2.7, and I'm not sure it's fully source compatible.
Comment 4 Nicolas Salguero 2017-03-22 09:46:44 CET
According to http://www.linuxfromscratch.org/blfs/view/7.7/postlfs/gnutls.html, version 3.3.x also requires nettle2.7 (whereas version 3.4.x and above requires nettle3).
Comment 5 Nicolas Salguero 2017-03-22 09:56:40 CET
I also found a link which can be useful: http://www.gnutls.org/abi-tracker/timeline/gnutls/
Comment 6 David Walser 2017-06-10 01:33:59 CEST
GNUTLS-SA-2017-4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K6EJKC5TAT25O4NQDPIFZ5T4EYT6SX2B/
http://www.gnutls.org/security.html#GNUTLS-SA-2017-4

I'm not 100% sure if it affects Mageia 5.

Summary: gnutls new security issue GNUTLS-SA-2017-3 => gnutls new security issue GNUTLS-SA-2017-3 and CVE-2017-7507

Comment 7 David Walser 2017-06-14 12:21:43 CEST
Ubuntu has issued an advisory for this on June 13:
https://www.ubuntu.com/usn/usn-3318-1/

It identifies CVE-2017-7869 as a subset of GNUTLS-SA-2017-3.
Comment 8 David Walser 2017-06-18 23:33:31 CEST
Debian advisory for CVE-2017-7507 from June 16:
https://www.debian.org/security/2017/dsa-3884
Zombie Ryushu 2017-06-19 10:02:21 CEST

CC: (none) => zombie_ryushu
URL: (none) => https://www.debian.org/security/2017/dsa-3884

Comment 9 David Walser 2017-07-16 00:30:47 CEST
openSUSE has issued an advisory for these issues today (July 15):
https://lists.opensuse.org/opensuse-updates/2017-07/msg00064.html

They patch gnutls 3.2, which we have in Mageia 5, so I guess it's affected then.
Comment 10 Nicolas Salguero 2017-07-17 10:01:29 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10. (CVE-2017-7869)

GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dereference while decoding a status response TLS extension with valid contents. This could lead to a crash of the GnuTLS server application. (CVE-2017-7507)

References:
https://lists.opensuse.org/opensuse-updates/2017-07/msg00064.html
http://www.gnutls.org/security.html#GNUTLS-SA-2017-3
http://www.gnutls.org/security.html#GNUTLS-SA-2017-4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7869
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7507
========================

Updated packages in core/updates_testing:
========================
gnutls-3.2.21-1.4.mga5
lib(64)gnutls28-3.2.21-1.4.mga5
lib(64)gnutls-ssl27-3.2.21-1.4.mga5
lib(64)gnutls-xssl0-3.2.21-1.4.mga5
lib(64)gnutls-devel-3.2.21-1.4.mga5

from SRPMS:
gnutls-3.2.21-1.4.mga5.src.rpm

Source RPM: gnutls-3.2.21-1.2.mga5.src.rpm => gnutls-3.2.21-1.3.mga5.src.rpm
CVE: (none) => CVE-2017-7869, CVE-2017-7507
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 11 Len Lawrence 2017-07-17 17:31:26 CEST
Wikipedia describes this package as "a free software implementation of the TLS, SSL and DTLS protocols. It offers an application programming interface (API) for applications to enable secure communication over the network transport layer...".  There is some discussion amongst SuSE contributors about reproducing the security issue(s) within a fuzzing test environment using gdb and ASAN in the analysis.  A test case is available.

All this makes it unlikely that QA can do much to test this so we have to fall back to the clean install scenario.  Note that mga6 has gnutls version 3.5.13-1.

sugar-presence-service requires gnutls but is yet another development system.

lib64gnutls28 is required by:
abiword
bitlbee
claws-mail
connman
emacs
empathy
filezilla
gtk-gnutella
pacemaker
prelude-manager
prelude-tools
qemu
systemd
taskserver
tigervnc
vino
webkit2
weechat
wine64
xen
xfce4-mailwatch-plugin
xombrero

among many other applications and libraries, but loading and running any of these is not going to guarantee that the gnutls components are exercised.

Installed the updates:

- gnutls-3.2.21-1.4.mga5.x86_64
- lib64gnutls-devel-3.2.21-1.4.mga5.x86_64
- lib64gnutls-ssl27-3.2.21-1.4.mga5.x86_64
- lib64gnutls-xssl0-3.2.21-1.4.mga5.x86_64
- lib64gnutls28-3.2.21-1.4.mga5.x86_64

Ran xombrero, a lightweight browser; typed apod into the search field, then selected a site from the Duck'a'gogo list and brought up Astronomy Picture of the Day, which was a YouTube video - that played fine.

Passing this for x86_64.

CC: (none) => tarazed25

Len Lawrence 2017-07-17 17:31:51 CEST

Whiteboard: (none) => MGA5-64-OK

Comment 12 Brian Rockwell 2017-07-21 23:50:40 CEST
$ uname -a
Linux localhost 4.4.74-desktop586-1.mga5 #1 SMP Mon Jun 26 07:48:29 UTC 2017 i686 i686 i686 GNU/Linux

The following 4 packages are going to be installed:

- gnutls-3.2.21-1.4.mga5.i586
- libgnutls-ssl27-3.2.21-1.4.mga5.i586
- libgnutls-xssl0-3.2.21-1.4.mga5.i586
- libgnutls28-3.2.21-1.4.mga5.i586

3.4MB of additional disk space will be used.

2MB of packages will be retrieved.

Is it ok to continue?


Installing xombrero

The following 4 packages are going to be installed:

- glib-networking-2.42.1-1.mga5.i586
- libbsd0-0.7.0-3.mga5.i586
- libglib-networking-2.42.1-1.mga5.i586
- xombrero-1.6.3-3.mga5.i586

887KB of additional disk space will be used.

349KB of packages will be retrieved.

Is it ok to continue?

I followed Len's lead as well as tried a few other websites using xombrero.  Seems to be working for me.

Whiteboard: MGA5-64-OK => MGA5-64-OK mga5-32-ok
CC: (none) => brtians1

Lewis Smith 2017-07-22 09:51:35 CEST

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: MGA5-64-OK mga5-32-ok => MGA5-64-OK mga5-32-ok advisory

Comment 13 Mageia Robot 2017-07-22 11:43:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0212.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
