Bug 24066 - gnutls new security issue CVE-2018-16868
Summary: gnutls new security issue CVE-2018-16868
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-12-25 21:43 CET by David Walser
Modified: 2019-03-07 17:35 CET (History)
10 users (show)

See Also:
Source RPM: gnutls-3.5.13-1.1.mga6.src.rpm
CVE: CVE-2018-16868
Status comment:


Attachments

Description David Walser 2018-12-25 21:43:12 CET
Fedora has issued an advisory on December 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/INZ7O52ANE3RPKUWDI3TKPVVHQNKHVKY/

The issue is fixed upstream in 3.6.5.
Comment 1 Marja Van Waes 2018-12-26 07:58:39 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => guillomovitch, marja11, smelror, thierry.vignaud, tmb

Comment 2 Nicolas Salguero 2019-02-21 14:36:48 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server. (CVE-2018-16868)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16868
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/INZ7O52ANE3RPKUWDI3TKPVVHQNKHVKY/
========================

Updated packages in core/updates_testing:
========================
gnutls-3.5.13-1.2.mga6
lib(64)gnutls30-3.5.13-1.2.mga6
lib(64)gnutlsxx28-3.5.13-1.2.mga6
lib(64)gnutls-devel-3.5.13-1.2.mga6

from SRPMS:
gnutls-3.5.13-1.2.mga6.src.rpm

CC: (none) => nicolas.salguero
CVE: (none) => CVE-2018-16868
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 3 PC LX 2019-02-25 01:05:29 CET
Installed and tested without issues.

Tested by normal system use (lots of packages depend on gnutls) and explicitly tested with various applications (e.g. aria2c, mplayer, gnutls-cli). There were no issues.

System: Mageia 6, x86_64, Intel CPU.


$ uname -a
Linux marte 4.14.100-desktop-1.mga6 #1 SMP Fri Feb 15 09:29:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep gnutls | sort
gnutls-3.5.13-1.2.mga6
lib64glib-networking-gnutls-2.50.0-1.mga6
lib64gnutls30-3.5.13-1.2.mga6
libglib-networking-gnutls-2.50.0-1.mga6
libgnutls30-3.5.13-1.2.mga6
vlc-plugin-gnutls-3.0.5-2.mga6.tainted
$
$
$
$ LANGUAGE=C strace -o aria2c.log aria2c 'https://example.com/'
<SNIP>
(OK):download completed.
$ grep gnutls aria2c.log 
open("/usr/lib64/libgnutls.so.30", O_RDONLY|O_CLOEXEC) = 3
stat("/etc/gnutls/default-priorities", 0x7ffe2ee1c4c0) = -1 ENOENT (No such file or directory)
$
$
$
$ LANGUAGE=C strace -o mplayer.log mplayer 'https://example.com/example.mp4'
<SNIP>
Playing https://example.com/example.mp4.
libavformat version 57.71.100 (external)
[https @ 0x7f8246735840]HTTP error 404 Not Found
Failed to open https://example.com/example.mp4.
<SNIP>
$ grep gnutls mplayer.log
open("/lib64/libgnutls.so.30", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libgnutls.so.30.14.5", O_RDONLY) = 3
stat("/etc/gnutls/default-priorities", 0x7ffffb19ae80) = -1 ENOENT (No such file or directory)
$
$
$
$ gnutls-cli example.com
Processed 155 CA certificate(s).
Resolving 'example.com:443'...
Connecting to '93.184.216.34:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0fd078dd48f1a2bd4d0f2ba96b6038fe, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-11-28 00:00:00 UTC', expires `2020-12-02 12:00:00 UTC', pin-sha256="i9HalScvf6T/skE3/A7QOq5n5cTYs8UHNOEFCnkguSI="

Whiteboard: (none) => MGA6-64-OK
CC: (none) => mageia

Comment 4 Thomas Andrews 2019-03-04 15:36:52 CET
I'm going to call this enough. Validating. Suggested advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-03-06 22:24:42 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2019-03-07 17:35:47 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0103.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.