Bug 802651 (CVE-2013-1619)

Summary: VUL-0: CVE-2013-1619: gnutls: 3.1.7/3.0.28/2.12.23 release (lucky thirteen 13)
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
See Also: http://bugzilla.suse.com/show_bug.cgi?id=1105460
Whiteboard: maint:released:sle11-sp2:52236 maint:released:sle10-sp3:56480 maint:released:sles9:57698
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: extracted git patch
gnutls-CVE-2013-1619-lucky13.patch

Description Marcus Meissner 2013-02-07 17:14:29 UTC 
is public, via oss-sec and gnutls.org.

CVE-2013-1619
"The GnuTLS implementation of MEE-TLS-CBC deals with bad padding
in a different way to that recommended in the RFCs: instead of
assuming zero-length padding, it uses the last byte of plaintext 
to determine how many plaintext bytes to remove (whether or not
those bytes are correctly formatted padding). ... This indicates
that ignoring the recommendations of the RFCs can have severe
security consequences."

http://www.gnutls.org/security.html#GNUTLS-SA-2013-1

http://nmav.gnutls.org/2013/02/time-is-money-for-cbc-ciphersuites.html
Comment 1 Swamp Workflow Management 2013-02-07 17:16:15 UTC 
The SWAMPID for this issue is 51098.
This issue was rated as moderate.
Please submit fixed packages until 2013-02-21.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Marcus Meissner 2013-02-07 17:21:20 UTC 
From Matthias Weckbecker:

b8391806cd79095fe566f2401d8c7ad85a64b198 seems to be the commit for GnuTLS
that fixes the issue.

https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0                                                                 
https://gitorious.org/gnutls/gnutls/commit/b8391806cd79095fe566f2401d8c7ad85a64b198
Comment 3 Swamp Workflow Management 2013-02-07 23:00:53 UTC 
bugbot adjusting priority
Comment 4 Shawn Chang 2013-02-12 17:57:19 UTC 
thanks for the info, Matthias. I'm working on it.
Comment 6 Marcus Meissner 2013-04-23 14:53:19 UTC 
the core patch seems to be 

commit 328ee22c1b3951e060c7124c7cb1cee592c59bc0
Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Mon Feb 4 03:08:04 2013 +0100

    Fixes to avoid a timing attack in TLS CBC record parsing.
Comment 7 Marcus Meissner 2013-04-23 15:06:02 UTC 
2.12.x branch has:
commit 458c67cf98740e7b12404f6c30e0d5317d56fd30
Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Mon Feb 4 03:08:04 2013 +0100

    Fixes to avoid a timing attack in TLS CBC record parsing.

and
commit 93b7fcfa3297a9123630704668b2946f602b910e
Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Mon Feb 4 09:39:42 2013 +0100

    corrected fix




git diff 433bc2bdc118ac3b8a83a5fb7d41b3cecdd73cc9..93b7fcfa3297a9123630704668b2946f602b910e
Comment 8 Marcus Meissner 2013-04-23 15:09:32 UTC 
Created attachment 536518 [details]
extracted git patch

patch from above git diff, minus unnecessary parts
Comment 16 Swamp Workflow Management 2013-04-30 17:01:19 UTC 
Update released for: gnutls, gnutls-32bit, gnutls-64bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit, gnutls-devel-64bit, gnutls-x86
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 17 Swamp Workflow Management 2013-04-30 17:04:34 UTC 
Update released for: gnutls, gnutls-32bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 18 Swamp Workflow Management 2013-04-30 17:04:54 UTC 
Update released for: gnutls, gnutls-devel
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 19 Swamp Workflow Management 2013-04-30 17:05:15 UTC 
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 20 Swamp Workflow Management 2013-04-30 17:20:21 UTC 
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 21 Alexander Bergmann 2013-05-02 08:08:59 UTC 
openSUSE:12.1:Update: no fix
openSUSE:12.2: no fix
openSUSE:12.3: fix included in gnutls-3.0.28
Comment 23 Bernhard Wiedemann 2013-05-02 14:00:08 UTC 
This is an autogenerated message for OBS integration:
This bug (802651) was mentioned in
https://build.opensuse.org/request/show/174317 Maintenance /
Comment 24 Bernhard Wiedemann 2013-05-02 15:00:15 UTC 
This is an autogenerated message for OBS integration:
This bug (802651) was mentioned in
https://build.opensuse.org/request/show/174319 Maintenance / 
https://build.opensuse.org/request/show/174320 Maintenance /
Comment 25 Swamp Workflow Management 2013-05-17 18:05:25 UTC 
openSUSE-SU-2013:0807-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 802651
CVE References: CVE-2013-1619
Sources used:
openSUSE 12.2 (src):    gnutls-3.0.20-1.4.1
openSUSE 12.1 (src):    gnutls-3.0.3-5.15.1
Comment 26 Marcus Meissner 2013-06-14 04:06:52 UTC 
released
Comment 27 Swamp Workflow Management 2014-03-03 20:46:47 UTC 
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 28 Swamp Workflow Management 2014-03-03 20:52:29 UTC 
Update released for: gnutls, gnutls-32bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit, gnutls-x86
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 29 Swamp Workflow Management 2014-03-04 00:06:13 UTC 
SUSE-SU-2014:0320-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (critical)
Bug References: 536809,554084,659128,739898,753301,754223,802651,821818,865804,865993
CVE References: CVE-2009-5138,CVE-2011-4108,CVE-2012-0390,CVE-2012-1569,CVE-2012-1573,CVE-2013-0169,CVE-2013-1619,CVE-2013-2116,CVE-2014-0092
Sources used:
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    gnutls-1.2.10-13.38.1
Comment 30 Swamp Workflow Management 2014-03-04 00:07:34 UTC 
SUSE-SU-2014:0322-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (critical)
Bug References: 760265,802651,821818,835760,865804,865993
CVE References: CVE-2009-5138,CVE-2013-1619,CVE-2013-2116,CVE-2014-0092
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    gnutls-2.4.1-24.39.49.1
Comment 32 Swamp Workflow Management 2014-06-16 12:47:56 UTC 
Update released for: gnutls, gnutls-devel
Products:
SUSE-CORE 9-LTSS (i386, s390, s390x, x86_64)
Comment 33 Swamp Workflow Management 2014-06-16 16:04:50 UTC 
SUSE-SU-2014:0800-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 554084,670152,802651,880730,880910
CVE References: CVE-2013-1619,CVE-2014-3466,CVE-2014-3467,CVE-2014-3468,CVE-2014-3469
Sources used:
SUSE CORE 9 (src):    gnutls-1.0.8-26.32