Bugzilla – Bug 1018832
VUL-0: CVE-2017-5335,CVE-2017-5336,CVE-2017-5337: gnutls: heap and stack overflows when decoding OpenPGP certificates (GNUTLS-SA-2017-2)
Last modified: 2020-06-16 22:06:43 UTC
It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted OpenPGP certificate could lead to heap and stack overflows.

Fixed upstream in GnuTLS 3.3.26 and 3.5.8.

Upstream recommendation / comment on the feature:
> The support of OpenPGP certificates in GnuTLS is considered obsolete.
> As such, it is not recommended to use OpenPGP certificates with GnuTLS.

References:
https://gnutls.org/security.html#GNUTLS-SA-2017-2
The following are the related upstream commits:
https://gitlab.com/gnutls/gnutls/commit/49be4f7b82eba2363bb8d4090950dad976a77a3a
https://gitlab.com/gnutls/gnutls/commit/5140422e0d7319a8e2fe07f02cbcafc4d6538732
https://gitlab.com/gnutls/gnutls/commit/94fcf1645ea17223237aaf8d19132e004afddc1a
All codestreams are affected:

SUSE:SLE-12:Update/gnutls in
 - gnutls-3.2.15/lib/opencdk/pubkey.c:529
 - gnutls-3.2.15/lib/opencdk/read-packet.c:488
 & more

SUSE:SLE-11:Update/gnutls in
 - gnutls-3.2.15/lib/opencdk/pubkey.c:1153
 - gnutls-2.4.1/lib/opencdk/read-packet.c:535
 & more

SUSE:SLE-10-SP3:Update/gnutls in
 - gnutls-1.2.10/libextra/opencdk/pubkey.c:979
 - gnutls-1.2.10/libextra/opencdk/read-packet.c:546
 & more
 code looks very different, possibly even worse issue here

openSUSE:13.2:Update/gnutls in
 - gnutls-3.2.18/lib/opencdk/pubkey.c:529
 - gnutls-3.2.18/lib/opencdk/read-packet.c:488
 & more
Given that upstream discourages the use of OpenPGP certificates we might consider passing --disable-openpgp-authentication to GnuTLS's configure call in the future, to avoid shipping vulnerable code at all.
bugbot adjusting priority
QA reproducers: All tested on SLE-12:Update:

Using openpgp-invalid1.pub from:
https://gitlab.com/gnutls/gnutls/blob/99ce602dbe1347483eb89b7f98081acda914454e/tests/cert-tests/data/openpgp-invalid1.pub
Running:
valgrind certtool --inraw --pgp-certificate-info --infile openpgp-invalid1.pub
Results in valgrind invalid read errors

Using openpgp-invalid2.pub from:
https://gitlab.com/gnutls/gnutls/blob/99ce602dbe1347483eb89b7f98081acda914454e/tests/cert-tests/data/openpgp-invalid2.pub
Running:
valgrind certtool --inraw --pgp-certificate-info --infile openpgp-invalid2.pub
Results in valgrind invalid read errors

Using openpgp-invalid3.pub from:
https://gitlab.com/gnutls/gnutls/blob/99ce602dbe1347483eb89b7f98081acda914454e/tests/cert-tests/data/openpgp-invalid3.pub
Running:
valgrind certtool --inraw --pgp-certificate-info --infile openpgp-invalid2.pub
Results in an infinite loop with 100 % CPU for me. Supposedly this should cause a memory error instead. May be related to other issues not yet resolved in our version of GnuTLS. This commit may be related to the infinite loop:
https://gitlab.com/gnutls/gnutls/commit/45991a484f5266a0bf42fddd01cd467ea23f5143

Using openpgp-invalid4.pub from:
https://gitlab.com/gnutls/gnutls/blob/99ce602dbe1347483eb89b7f98081acda914454e/tests/cert-tests/data/openpgp-invalid4.pub
Running:
valgrind --leak-check=full certtool --inraw --pgp-certificate-info --infile openpgp-invalid4.pub
*Should* result in an "out of memory error". It runs fine in my case, printing "GnuTLS internal error". No memory is lost according to valgrind. Only still reachable memory is left.
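A small harness around the reproducer steps in the QA comment above, added here as an example; it is not part of the bug report and not part of GnuTLS's own test suite. It assumes certtool, valgrind and timeout(1) are installed, that the four openpgp-invalid*.pub files linked above have been downloaded into the current directory, and that the script is saved as pgp-reproducer.sh; the time limit and the valgrind exit code are choices made here. Each file is run with a time limit, so the infinite loop seen with openpgp-invalid3.pub is reported as a hang instead of blocking the run, and valgrind's --error-exitcode turns invalid reads into a distinct verdict. The verdict mapping (classify_status, is_failure) is kept separate from the tool invocation so it can be checked without the tools present.

```shell
#!/bin/sh
# Added example (not from the bug report): run the QA reproducers under
# valgrind with a time limit and give a one-word verdict per test file.
# Assumptions: certtool, valgrind and timeout(1) installed; test files in
# the current directory; file saved as pgp-reproducer.sh.

TIME_LIMIT="${TIME_LIMIT:-30}"   # seconds before a run counts as a hang (chosen here)
VALGRIND_ERR_CODE=99             # exit code valgrind reports when it saw errors (chosen here)

# classify_status STATUS: map the exit status of
# `timeout ... valgrind --error-exitcode=99 ... certtool ...` to a verdict.
# timeout(1) exits 124 when the limit was hit; codes above 128 mean the
# process died from a signal; any other non-zero code is certtool itself
# rejecting the input, which is the expected outcome for a malformed cert.
classify_status() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "hang" ;;
        "$VALGRIND_ERR_CODE") echo "memory-error" ;;
        *)
            if [ "$1" -gt 128 ]; then
                echo "crash-signal-$(( $1 - 128 ))"
            else
                echo "rejected-exit-$1"
            fi
            ;;
    esac
}

# is_failure VERDICT: true for the outcomes the QA comment treats as bugs
# (invalid reads, a crash, or the infinite loop), false otherwise.
is_failure() {
    case "$1" in
        hang|memory-error|crash-signal-*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_reproducer FILE: run one certificate through certtool under valgrind
# and print "FILE VERDICT". Returns 2 if a required tool is missing.
run_reproducer() {
    command -v certtool >/dev/null 2>&1 || return 2
    command -v valgrind >/dev/null 2>&1 || return 2
    command -v timeout  >/dev/null 2>&1 || return 2
    timeout "$TIME_LIMIT" valgrind --quiet --error-exitcode="$VALGRIND_ERR_CODE" \
        certtool --inraw --pgp-certificate-info --infile "$1" >/dev/null 2>&1
    echo "$1 $(classify_status "$?")"
}

# run_all: run every reproducer named in the QA comment. Exit status is
# non-zero if any file produced a memory error, crash or hang, so this can
# serve as a pass/fail check when verifying a fixed package.
run_all() {
    failed=0
    for f in openpgp-invalid1.pub openpgp-invalid2.pub openpgp-invalid3.pub openpgp-invalid4.pub; do
        line=$(run_reproducer "$f") || { echo "required tools missing" >&2; return 2; }
        echo "$line"
        if is_failure "${line##* }"; then failed=1; fi
    done
    return $failed
}

# Only run the harness when executed directly, not when sourced.
if [ "${0##*/}" = "pgp-reproducer.sh" ]; then
    run_all
fi
```

Run it as ./pgp-reproducer.sh in the directory holding the test files. On the unfixed SLE-12 package the QA comment's observations would show up as memory-error for the first two files and hang for the third; a non-zero exit from the harness means at least one of those outcomes is still present. Note that rejected-exit-N is the good case for a malformed certificate, since certtool is expected to refuse it without valgrind complaining.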
CVEs have been assigned for this issue:
http://www.openwall.com/lists/oss-security/2017/01/11/4

> https://gitlab.com/gnutls/gnutls/commit/49be4f7b82eba2363bb8d4090950dad976a77a3a
Use CVE-2017-5335.

> https://gitlab.com/gnutls/gnutls/commit/5140422e0d7319a8e2fe07f02cbcafc4d6538732
Use CVE-2017-5336.

> https://gitlab.com/gnutls/gnutls/commit/94fcf1645ea17223237aaf8d19132e004afddc1a
Use CVE-2017-5337.
I am testing this update, SUSE:Maintenance:4019:126764. After installing the update (gnutls-3.2.15-14.1) the test case below still falls in an infinite loop with 100 % CPU.

"valgrind certtool --inraw --pgp-certificate-info --infile gnutls-master-cfac494aa549a3d3e5d00c08c4e2b4d11f31bd9e/tests/cert-tests/data/openpgp-invalid3.pub"

Please check if this bug is fixed or not.
SUSE-SU-2017:0304-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1005879,1018832,961491
CVE References: CVE-2016-8610,CVE-2017-5335,CVE-2017-5336,CVE-2017-5337
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gnutls-2.4.1-24.39.67.1
SUSE Linux Enterprise Server 11-SP4 (src): gnutls-2.4.1-24.39.67.1
SUSE Linux Enterprise High Availability Extension 11-SP4 (src): gnutls-2.4.1-24.39.67.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): gnutls-2.4.1-24.39.67.1
SUSE-SU-2017:0348-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1005879,1018832,999646
CVE References: CVE-2016-7444,CVE-2016-8610,CVE-2017-5335,CVE-2017-5336,CVE-2017-5337
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): gnutls-3.2.15-16.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): gnutls-3.2.15-16.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): gnutls-3.2.15-16.1
SUSE Linux Enterprise Server 12-SP2 (src): gnutls-3.2.15-16.1
SUSE Linux Enterprise Server 12-SP1 (src): gnutls-3.2.15-16.1
SUSE Linux Enterprise Desktop 12-SP2 (src): gnutls-3.2.15-16.1
SUSE Linux Enterprise Desktop 12-SP1 (src): gnutls-3.2.15-16.1
released for sles. leap is pending
openSUSE-SU-2017:0386-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1005879,1018832,999646
CVE References: CVE-2016-7444,CVE-2016-8610,CVE-2017-5335,CVE-2017-5336,CVE-2017-5337
Sources used:
openSUSE Leap 42.2 (src): gnutls-3.2.15-9.1
openSUSE Leap 42.1 (src): gnutls-3.2.15-8.1