Bug 1021057 - (CVE-2017-5336) VUL-0: CVE-2017-5335,CVE-2017-5336,CVE-2017-5337: libopencdk: heap and stack overflows when decoding OpenPGP certificates (GNUTLS-SA-2017-2)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/178337/
maint:released:sle10-sp3:63500
Reported: 2017-01-20 09:20 UTC by Matthias Gerstner
Modified: 2017-10-26 05:50 UTC

Attachments
Upstream patches for SLE-10 (9.50 KB, application/x-tar)
2017-03-10 11:56 UTC, Pedro Monreal Gonzalez

Description Matthias Gerstner 2017-01-20 09:20:44 UTC
+++ This bug was initially created as a clone of Bug #1018832

It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted OpenPGP certificate could lead to heap and stack overflows. 

Fixed upstream in GnuTLS 3.3.26 and 3.5.8.

Upstream recommendation / comment on the feature:

> The support of OpenPGP certificates in GnuTLS is considered obsolete.
> As such, it is not recommended to use OpenPGP certificates with GnuTLS.

References:
https://gnutls.org/security.html#GNUTLS-SA-2017-2
Comment 1 Matthias Gerstner 2017-01-20 09:28:55 UTC
These issues have been found in GnuTLS, handled in bug 1018832.

In SLE-10-SP3:Teradata the affected code does not come from the libopencdk
bundled with GnuTLS, but from the system's libopencdk.

The following upstream commits are related to this:

> https://gitlab.com/gnutls/gnutls/commit/49be4f7b82eba2363bb8d4090950dad976a77a3a

Use CVE-2017-5335.

> https://gitlab.com/gnutls/gnutls/commit/5140422e0d7319a8e2fe07f02cbcafc4d6538732

Use CVE-2017-5336.

> https://gitlab.com/gnutls/gnutls/commit/94fcf1645ea17223237aaf8d19132e004afddc1a

Use CVE-2017-5337.
Comment 2 Matthias Gerstner 2017-01-20 09:38:22 UTC
QA reproducer:

This bug is reproduced using GnuTLS. Instructions are found in
bug 1018832 comment 5.
Comment 4 Swamp Workflow Management 2017-01-20 23:00:28 UTC
bugbot adjusting priority
Comment 7 Pedro Monreal Gonzalez 2017-03-10 11:56:29 UTC
Created attachment 717035
Upstream patches for SLE-10

- Added patches for SLE-10
  * libopencdk-CVE-2017-5335.patch  
  * libopencdk-CVE-2017-5336.patch  
  * libopencdk-CVE-2017-5337.patch

I'm reassigning this bug to the security-team.
Comment 9 Swamp Workflow Management 2017-03-24 08:35:10 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2017-03-31.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63499
Comment 10 Marcus Meissner 2017-10-26 05:50:30 UTC
released