Bugzilla – Bug 1021057
VUL-0: CVE-2017-5335,CVE-2017-5336,CVE-2017-5337: libopencdk: heap and stack overflows when decoding OpenPGP certificates (GNUTLS-SA-2017-2)
Last modified: 2017-10-26 05:50:30 UTC
+++ This bug was initially created as a clone of Bug #1018832
It was found using the OSS-FUZZ fuzzer infrastructure that decoding a specially crafted OpenPGP certificate could lead to heap and stack overflows.
Fixed upstream in GnuTLS 3.3.26 and 3.5.8.
Upstream recommendation / comment on the feature:
> The support of OpenPGP certificates in GnuTLS is considered obsolete.
> As such, it is not recommended to use OpenPGP certificates with GnuTLS.
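For readers who want to see where length-driven overflows enter an OpenPGP decoder, the following is an added, generic illustration of RFC 4880 packet header parsing with the bounds checks a decoder needs before touching a packet body. It is not the libopencdk or GnuTLS code, and it does not reproduce the CVE-2017-5335/5336/5337 bugs; the function names, the sample byte strings (constructed here), and the rejection of partial and indeterminate lengths are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of parsing one packet header (RFC 4880 section 4.2). */
typedef struct {
    int tag;         /* packet tag (RFC 4880 section 4.3), e.g. 6 = public key, 13 = user ID */
    size_t hdr_len;  /* bytes consumed by the header */
    size_t body_len; /* declared body length, already checked against the buffer */
} pgp_pkt_hdr;

/* Parse one packet header from buf[0..len). Returns 0 on success, -1 if the
 * header is malformed, truncated, or uses a length form this example refuses
 * (partial body lengths, old-format indeterminate length), and -2 if the
 * declared body would run past the end of buf. A decoder that copies body_len
 * bytes without the -2 check is exactly the shape of bug a crafted certificate
 * turns into a heap or stack overflow. */
int pgp_parse_header(const uint8_t *buf, size_t len, pgp_pkt_hdr *out)
{
    if (len < 1 || (buf[0] & 0x80) == 0) return -1;  /* bit 7 must be set */
    memset(out, 0, sizeof *out);
    size_t pos;
    if (buf[0] & 0x40) {                              /* new-format packet */
        out->tag = buf[0] & 0x3f;
        if (len < 2) return -1;
        uint8_t o1 = buf[1];
        if (o1 < 192) {                               /* one-octet length */
            out->body_len = o1;
            pos = 2;
        } else if (o1 < 224) {                        /* two-octet length */
            if (len < 3) return -1;
            out->body_len = ((size_t)(o1 - 192) << 8) + buf[2] + 192;
            pos = 3;
        } else if (o1 == 255) {                       /* five-octet length */
            if (len < 6) return -1;
            out->body_len = ((size_t)buf[2] << 24) | ((size_t)buf[3] << 16) |
                            ((size_t)buf[4] << 8)  |  (size_t)buf[5];
            pos = 6;
        } else {
            return -1;                                /* partial body length: unsupported here */
        }
    } else {                                          /* old-format packet */
        out->tag = (buf[0] >> 2) & 0x0f;
        int lt = buf[0] & 0x03;
        size_t n = (lt == 0) ? 1 : (lt == 1) ? 2 : (lt == 2) ? 4 : 0;
        if (n == 0) return -1;                        /* indeterminate length: refuse */
        if (len < 1 + n) return -1;
        size_t v = 0;
        for (size_t i = 0; i < n; i++) v = (v << 8) | buf[1 + i];
        out->body_len = v;
        pos = 1 + n;
    }
    out->hdr_len = pos;
    if (out->body_len > len - pos) return -2;         /* declared body exceeds what was read */
    return 0;
}

/* Walk a buffer of concatenated packets. Returns the packet count, or -1 at the
 * first packet whose header fails validation, without ever reading a body byte
 * that lies outside the buffer. */
int pgp_count_packets(const uint8_t *buf, size_t len)
{
    int count = 0;
    size_t off = 0;
    while (off < len) {
        pgp_pkt_hdr h;
        if (pgp_parse_header(buf + off, len - off, &h) != 0) return -1;
        off += h.hdr_len + h.body_len;
        count++;
    }
    return count;
}

/* Constructed sample input: an old-format tag-6 packet with a 3-byte body,
 * followed by a new-format tag-13 (user ID) packet with the body "alice". */
static const uint8_t sample_ok[] = {
    0x98, 0x03, 0x01, 0x02, 0x03,
    0xCD, 0x05, 'a', 'l', 'i', 'c', 'e'
};

/* Constructed crafted input: old-format tag 6 declaring 255 body bytes while
 * only 2 follow. A decoder without the length check would read past the buffer. */
static const uint8_t sample_crafted[] = { 0x98, 0xFF, 0x41, 0x41 };

int main(void)
{
    printf("well-formed sample: %d packet(s)\n", pgp_count_packets(sample_ok, sizeof sample_ok));
    printf("crafted sample: %d (negative means rejected)\n",
           pgp_count_packets(sample_crafted, sizeof sample_crafted));
    return 0;
}
```

The essential point is the order of operations: the declared length is compared against the bytes actually available before any copy or allocation is sized from it, so a certificate that lies about a packet length is rejected rather than driving a memcpy past a fixed buffer.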
These issues were found in GnuTLS and are handled in bug 1018832.
In SLE-10-SP3:Teradata the affected code does not come from the libopencdk
bundled with GnuTLS, but from the system's libopencdk.
The following upstream commits are related to this:
This bug is reproduced using GnuTLS. Instructions are found in
bug 1018832 comment 5.
bugbot adjusting priority
Created attachment 717035
Upstream patches for SLE-10
- Added patches for SLE-10
I'm reassigning this bug to the security-team.
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages by 2017-03-31.
When done, reassign the bug to firstname.lastname@example.org.