Bug 802651 - (CVE-2013-1619) VUL-0: CVE-2013-1619: gnutls: 3.1.7/3.0.28/2.12.23 release (lucky thirteen 13)
(CVE-2013-1619)
VUL-0: CVE-2013-1619: gnutls: 3.1.7/3.0.28/2.12.23 release (lucky thirteen 13)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle11-sp2:52236 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-02-07 17:14 UTC by Marcus Meissner
Modified: 2019-04-16 11:41 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
extracted git patch (5.54 KB, patch)
2013-04-23 15:09 UTC, Marcus Meissner
Details | Diff
gnutls-CVE-2013-1619-lucky13.patch (6.74 KB, patch)
2013-04-23 16:02 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-02-07 17:14:29 UTC
is public, via oss-sec and gnutls.org.

CVE-2013-1619
"The GnuTLS implementation of MEE-TLS-CBC deals with bad padding
in a different way to that recommended in the RFCs: instead of
assuming zero-length padding, it uses the last byte of plaintext 
to determine how many plaintext bytes to remove (whether or not
those bytes are correctly formatted padding). ... This indicates
that ignoring the recommendations of the RFCs can have severe
security consequences."

http://www.gnutls.org/security.html#GNUTLS-SA-2013-1

http://nmav.gnutls.org/2013/02/time-is-money-for-cbc-ciphersuites.html
Comment 1 Swamp Workflow Management 2013-02-07 17:16:15 UTC
The SWAMPID for this issue is 51098.
This issue was rated as moderate.
Please submit fixed packages until 2013-02-21.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Marcus Meissner 2013-02-07 17:21:20 UTC
From Matthias Weckbecker:

b8391806cd79095fe566f2401d8c7ad85a64b198 seems to be the commit for GnuTLS
that fixes the issue.

https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0                                                                 
https://gitorious.org/gnutls/gnutls/commit/b8391806cd79095fe566f2401d8c7ad85a64b198
Comment 3 Swamp Workflow Management 2013-02-07 23:00:53 UTC
bugbot adjusting priority
Comment 4 Shawn Chang 2013-02-12 17:57:19 UTC
thanks for the info, Matthias. I'm working on it.
Comment 6 Marcus Meissner 2013-04-23 14:53:19 UTC
the core patch seems to be 

commit 328ee22c1b3951e060c7124c7cb1cee592c59bc0
Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Mon Feb 4 03:08:04 2013 +0100

    Fixes to avoid a timing attack in TLS CBC record parsing.
Comment 7 Marcus Meissner 2013-04-23 15:06:02 UTC
2.12.x branch has:
commit 458c67cf98740e7b12404f6c30e0d5317d56fd30
Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Mon Feb 4 03:08:04 2013 +0100

    Fixes to avoid a timing attack in TLS CBC record parsing.

and
commit 93b7fcfa3297a9123630704668b2946f602b910e
Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date:   Mon Feb 4 09:39:42 2013 +0100

    corrected fix




git diff 433bc2bdc118ac3b8a83a5fb7d41b3cecdd73cc9..93b7fcfa3297a9123630704668b2946f602b910e
Comment 8 Marcus Meissner 2013-04-23 15:09:32 UTC
Created attachment 536518 [details]
extracted git patch

patch from above git diff, minus unnecessary parts
Comment 16 Swamp Workflow Management 2013-04-30 17:01:19 UTC
Update released for: gnutls, gnutls-32bit, gnutls-64bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit, gnutls-devel-64bit, gnutls-x86
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 17 Swamp Workflow Management 2013-04-30 17:04:34 UTC
Update released for: gnutls, gnutls-32bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 18 Swamp Workflow Management 2013-04-30 17:04:54 UTC
Update released for: gnutls, gnutls-devel
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 19 Swamp Workflow Management 2013-04-30 17:05:15 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 20 Swamp Workflow Management 2013-04-30 17:20:21 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 21 Alexander Bergmann 2013-05-02 08:08:59 UTC
openSUSE:12.1:Update: no fix
openSUSE:12.2: no fix
openSUSE:12.3: fix included in gnutls-3.0.28
Comment 23 Bernhard Wiedemann 2013-05-02 14:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (802651) was mentioned in
https://build.opensuse.org/request/show/174317 Maintenance /
Comment 24 Bernhard Wiedemann 2013-05-02 15:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (802651) was mentioned in
https://build.opensuse.org/request/show/174319 Maintenance / 
https://build.opensuse.org/request/show/174320 Maintenance /
Comment 25 Swamp Workflow Management 2013-05-17 18:05:25 UTC
openSUSE-SU-2013:0807-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 802651
CVE References: CVE-2013-1619
Sources used:
openSUSE 12.2 (src):    gnutls-3.0.20-1.4.1
openSUSE 12.1 (src):    gnutls-3.0.3-5.15.1
Comment 26 Marcus Meissner 2013-06-14 04:06:52 UTC
released
Comment 27 Swamp Workflow Management 2014-03-03 20:46:47 UTC
Update released for: gnutls, gnutls-debuginfo, gnutls-debugsource, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26, libgnutls26-32bit, libgnutls26-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 28 Swamp Workflow Management 2014-03-03 20:52:29 UTC
Update released for: gnutls, gnutls-32bit, gnutls-debuginfo, gnutls-devel, gnutls-devel-32bit, gnutls-x86
Products:
SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64)
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 29 Swamp Workflow Management 2014-03-04 00:06:13 UTC
SUSE-SU-2014:0320-1: An update that solves 9 vulnerabilities and has one errata is now available.

Category: security (critical)
Bug References: 536809,554084,659128,739898,753301,754223,802651,821818,865804,865993
CVE References: CVE-2009-5138,CVE-2011-4108,CVE-2012-0390,CVE-2012-1569,CVE-2012-1573,CVE-2013-0169,CVE-2013-1619,CVE-2013-2116,CVE-2014-0092
Sources used:
SUSE Linux Enterprise Server 10 SP3 LTSS (src):    gnutls-1.2.10-13.38.1
Comment 30 Swamp Workflow Management 2014-03-04 00:07:34 UTC
SUSE-SU-2014:0322-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (critical)
Bug References: 760265,802651,821818,835760,865804,865993
CVE References: CVE-2009-5138,CVE-2013-1619,CVE-2013-2116,CVE-2014-0092
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    gnutls-2.4.1-24.39.49.1
Comment 32 Swamp Workflow Management 2014-06-16 12:47:56 UTC
Update released for: gnutls, gnutls-devel
Products:
SUSE-CORE 9-LTSS (i386, s390, s390x, x86_64)
Comment 33 Swamp Workflow Management 2014-06-16 16:04:50 UTC
SUSE-SU-2014:0800-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 554084,670152,802651,880730,880910
CVE References: CVE-2013-1619,CVE-2014-3466,CVE-2014-3467,CVE-2014-3468,CVE-2014-3469
Sources used:
SUSE CORE 9 (src):    gnutls-1.0.8-26.32