Bugzilla – Bug 83481
VUL-0: CVE-2005-1431: gnutls DoS
Last modified: 2021-11-03 15:48:27 UTC
We received the following report via bugtraq. The issue is public. No server seems to depend on gnutls so stable only fix is sufficient I guess. Date: Mon, 9 May 2005 10:43:54 +0200 From: Matthias Geerdsen <vorlon@gentoo.org> To: gentoo-announce@lists.gentoo.org Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk, security-alerts@linuxsecurity.com Subject: [ GLSA 200505-04 ] GnuTLS: Denial of Service vulnerability - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200505-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: GnuTLS: Denial of Service vulnerability Date: May 09, 2005 Bugs: #90726 ID: 200505-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== The GnuTLS library is vulnerable to Denial of Service attacks. Background ========== GnuTLS is a free TLS 1.0 and SSL 3.0 implementation for the GNU project. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-libs/gnutls < 1.2.3 >= 1.2.3 *>= 1.0.25 Description =========== A vulnerability has been discovered in the record packet parsing in the GnuTLS library. Additionally, a flaw was also found in the RSA key export functionality. Impact ====== A remote attacker could exploit this vulnerability and cause a Denial of Service to any application that utilizes the GnuTLS library. Workaround ========== There is no known workaround at this time. Resolution ========== All GnuTLS users should remove the existing installation and upgrade to the latest version: # emerge --sync # emerge --unmerge gnutls # emerge --ask --oneshot --verbose net-libs/gnutls Due to small API changes with the previous version, please do the following to ensure your applications are using the latest GnuTLS that you just emerged. # revdep-rebuild --soname-regexp libgnutls.so.1[0-1] Previously exported RSA keys can be fixed by executing the following command on the key files: # certtool -k infile outfile References ========== [ 1 ] GnuTLS Announcement http://lists.gnupg.org/pipermail/gnutls-dev/2005-April/000858.html [ 2 ] CAN-2005-1431 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1431 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200505-04.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0
will do
done
checked in
What about an update for 9.3?
lnussel said as gnutls isnt used by any server app fixing stable is enough
ok!
Ok, I will reopen it again b/c I saw that rcd uses libsoup which uses gnutls. Therefore we have server code using gnutls. It's likely that other Ximian code uses SOUP+SSL as well. Ludwig told me that they made API changes in the update. But these changes may not be necessary for the fix, aren't they?
uh that sucks. rcd is compiled static against everything. ill check. gnutls and rcd should be enough then or? And please have a look at the patch. Attached
Created attachment 41777 [details] gnutls dos patch
packages submitted to 9.1, 9.2, 9.3. Im not sure how to proceed now. How can we know when rcd will pick up a libsoup that is compiled against the fixed gnutls?
I don't know, why don't you link it dynamically anyways? Does only rcd contain the gnutls lib or any other subpackage as well?
because then rcd would not be able to update itself or libsoup. ximian development said the rcd binary needs to be static. rcd links libsoup static at compile time which uses gnutls.
Just include rcd in the patchinfo file for gnutls. an rcd update will probably be done for 9.1 anyway on backmerging the sp2 tree.
SM-Tracker-1799
notes by QA: I have taken some testcase from http://www.gnu.org/software/gnutls/manual/gnutls.html and added them to pdb: http://pdb.suse.de/pdb-testcases.pl?Package=gnutls&Release=10&tcid=5807&sortkey=5
updates approved.
harald, what is the status here?
this should be in patch-10431 - f93152df6a15f25149d78610657d2b17 For all core9-based products (NLD, OES,SLES). The idea was to release the same code to 9.3 after some "real live" experiences. Heiko found a "new" problem. I add him as I haven't the new bug-ID
see last comment ...
you dont want to wait with this update untill gnutls is arch clean. The bugs heiko discovered where always present...
this is so minor for the 9.3 box, and rcd is not default used there anyway, that we can skip fixing redcarpet for 9.3. lets rest this issue.
CVE-2005-1431: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)