Bug 880733 - (CVE-2014-3465) VUL-0: CVE-2014-3465: gnutls: gnutls_x509_dn_oid_name NULL pointer dereference
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other openSUSE 13.1
: P3 - Medium : Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/99187/
Reported: 2014-05-30 12:06 UTC by Johannes Segitz
Modified: 2014-06-10 13:57 UTC

Found By: Security Response Team
Description Johannes Segitz 2014-05-30 12:06:09 UTC
gnutls_x509_dn_oid_name() returns NULL to its caller when it is not expected.

The fix was first included in upstream versions 3.1.20 and 3.2.10:
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7251
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7250

Versions >=3.0 are affected; please submit for openSUSE 12.3 and openSUSE 13.1.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1101734
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3465
Comment 1 Swamp Workflow Management 2014-05-30 22:00:23 UTC
bugbot adjusting priority
Comment 2 Bernhard Wiedemann 2014-06-02 07:00:30 UTC
This is an autogenerated message for OBS integration:
This bug (880733) was mentioned in
https://build.opensuse.org/request/show/235998 13.1 / gnutls
https://build.opensuse.org/request/show/235999 12.3 / gnutls
Comment 3 Shawn Chang 2014-06-03 04:29:45 UTC
Fixed for openSUSE 13.1/12.3; SLE-12 is not affected by this issue. Re-assigning to the security team.
Comment 4 Swamp Workflow Management 2014-06-06 09:04:37 UTC
openSUSE-SU-2014:0763-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 880730,880733
CVE References: CVE-2014-3465,CVE-2014-3466
Sources used:
openSUSE 13.1 (src):    gnutls-3.2.4-2.24.1
openSUSE 12.3 (src):    gnutls-3.0.28-1.14.1
Comment 5 Johannes Segitz 2014-06-10 13:57:50 UTC
All relevant packages are fixed.