Gentoo Logo

GnuTLS: Multiple vulnerabilities

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200905-04 / gnutls
Release Date May 24, 2009
Latest Revision May 24, 2009: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-libs/gnutls < 2.6.6 >= 2.6.6 All supported architectures

Related bugreports: #267774

Synopsis

Multiple vulnerabilities in GnuTLS might result in a Denial of Service, spoofing or the generation of invalid keys.

2.  Impact Information

Background

GnuTLS is an Open Source implementation of the TLS 1.0 and SSL 3.0 protocols.

Description

The following vulnerabilities were found in GnuTLS:

  • Miroslav Kratochvil reported that lib/pk-libgcrypt.c does not properly handle corrupt DSA signatures, possibly leading to a double-free vulnerability (CVE-2009-1415).
  • Simon Josefsson reported that GnuTLS generates RSA keys stored in DSA structures when creating a DSA key (CVE-2009-1416).
  • Romain Francoise reported that the _gnutls_x509_verify_certificate() function in lib/x509/verify.c does not perform time checks, resulting in the "gnutls-cli" program accepting X.509 certificates with validity times in the past or future (CVE-2009-1417).

Impact

A remote attacker could entice a user or automated system to process a specially crafted DSA certificate, possibly resulting in a Denial of Service condition. NOTE: This issue might have other unspecified impact including the execution of arbitrary code. Furthermore, a remote attacker could spoof signatures on certificates and the "gnutls-cli" application can be tricked into accepting an invalid certificate.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All GnuTLS users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.6.6"

4.  References



Print

Page updated May 24, 2009

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.