Gentoo Logo

GnuTLS: Multiple vulnerabilities


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200905-04 / gnutls
Release Date May 24, 2009
Latest Revision May 24, 2009: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-libs/gnutls < 2.6.6 >= 2.6.6 All supported architectures

Related bugreports: #267774


Multiple vulnerabilities in GnuTLS might result in a Denial of Service, spoofing or the generation of invalid keys.

2.  Impact Information


GnuTLS is an Open Source implementation of the TLS 1.0 and SSL 3.0 protocols.


The following vulnerabilities were found in GnuTLS:

  • Miroslav Kratochvil reported that lib/pk-libgcrypt.c does not properly handle corrupt DSA signatures, possibly leading to a double-free vulnerability (CVE-2009-1415).
  • Simon Josefsson reported that GnuTLS generates RSA keys stored in DSA structures when creating a DSA key (CVE-2009-1416).
  • Romain Francoise reported that the _gnutls_x509_verify_certificate() function in lib/x509/verify.c does not perform time checks, resulting in the "gnutls-cli" program accepting X.509 certificates with validity times in the past or future (CVE-2009-1417).


A remote attacker could entice a user or automated system to process a specially crafted DSA certificate, possibly resulting in a Denial of Service condition. NOTE: This issue might have other unspecified impact including the execution of arbitrary code. Furthermore, a remote attacker could spoof signatures on certificates and the "gnutls-cli" application can be tricked into accepting an invalid certificate.

3.  Resolution Information


There is no known workaround at this time.


All GnuTLS users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.6.6"

4.  References


Page updated May 24, 2009

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.