[gnutls-devel] gnutls 3.2.12 / GNUTLS-SA-2014-2

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Mar 5 09:44:41 CET 2014

On Mon, Mar 3, 2014 at 7:22 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:

> This fixes an important (and at the same time embarrassing) bug
> discovered during an audit for Red Hat. Everyone is urged to upgrade.
> The git branches of older releases (e.g., 2.12.x), were also updated
> with patches to the issue as they are also vulnerable. I'll provide more
> information on the issue the next few days.

It seems that this bug got quite some publicity and I even started
receiving mail from random people. If anyone has any suggestions on
gnutls project workflow please post it here, and (more important)
volunteer to take up some work. Judging is easy, doing the actual work

So here are a few more words on the specific issue. The bug was
introduced around the 1.0.0 version, and went for quite a long time
undetected, I believe mainly for the following reasons:

1. This bug cannot be detected by any certificate validation tests;
prior to any release gnutls is tested against a certificate validation
path suite (developed to test X.509 path validation for USA's DoD),
but that couldn't help detect the issue. It didn't help with any of
the other issues that had been detected in the X.509 path validation
code of gnutls, so we have an additional suite developed in-house.
That didn't help with the issue either because it requires a specially
crafted certificate (and I'm not revealing more details on that yet).

2. This bug can only be detected by code audit, which doesn't happen
often (it's not a fun thing to do).

3. As this code was on a critical part of the library it was touched,
and thus read, very rarely. Moreover, the code in question followed
the usual form of error checking in the library 'if(err<0) return
err', making it look correct, unless one would notice that the
function returned a boolean value (and we have very few such functions
in the library).

Of course the bug was introduced by me and I am fully responsible for it.
That's my last mail on the topic. Shit happens; we flush and go on.
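An added illustration of the pattern described in point 3 above; this is constructed example code, not gnutls's own. A predicate that is supposed to return a boolean propagates a negative error code with the usual 'if (err < 0) return err' idiom, so a caller that only tests for non-zero reads the error as "true"; it sits beside a version that fails closed. The struct, helper names and error value are all hypothetical.

```c
/* Constructed example, not gnutls code: error codes follow the library's
 * convention of a negative value on failure and 0 on success. */
#define ERR_PARSE (-42)   /* hypothetical error code */

/* Constructed stand-in for a certificate: the CA flag the predicate should
 * report, plus a switch that makes the relevant field unparseable. */
struct cert {
    int is_ca;
    int parse_fails;
};

/* Hypothetical helper: 0 on success, negative error code on failure. */
static int read_basic_constraints(const struct cert *c, int *ca_out)
{
    if (c->parse_fails)
        return ERR_PARSE;
    *ca_out = c->is_ca;
    return 0;
}

/* Vulnerable shape: a boolean predicate written with the usual
 * 'if (err < 0) return err' idiom. Its caller only checks for non-zero,
 * so a negative error code reads as "true" and an unparseable
 * certificate is accepted as a CA. */
int is_ca_vulnerable(const struct cert *c)
{
    int ca = 0;
    int err = read_basic_constraints(c, &ca);
    if (err < 0)
        return err;          /* BUG: -42 is non-zero */
    return ca;
}

/* Fixed shape: the predicate returns strictly 0 or 1 and maps any error
 * to the safe answer, "not a CA". */
int is_ca_fixed(const struct cert *c)
{
    int ca = 0;
    if (read_basic_constraints(c, &ca) < 0)
        return 0;            /* fail closed */
    return ca != 0;
}

/* Caller in the style of a path-validation loop: accepts the issuer when
 * the predicate is non-zero. 'fixed' selects which predicate is used. */
int issuer_accepted(int is_ca, int parse_fails, int fixed)
{
    struct cert c = { is_ca, parse_fails };
    int (*pred)(const struct cert *) = fixed ? is_ca_fixed : is_ca_vulnerable;
    return pred(&c) != 0;
}
```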
