handling of the gnutls 2.2.4 security fixes

Tue May 20 01:05:53 CEST 2008

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm not sure which list (vendor-sec or oss-security) I should post this
to. I'm hoping not making it public means that maybe it'll get serious
attention and it won't be taken as flamebait. It isn't intended that
way. Really. I promise.

I'll be honest, I'm not that familiar with gnutls. I've never had a
chance to use it. I have no idea what, if anything, it provides that
isn't available in openssl. But Foresight Linux does ship it, and
apparently some apps we ship actually use it. So it being secure is
important to me.

The 2.2.4 release was not handled properly. Vendor-sec received an email
on the 14th of May stating that CERT-FI was going to send mail to us
about an upcoming release of gnutls. That mail never arrived. Vendor-sec
is *the* place to discuss non-public issues like this. Maybe this was
the fault of the CERT, but the gnutls team should, in the future, make
an attempt to contact us even if whatever CERT is dealing with the issue
also promises to.

Josh Bressers, who is quite active on this list, seems to have already
made some comments to this effect. I just wanted to clear up why it
would be beneficial to *you* to post here. Emailing us ensures that most
of your users actually get the fix on the day you release it, since most
of your users use the distro-provided packages. We coordinate sensitive
releases with projects such as openssl, kerberos, etc. Depending on the
scope of the changes, it may take distros weeks to integrate and QA
them, so giving us a bit of notice (10-14 days is typical) allows us all
to push the fixes at the same time, preventing the Bad Guys from using
the information in your advisory against the folks using the
distro-provided packages. It also allows folks who aren't part of the
upstream project to analyze the proposed fix, which sometimes leads to a
better patch being developed.

But, what troubles me more than the non-notification is that the gnutls
team doesn't seem to understand the impact of these flaws.
http://www.gnu.org/software/gnutls/security.html states "Currently the
core GnuTLS team do [sic] not have resources to analyse [sic] the
background and impact of security problems in as much detail as we would
want to." That statement *floored* me. One of my coworkers, who I will
leave nameless, but who is on this list, stated upon reading that "Words
fail me".

Maybe the statement is simply poorly worded, but it seems to be
consistent with today's release...

...In a cryptographic library, analyzing impact and understanding
security issues is of the *utmost* importance. It is more important that
than new features. It is more important than bugfixes. You guys, the
gnutls team, are the experts in this code. You guys are the most able to
diagnose causes and assess impact. You guys. Not, as you later state on
that same page, "Everyone is invited to analyse [sic] the impact of
discovered bugs". Yes, ok, openness is good. Anyone can examine the
code. Great. But anyone who publishes a *cryptographic library*
shouldn't rely on the unwashed masses to coordinate security issues.
There is a greater responsibility when dealing with code that could
compromise people's bank accounts or allow eavesdropping on sensitive
private conversations. You guys are the experts, and it would be great
if you used that knowledge where it is most needed. Crypto library
maintainers should be very deliberate and slow-moving, not rushing to
publish releases until everything is understood about those changes.

So. Now that I've gotten all that off my chest, let me reiterate. I
don't intend this to be insulting, or otherwise harmful.  I know gnutls
is a relatively new project, and so I'm just trying to let you know how
users of gnutls feel when blind-sighted with unresearched security
advisories, and maybe how to prevent it in the future.

	smithj

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkgyB9AACgkQCG91qXPaRekw2QCeL8bBh+64kfpLgGHriyCABBN6
oeQAn3NUaqDJE5x2OVoCRc8/LrWwAEBz
=o8uP
-----END PGP SIGNATURE-----