Bug#505279: libgnutls26: segfault in _gnutls_x509_crt_get_raw_dn2
Simon Josefsson
simon at josefsson.org
Wed Nov 12 11:15:31 CET 2008
Michael Meskes <meskes at debian.org> writes:
> On Tue, Nov 11, 2008 at 04:55:57PM +0100, Simon Josefsson wrote:
>> I think we have identified the problem, see:
>>
>> http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3216/focus=3230
>>
>> That patch at least solves the vulnerability and the crash, so possibly
>> it could be uploaded to debian to avoid further troubles until we have
>> released a 2.6.2 with a good fix.
>
> You mean just removing this code snippet instead of moving it?
>
> /* Check if the last certificate in the path is self signed.
> * In that case ignore it (a certificate is trusted only if it
> * leads to a trusted party by us, not the server's).
> */
> if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
> certificate_list[clist_size - 1]) > 0
> && clist_size > 0)
> {
> clist_size--;
> }
Yes.
> Yes, this works. However, I wonder whether this code has any use.
Getting Nikos' comment on this would be useful. I guess we have two
choices:
1) Remove the code. Fixes both crash and vulnerability.
2) Change the test to clist_size>1. Fixes both crash and vulnerability.
> If so, wouldn't it help to just use "clist_size > 1" instead of
> "clist_size > 0"? The > 0 test is bogus if you access clist_size - 1
> afterwards, but with the > 1 test it works for me as well, i.e. no
> segfault anymore.
Yes, that version of the patch works too. I'm not sure what the
semantic differences are between the two patches.
/Simon
More information about the Gnutls-devel
mailing list