Bug#505279: libgnutls26: segfault in _gnutls_x509_crt_get_raw_dn2

Simon Josefsson simon at josefsson.org
Wed Nov 12 11:15:31 CET 2008


Michael Meskes <meskes at debian.org> writes:

> On Tue, Nov 11, 2008 at 04:55:57PM +0100, Simon Josefsson wrote:
>> I think we have identified the problem, see:
>> 
>> http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3216/focus=3230
>> 
>> That patch at least solves the vulnerability and the crash, so possibly
>> it could be uploaded to debian to avoid further troubles until we have
>> released a 2.6.2 with a good fix.
>
> You mean just removing this code snippet instead of moving it?
>
>   /* Check if the last certificate in the path is self signed.
>    * In that case ignore it (a certificate is trusted only if it
>    * leads to a trusted party by us, not the server's).
>    */
>   if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1],
>                                    certificate_list[clist_size - 1]) > 0
>       && clist_size > 0)
>     {
>       clist_size--;
>     }

Yes.

> Yes, this works. However, I wonder whether this code has any use.

Getting Nikos' comment on this would be useful.  I guess we have two
choices:

1) Remove the code.  Fixes both crash and vulnerability.
2) Change the test to clist_size>1.  Fixes both crash and vulnerability.

> If so, wouldn't it help to just use "clist_size > 1" instead of
> "clist_size > 0"? The > 0 test is bogus if you access clist_size - 1
> afterwards, but with the > 1 test it works for me as well, i.e. no
> segfault anymore.

Yes, that version of the patch works too.  I'm not sure what the
semantic differences are between the two patches.

/Simon





More information about the Gnutls-devel mailing list