Simon Josefsson simon at
Thu Sep 18 03:54:31 CEST 2008

Daniel Kahn Gillmor <dkg at> writes:

> On Wed 2008-09-17 07:30:55 -0400, Simon Josefsson wrote:
>> Werner Koch <wk at> writes:
>>> lib/gnutls_session_pack.c:
>>>     gnutls_calloc (1, sizeof (gnutls_datum_t) * info->ncerts);
>> This unpacks user-supplied data.  If the data were corrupt, it could
>> overflow.  However, if an attacker could influence this data, all the
>> security is gone anyway since it contains master secret keys.
> When you say "user-supplied", do you mean the user running the local
> GnuTLS process, or the user controlling the remote peer?

Running the local process.  The session pack code packs and unpacks all
information about a certain session, and contains the symmetric keys
used and so on.

> One concern is that an attacker could defeat the security provided by
> the TLS layer by introducing arbitrary master secret keys.  But the
> possibility of executing arbitrary code based on the contents of a
> keyring is an entirely different threat, though, which it seems like
> GnuTLS shouldn't be vulnerable to.

Right, and it's fixed now.  If you have time to analyze more in detail
exactly how this could be exploited by an attacker, and write it down,
that might be useful.  I'm not sure there are any realistic scenarios
where attackers have write control over session resumption information
but cannot execute code as the gnutls process.

