[Fwd: crash in GNUTLS-1.4.0]
Simon Josefsson
simon at josefsson.org
Mon May 24 21:50:24 CEST 2010
Tomas Hoger analyzed the problem further and provided this insight:
The issue is a NULL pointer dereference crash that occurs during X509
certificate verification. Both clients and server could be affected.
Attacker needs to have a certificate using hash algorithm not
supported by the affected GnuTLS version, that was issued by a trusted
CA.
There wasn't any CVE for this vulnerability before, but we've assigned
CVE-2006-7239 to it now. I've updated our web site about this:
http://www.gnu.org/software/gnutls/security.html
Note that this problem was fixed in GnuTLS version 1.4.2 which was
released back in August 2006.
/Simon
Simon Josefsson <jas at extundo.com> writes:
> With some guess-work, I was able to reproduce the problem, and the
> patch is below. I'm not yet sure what it is that trigger the problem.
> If I replace the server key/certificate with another pair, it doesn't
> crash, and if I instead replace the CA certificate with another CA
> certificate, it doesn't crash either. So it seems it is a combination
> with the particular CA certificate and server key/certificate that you
> sent.
>
> I'm going away over the weekend, so if anybody here wants to analyze
> this further, that would be appreciated. Here is the recipe to
> reproduce the crash:
>
> $ gnutls-serv --x509keyfile key.pem --x509certfile newcert.pem
> ...
> $ gnutls-cli --x509cafile cacert.pem --port 5556 localhost
>
> I'm labeling this problem as GNUTLS-SA-2006-02 because, under some
> unclear situations, it is a remotely triggered crash of clients.
>
> /Simon
>
> Index: gnutls_algorithms.c
> ===================================================================
> RCS file: /cvs/gnutls/gnutls/lib/gnutls_algorithms.c,v
> retrieving revision 2.156
> retrieving revision 2.157
> diff -u -p -r2.156 -r2.157
> --- gnutls_algorithms.c 15 Dec 2005 13:24:29 -0000 2.156
> +++ gnutls_algorithms.c 11 Aug 2006 22:40:36 -0000 2.157
> @@ -1,5 +1,5 @@
> /*
> - * Copyright (C) 2000, 2002, 2003, 2004, 2005 Free Software Foundation
> + * Copyright (C) 2000, 2002, 2003, 2004, 2005, 2006 Free Software Foundation
> *
> * Author: Nikos Mavroyanopoulos
> *
> @@ -563,7 +563,7 @@ _gnutls_x509_oid2mac_algorithm (const ch
> {
> gnutls_mac_algorithm_t ret = 0;
>
> - GNUTLS_HASH_LOOP (if (strcmp (oid, p->oid) == 0)
> + GNUTLS_HASH_LOOP (if (p->oid && strcmp (oid, p->oid) == 0)
> {
> ret = p->id; break;}
> );
>
>
>
> _______________________________________________
> Gnutls-dev mailing list
> Gnutls-dev at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-dev
More information about the Gnutls-devel
mailing list