Re: CVE request: GNUTLS-SA-2015-3 double free in certificate DN decoding

[Salvatore Bonaccorso <carnil () debian org>]

Hi,

On Mon, Aug 10, 2015 at 11:23:02AM +0200, Martin Prpic wrote:
> Hi,
>
> GnuTLS released versions 3.4.4 and 3.3.17 that fix one security issue:
>
> http://www.gnutls.org/security.html#GNUTLS-SA-2015-3
>
> "Kurt Roeckx reported that decoding a specific certificate with very
> long DistinguishedName (DN) entries leads to double free, which may
> result to a denial of service. Since the DN decoding occurs in almost
> all applications using certificates it is recommended to upgrade the
> latest GnuTLS version fixing the issue. Recommendation: Upgrade to
> GnuTLS 3.4.4, or 3.3.17."
>
> The upstream patch that fixes this issue is available at:
>
> https://gitlab.com/gnutls/gnutls/commit/272854367efc130fbd4f1a51840d80c630214e12
>
> Can a CVE please be assigned to this issue?
>
> Also, there is still no CVE for the issue before this one. The CVE
> request was sent on May 5:
>
> http://seclists.org/oss-sec/2015/q2/367
>
> Can a CVE be assigned to this as well?
>
> Thank you!
>
> Refs:
> rhbz GNUTLS-SA-2015-2: https://bugzilla.redhat.com/1218426
> rhbz GNUTLS-SA-2015-3: https://bugzilla.redhat.com/1251902

Adding explicitly MITRE CVE assignment team to the loop.

Can CVEs be assigned for both GNUTLS-SA-2015-2 and GNUTLS-SA-2015-3
issues?

Regards,
Salvatore