oss-sec mailing list archives

Re: GnuTLS and libtasn1 security fixes

From: mancha <mancha1 () zoho com>
Date: Mon, 2 Jun 2014 02:39:45 +0000

On Sun, Jun 01, 2014 at 09:40:18PM +0200, Kristian Fiskerstrand wrote:

On 05/30/2014 10:31 AM, Tomas Hoger wrote:

Hi!

New GnuTLS and libtasn1 versions fix few issues you might be
interested to look at:


Thanks Thomas.

Based on your research of this issue can you comment anything on
whether CVE-2014-3466 affects the 2.x series as well? It seems like at
least CVE-2014-3465 is 3.x series only.


Hello.

I believe you're right about CVE-2014-3465 not being applicable in
GnuTLS 2.x because in that branch the result of
gnutls_x509_oid2ldap_string is checked for NULL returns.

As for the rest, I've backported the fixes to GnuTLS 2.12.23 (the
CVE-2014-3467,3468,3469 fixes apply to the embedded libtasn1).

You're welcome to them:

http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3466.diff
http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3467.diff
http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3468.diff
http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3469.diff

Note: Add ".sig" to above URLs for the PGP signatures.

--mancha

Attachment: _bin
Description:

Current thread:

GnuTLS and libtasn1 security fixes Tomas Hoger (May 30)
- Re: GnuTLS and libtasn1 security fixes Florian Weimer (May 30)
- Re: GnuTLS and libtasn1 security fixes Kristian Fiskerstrand (Jun 01)
  - Re: GnuTLS and libtasn1 security fixes mancha (Jun 01)
  - Re: GnuTLS and libtasn1 security fixes Tomas Hoger (Jun 03)