oss-sec mailing list archives
Re: GnuTLS and libtasn1 security fixes
From: mancha <mancha1 () zoho com>
Date: Mon, 2 Jun 2014 02:39:45 +0000
On Sun, Jun 01, 2014 at 09:40:18PM +0200, Kristian Fiskerstrand wrote:
> On 05/30/2014 10:31 AM, Tomas Hoger wrote:
> > Hi! New GnuTLS and libtasn1 versions fix few issues you might be
> > interested to look at:
>
> Thanks Thomas. Based on your research of this issue can you comment
> anything on whether CVE-2014-3466 affects the 2.x series as well? It
> seems like at least CVE-2014-3465 is 3.x series only.

Hello. I believe you're right about CVE-2014-3465 not being applicable in GnuTLS 2.x because in that branch the result of gnutls_x509_oid2ldap_string is checked for NULL returns.

As for the rest, I've backported the fixes to GnuTLS 2.12.23 (the CVE-2014-3467,3468,3469 fixes apply to the embedded libtasn1). You're welcome to them:

http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3466.diff
http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3467.diff
http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3468.diff
http://sf.net/projects/mancha/files/sec/gnutls-2.12.23_CVE-2014-3469.diff

Note: Add ".sig" to above URLs for the PGP signatures.

--mancha
Current thread:
- GnuTLS and libtasn1 security fixes Tomas Hoger (May 30)
- Re: GnuTLS and libtasn1 security fixes Florian Weimer (May 30)
- Re: GnuTLS and libtasn1 security fixes Kristian Fiskerstrand (Jun 01)
- Re: GnuTLS and libtasn1 security fixes mancha (Jun 01)
- Re: GnuTLS and libtasn1 security fixes Tomas Hoger (Jun 03)