Re: Fwd: GNU Libtasn1 2.12 released

gnutls-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fwd: GNU Libtasn1 2.12 released

From:	Nikos Mavrogiannopoulos
Subject:	Re: Fwd: GNU Libtasn1 2.12 released
Date:	Tue, 20 Mar 2012 18:41:21 +0100
User-agent:	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.24) Gecko/20111114 Icedove/3.1.16

On 03/20/2012 09:20 AM, Tomas Hoger wrote:

>> Note that the bug fixed affects all gnutls versions.
> Nikos, should the above be read as "all gnutls versions include
> libtasn1 versions affected by this problem" or "gnutls uses
> asn1_get_length_der incorrectly too"? 

I don't think gnutls uses asn1_get_length_der(). It is libtasn1
that was using asn1_get_length_der() internally in an incorrect
way. Because of that all programs using libtasn1 are vulnerable
including gnutls.

> Have you managed to
> confirm the issue in gnutls and can possibly comment on known
> possible impacts (e.g. TLS client can trigger this on TLS server
> by providing a crafted client certificate during handshake)?

Yes, certificate parsing crashes gnutls with the vulnerable libtasn1.

regards,
Nikos

[Prev in Thread]

Current Thread

[Next in Thread]

Fwd: GNU Libtasn1 2.12 released, Nikos Mavrogiannopoulos, 2012/03/19
- Re: Fwd: GNU Libtasn1 2.12 released, Tomas Hoger, 2012/03/20
  - Re: Fwd: GNU Libtasn1 2.12 released, Simon Josefsson, 2012/03/20
  - Re: Fwd: GNU Libtasn1 2.12 released, Nikos Mavrogiannopoulos <=

Prev by Date: Re: Fwd: GNU Libtasn1 2.12 released
Next by Date: Mu Dynamics, Inc. Security Advisories MU-201202-01 and MU-201202-02 for GnuTLS and Libtasn1
Previous by thread: Re: Fwd: GNU Libtasn1 2.12 released
Next by thread: [sr #107987] compat.h includes some non-working defines
Index(es):
- Date
- Thread