gnutls-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Fwd: crash in GNUTLS-1.4.0]


From: Simon Josefsson
Subject: Re: [Fwd: crash in GNUTLS-1.4.0]
Date: Mon, 24 May 2010 21:50:24 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Tomas Hoger analyzed the problem further and provided this insight:

  The issue is a NULL pointer dereference crash that occurs during X509
  certificate verification.  Both clients and server could be affected.
  Attacker needs to have a certificate using hash algorithm not
  supported by the affected GnuTLS version, that was issued by a trusted
  CA.

There wasn't any CVE for this vulnerability before, but we've assigned
CVE-2006-7239 to it now.  I've updated our web site about this:
http://www.gnu.org/software/gnutls/security.html

Note that this problem was fixed in GnuTLS version 1.4.2 which was
released back in August 2006.

/Simon

Simon Josefsson <address@hidden> writes:

> With some guess-work, I was able to reproduce the problem, and the
> patch is below.  I'm not yet sure what it is that trigger the problem.
> If I replace the server key/certificate with another pair, it doesn't
> crash, and if I instead replace the CA certificate with another CA
> certificate, it doesn't crash either.  So it seems it is a combination
> with the particular CA certificate and server key/certificate that you
> sent.
>
> I'm going away over the weekend, so if anybody here wants to analyze
> this further, that would be appreciated.  Here is the recipe to
> reproduce the crash:
>
> $ gnutls-serv --x509keyfile key.pem --x509certfile newcert.pem
> ...
> $ gnutls-cli --x509cafile cacert.pem --port 5556 localhost
>
> I'm labeling this problem as GNUTLS-SA-2006-02 because, under some
> unclear situations, it is a remotely triggered crash of clients.
>
> /Simon
>
> Index: gnutls_algorithms.c
> ===================================================================
> RCS file: /cvs/gnutls/gnutls/lib/gnutls_algorithms.c,v
> retrieving revision 2.156
> retrieving revision 2.157
> diff -u -p -r2.156 -r2.157
> --- gnutls_algorithms.c       15 Dec 2005 13:24:29 -0000      2.156
> +++ gnutls_algorithms.c       11 Aug 2006 22:40:36 -0000      2.157
> @@ -1,5 +1,5 @@
>  /*
> - * Copyright (C) 2000, 2002, 2003, 2004, 2005 Free Software Foundation
> + * Copyright (C) 2000, 2002, 2003, 2004, 2005, 2006 Free Software Foundation
>   *
>   * Author: Nikos Mavroyanopoulos
>   *
> @@ -563,7 +563,7 @@ _gnutls_x509_oid2mac_algorithm (const ch
>  {
>    gnutls_mac_algorithm_t ret = 0;
>  
> -  GNUTLS_HASH_LOOP (if (strcmp (oid, p->oid) == 0)
> +  GNUTLS_HASH_LOOP (if (p->oid && strcmp (oid, p->oid) == 0)
>                   {
>                   ret = p->id; break;}
>    );
>
>
>
> _______________________________________________
> Gnutls-dev mailing list
> address@hidden
> http://lists.gnupg.org/mailman/listinfo/gnutls-dev



reply via email to

[Prev in Thread] Current Thread [Next in Thread]