gnutls-devel

Re: GNUTLS-SA-2008-1 question


From: Simon Josefsson
Subject: Re: GNUTLS-SA-2008-1 question
Date: Mon, 19 May 2008 23:34:41 +0200
User-agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.2 (gnu/linux)

Josh Bressers <address@hidden> writes:

> Hello,
>
> My name is Josh Bressers and I am a member of the Red Hat Security Response
> Team.
>
> I just found out about GNUTLS-SA-2008-1 and was wondering if you could
> clear something up for me.

Hi!

Btw, be sure to check out the 2.2.5 announcement.

> The advisory states it's a denial of service, but from reading the
> advisory, GNUTLS-SA-2008-1-1, it sounds like it should be an exploitable
> buffer overflow, not just a denial-of-service.  Are you willing to share
> your reasoning for calling this a DoS rather than an arbitrary code
> execution flaw?

It may indeed be more than just a denial-of-service, but we don't have
resources to analyze this in more detail.  We just echo the report that
was submitted to us, and it was about segmentation faults.

> Also, would you be willing to share the reproducer for this flaw?  We are
> interested in it for QA purposes.

I'll attach my internal notes for reproducing the flaws to you in a
private email.

> I'm also wondering if you'd be willing to give the Vendor Security group a
> heads up on issues such as this in the future.  You can find more details
> about the group here:
> http://oss-security.openwall.org/wiki/mailinglists/vendor-sec

The vulnerability was submitted to us via CERT-FI, so I incorrectly
assumed they had communicated this to vendors.  I'll see if I can
subscribe to the list to be able to give a heads-up in the future.

Thanks,
/Simon



