Re: [Fwd: crash in GNUTLS-1.4.0]
From: Nikos Mavrogiannopoulos
Subject: Re: [Fwd: crash in GNUTLS-1.4.0]
Date: Mon, 24 May 2010 23:49:01 +0200
User-agent: Thunderbird 2.0.0.24 (X11/20100411)
Simon Josefsson wrote:
Nice to know. I've committed a similar check for other structures that
used strcmp as well.
regards,
Nikos
> Tomas Hoger analyzed the problem further and provided this insight:
>
> The issue is a NULL pointer dereference crash that occurs during X509
> certificate verification. Both clients and server could be affected.
> Attacker needs to have a certificate using hash algorithm not
> supported by the affected GnuTLS version, that was issued by a trusted
> CA.
>
> There wasn't any CVE for this vulnerability before, but we've assigned
> CVE-2006-7239 to it now. I've updated our web site about this:
> http://www.gnu.org/software/gnutls/security.html
>
> Note that this problem was fixed in GnuTLS version 1.4.2 which was
> released back in August 2006.
>
> /Simon
>
> Simon Josefsson <address@hidden> writes:
>
>> With some guess-work, I was able to reproduce the problem, and the
>> patch is below. I'm not yet sure what it is that triggers the problem.
>> If I replace the server key/certificate with another pair, it doesn't
>> crash, and if I instead replace the CA certificate with another CA
>> certificate, it doesn't crash either. So it seems it is a combination
>> with the particular CA certificate and server key/certificate that you
>> sent.
>>
>> I'm going away over the weekend, so if anybody here wants to analyze
>> this further, that would be appreciated. Here is the recipe to
>> reproduce the crash:
>>
>> $ gnutls-serv --x509keyfile key.pem --x509certfile newcert.pem
>> ...
>> $ gnutls-cli --x509cafile cacert.pem --port 5556 localhost
>>
>> I'm labeling this problem as GNUTLS-SA-2006-02 because, under some
>> unclear situations, it is a remotely triggered crash of clients.
>>
>> /Simon
>>
>> Index: gnutls_algorithms.c
>> ===================================================================
>> RCS file: /cvs/gnutls/gnutls/lib/gnutls_algorithms.c,v
>> retrieving revision 2.156
>> retrieving revision 2.157
>> diff -u -p -r2.156 -r2.157
>> --- gnutls_algorithms.c 15 Dec 2005 13:24:29 -0000 2.156
>> +++ gnutls_algorithms.c 11 Aug 2006 22:40:36 -0000 2.157
>> @@ -1,5 +1,5 @@
>> /*
>> - * Copyright (C) 2000, 2002, 2003, 2004, 2005 Free Software Foundation
>> + * Copyright (C) 2000, 2002, 2003, 2004, 2005, 2006 Free Software Foundation
>> *
>> * Author: Nikos Mavroyanopoulos
>> *
>> @@ -563,7 +563,7 @@ _gnutls_x509_oid2mac_algorithm (const ch
>> {
>> gnutls_mac_algorithm_t ret = 0;
>>
>> - GNUTLS_HASH_LOOP (if (strcmp (oid, p->oid) == 0)
>> + GNUTLS_HASH_LOOP (if (p->oid && strcmp (oid, p->oid) == 0)
>> {
>> ret = p->id; break;}
>> );
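Review bot: In the GNUTLS_HASH_LOOP condition only p->oid is guarded; the oid argument is still passed to strcmp unchecked, so a NULL oid from a caller would fault in the same place. Consider returning early when oid is NULL, and add a comment that table entries may carry a NULL oid and that ret stays 0 when nothing matches, so callers treat 0 as an unsupported hash rather than as a usable algorithm id.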
>>
>>
>>
>
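The class of bug fixed by the quoted patch, as an added example that is not part of the thread and not GnuTLS code: a lookup over a table in which one entry has no OID, using the same guard as the patch plus a caller that fails closed on an unknown hash. The table contents, `oid_to_hash_id` and `check_signature_hash` are hypothetical, and the presence of an entry without an OID is an assumption drawn from the `p->oid &&` check.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a hash algorithm table; not GnuTLS's own data. */
struct hash_entry {
    const char *name; /* NULL name terminates the table */
    const char *oid;  /* assumed: may be NULL for an algorithm with no OID */
    int id;           /* 0 is reserved for "unknown" */
};

static const struct hash_entry hash_table[] = {
    { "SHA1", "1.3.14.3.2.26",      1 },
    { "MD5",  "1.2.840.113549.2.5", 2 },
    { "NULL", NULL,                 3 }, /* entry without an OID */
    { NULL,   NULL,                 0 }
};

/* Guarded lookup: skips entries with no OID, as the patch does, and also
 * rejects a NULL argument. Returns 0 when the OID is not in the table. */
int oid_to_hash_id(const char *oid)
{
    const struct hash_entry *p;

    if (oid == NULL)
        return 0;
    for (p = hash_table; p->name != NULL; p++)
        if (p->oid != NULL && strcmp(oid, p->oid) == 0)
            return p->id;
    return 0;
}

/* Caller side: fail closed on an unknown hash instead of using id 0. */
int check_signature_hash(const char *oid)
{
    return oid_to_hash_id(oid) != 0 ? 0 : -1;
}

int main(void)
{
    /* SHA-256 OID: absent from the constructed table, so the loop reaches
     * the NULL-oid entry, the case an unguarded strcmp would crash on. */
    printf("sha1=%d unsupported=%d\n",
           check_signature_hash("1.3.14.3.2.26"),
           check_signature_hash("2.16.840.1.101.3.4.2.1"));
    return 0;
}
```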