CVE-2010-0731: Buffer Overflow
First published: Fri Mar 12 2010(Updated: )
During the testing of GnuTLS updates, a flaw was discovered affecting Red Hat Enterprise Linux 4 GnuTLS packages on s390x platform, causing gnutls-cli to crash while printing server certificate info. This crash was caused by a flaw in gnutls_x509_crt_get_serial(), which calls asn1_read_value() to extract serial number from the x509 certificate. (lib/x509/x509.c) 526 int gnutls_x509_crt_get_serial(gnutls_x509_crt cert, void* result, 527 size_t* result_size) 528 { ... 536 if ((ret = asn1_read_value(cert->cert, "tbsCertificate.serialNumber", result, result_size)) < 0) { asn1_read_value() expects pointer to int (32 bit) as its third argument, but gnutls_x509_crt_get_serial() passed pointer to size_t (64 bit on 64 bit platforms) instead. On 64bit big endian platforms asn1_read_value() got incorrect length value. (lib/minitasn1/element.c) 598 asn1_retCode 599 asn1_read_value(node_asn *root,const char *name,void* ivalue, int *len) On little endian 64 bit platforms, high 32 bits of the *result_size size_t value were lost, but they only contained zeros. On big endian 64 bit platforms, low 32 bits were lost / ignored, causing asn1_read_value() to see length value as 0. This caused asn1_read_value() to return an error, but the length of the value that should have been extracted was saved to *len. gnutls_x509_crt_get_serial() did not correctly check return value of asn1_read_value(), failing to detect an error. After returning, caller could see a high value stored in *result_size (when interpreted as 64 bit value again). print_x509_info() (used by gnutls-cli or gnutls-serv) and print_certificate_info() (used by certtool) relied on the returned size value. Unexpected value caused a stack buffer overflow in those functions. This bug could also cause gnutls_x509_crt_check_revocation() to incorrectly check supplied X509 certificate against the list of revoked certificates, resulting in a bypass or the CRL check. This issue was fixed upstream via following commit: <a href="http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=112d537d">http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=112d537d</a> This fix was first included in upstream version 1.2.1. Therefore, GnuTLS packages in Red Hat Enterprise Linux 5, Fedora, and current upstream GnuTLS versions are not affected by this flaw.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNU GnuTLS | <=1.2.0 | |
| GNU GnuTLS | =1.0.16 | |
| GNU GnuTLS | =1.0.17 | |
| GNU GnuTLS | =1.0.18 | |
| GNU GnuTLS | =1.0.19 | |
| GNU GnuTLS | =1.0.20 | |
| GNU GnuTLS | =1.0.21 | |
| GNU GnuTLS | =1.0.22 | |
| GNU GnuTLS | =1.0.23 | |
| GNU GnuTLS | =1.0.24 | |
| GNU GnuTLS | =1.0.25 | |
| GNU GnuTLS | =1.1.13 | |
| GNU GnuTLS | =1.1.14 | |
| GNU GnuTLS | =1.1.15 | |
| GNU GnuTLS | =1.1.16 | |
| GNU GnuTLS | =1.1.17 | |
| GNU GnuTLS | =1.1.18 | |
| GNU GnuTLS | =1.1.19 | |
| GNU GnuTLS | =1.1.20 | |
| GNU GnuTLS | =1.1.21 | |
| GNU GnuTLS | =1.1.22 | |
| GNU GnuTLS | =1.1.23 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=573028
- http://www.securityfocus.com/bid/38959
- http://www.vupen.com/english/advisories/2010/0713
- http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4230
- http://www.redhat.com/support/errata/RHSA-2010-0167.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:089
- http://www.vupen.com/english/advisories/2010/1054
- http://secunia.com/advisories/39127
- http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9759
- http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=112d537d
- https://rhn.redhat.com/errata/RHSA-2010-0167.html
- agent/references
- agent/type
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- agent/author
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2010-0731
- agent/weakness
- agent/tags
- agent/trending
- vendor/gnu
- canonical/gnu gnutls
- version/gnu gnutls/1.2.0
- version/gnu gnutls/1.0.16
- version/gnu gnutls/1.0.17
- version/gnu gnutls/1.0.18
- version/gnu gnutls/1.0.19
- version/gnu gnutls/1.0.20
- version/gnu gnutls/1.0.21
- version/gnu gnutls/1.0.22
- version/gnu gnutls/1.0.23
- version/gnu gnutls/1.0.24
- version/gnu gnutls/1.0.25
- version/gnu gnutls/1.1.13
- version/gnu gnutls/1.1.14
- version/gnu gnutls/1.1.15
- version/gnu gnutls/1.1.16
- version/gnu gnutls/1.1.17
- version/gnu gnutls/1.1.18
- version/gnu gnutls/1.1.19
- version/gnu gnutls/1.1.20
- version/gnu gnutls/1.1.21
- version/gnu gnutls/1.1.22
- version/gnu gnutls/1.1.23