Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 21 Mar 2012 12:32:59 +0100
From: Stefan Cornelius <>
Subject: CVE request: GnuTLS TLS record handling issue / MU-201202-01


Correcting myself as more details about the GnuTLS case were revealed:
GnuTLS needs a CVE after all, for another issue different from

Quoting the Mu Dynamics advisory [1]:

The block cipher decryption logic in GnuTLS assumed that a record
containing any data which was a multiple of the block size was valid for
further decryption processing, leading to a heap corruption vulnerability.

The bug can be reproduced in GnuTLS 3.0.14 by creating a corrupt
GenericBlockCipher struct with a valid IV, while everything else is
stripped off the end, while the handshake message length retains its
original value: [...]

This will cause a segmentation fault, when the ciphertext_to_compressed
function tries to give decrypted data to _gnutls_auth_cipher_add_auth
for HMAC verification, even though the data length is invalid, and it
should have returned GNUTLS_E_DECRYPTION_FAILED or
_gnutls_auth_cipher_add_auth was called.

NOTE: This CVE request is only for the GnuTLS TLS record handling issue
/ MU-201202-01. When looking at the release notes [2] and [3], there are
other issues that may be worthy of a CVE, but are currently still under

** libgnutls: Eliminate double free during SRP
authentication. Reported by Peter Penzov.

** libgnutls: PKCS #11 objects that do not have ID
no longer crash listing. Reported by Sven Geggus.

-- References --

[1] Mu Dynamics:

[2] GnuTLS 3.0.15 release announcement:

[3] GnuTLS 2.12.17 release announcement:

[4] GNUTLS-SA-2012-2:

[5] Red Hat bug:

Thanks and kind regards,
Stefan Cornelius / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ