Date: Tue, 7 Jun 2016 11:27:00 +0200 From: Adam Maris <amaris@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: GnuTLS: GNUTLS-SA-2016-1: File overwrite by setuid programs On 07/06/16 08:45, Salvatore Bonaccorso wrote: > Hi > > GnuTLS 3.4.13 was released addressing GNUTLS-SA-2016-1, > http://gnutls.org/security.html#GNUTLS-SA-2016-1 : > >> Setuid programs using GnuTLS 3.4.12 could potentially allow an >> attacker to overwrite and corrupt arbitrary files in the filesystem. >> This issue was introduced in GnuTLS 3.4.12 and fixed in GnuTLS 3.4.13. >> Recommendation: Upgrade to GnuTLS 3.4.13, or later versions. > The relevant upstream commits seem to be: > > https://gitlab.com/gnutls/gnutls/compare/fb2a6baef79f4aadfd95e657fe5a18da20a1410e...86076c9b17b9a32b348cafb8b724f57f7da64d58 > > Can you assign a CVE for this issue? > > Regards, > Salvatore We already assigned CVE-2016-4456 for using insecure getenv() on GNUTLS_KEYLOGFILE when we got a report for this issue. Not sure why it's not included in the advisory. I'm dealing with that now. Regards, -- Adam Mariš, Red Hat Product Security 1CCD 3446 0529 81E3 86AF 2D4C 4869 76E7 BEF0 6BC2
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ