Message-ID: <dee5300f-607e-4108-9739-a63ee81edeb4@oracle.com>
Date: Fri, 11 Jul 2025 14:35:19 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: gnutls 3.8.10 fixes 4 CVEs

https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html
announces the release of gnutls-3.8.10, a bug fix, security and enhancement
release on the 3.8.x branch, including fixes for:

** libgnutls: Fix NULL pointer dereference when 2nd Client Hello omits PSK
   Reported by Stefan Bühler. [GNUTLS-SA-2025-07-07-4, CVSS: medium]
   [CVE-2025-6395]

** libgnutls: Fix heap read buffer overrun in parsing X.509 SCTS timestamps
   Spotted by oss-fuzz and reported by OpenAI Security Research Team,
   and fix developed by Andrew Hamilton. [GNUTLS-SA-2025-07-07-1,
   CVSS: medium] [CVE-2025-32989]

** libgnutls: Fix double-free upon error when exporting otherName in SAN
   Reported by OpenAI Security Research Team. [GNUTLS-SA-2025-07-07-2,
   CVSS: low] [CVE-2025-32988]

** certtool: Fix 1-byte write buffer overrun when parsing template
   Reported by David Aitel. [GNUTLS-SA-2025-07-07-3,
   CVSS: low] [CVE-2025-32990]

https://www.gnutls.org/security-new.html provides a few more details:

GNUTLS-SA-2025-07-08-1
CVE-2025-32989
Severity Medium; Heap read buffer overflow

When an X.509 certificate contains an SCT (signed certificate timestamp)
extension and its length field is malformed, the library could read the
memory buffer past the boundary. The issue was reported in the issue
tracker as <https://gitlab.com/gnutls/gnutls/-/issues/1695>.

Recommendation: To address the issue found upgrade to GnuTLS 3.8.10 or
later versions. The issue could be effectively avoided if you compile the
library with -D_FORTIFY_SOURCE=2.

------------------------------------------------------------------------------

GNUTLS-SA-2025-07-08-2
CVE-2025-32988
Severity Low; Memory corruption on error path

When any error occurs during exporting a certificate with an otherName in
the SAN (subject alternative name) extension, the library could
potentially double free the ASN.1 structure. The issue was reported in the
issue tracker as <https://gitlab.com/gnutls/gnutls/-/issues/1694>.

Recommendation: To address the issue found upgrade to GnuTLS 3.8.10 or
later versions.

------------------------------------------------------------------------------

GNUTLS-SA-2025-07-08-3
CVE-2025-32990
Severity Low; Heap write buffer overflow

When the certtool program is invoked with a template file with a number of
string pairs for a single keyword, a NULL pointer could be written past
the memory boundary. The issue was reported in the issue tracker as
<https://gitlab.com/gnutls/gnutls/-/issues/1696>.

Recommendation: To address the issue found upgrade to GnuTLS 3.8.10 or
later versions.

------------------------------------------------------------------------------

GNUTLS-SA-2025-07-08-4
CVE-2025-6395
Severity Medium; Denial of service

When a TLS 1.3 handshake involves a Hello Retry Request and the second
Client Hello omits the PSK which was present in the first Client Hello,
the GnuTLS server can dereference a NULL pointer. The issue was reported
in the issue tracker as <https://gitlab.com/gnutls/gnutls/-/issues/1718>.

Recommendation: To address the issue found upgrade to GnuTLS 3.8.10 or
later versions.

-- 
-Alan Coopersmith- alan.coopersmith@...cle.com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
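
Added illustration for the CVE-2025-32989 entry above (not part of the original message, not GnuTLS code and not the upstream fix): a length-checked walk over the RFC 6962 SCT list framing, showing the kind of check that stops a malformed length field from driving a read past the buffer. The function name `sct_list_count` and the sample buffers are hypothetical and constructed, and the code assumes the extension payload has already been unwrapped to the raw list encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: SCT bodies are opaque filler, only the framing matters. */
static const uint8_t sample_ok[]  = { 0x00, 0x07, 0x00, 0x02, 0xAA, 0xBB, 0x00, 0x01, 0xCC };
static const uint8_t sample_bad[] = { 0x00, 0x05, 0x00, 0x40, 0xAA, 0xBB, 0xCC };

/* Read a big-endian 16-bit length only if two bytes remain. */
static int read_u16(const uint8_t *p, size_t remaining, size_t *out)
{
    if (remaining < 2)
        return -1;
    *out = ((size_t)p[0] << 8) | p[1];
    return 0;
}

/* Walk a SignedCertificateTimestampList (2-byte list length, then entries
 * each prefixed by a 2-byte length) and count the entries. Returns -1 if
 * any length field disagrees with the bytes actually present. */
int sct_list_count(const uint8_t *buf, size_t len)
{
    size_t list_len, sct_len, off = 2;
    int count = 0;

    if (read_u16(buf, len, &list_len) < 0)
        return -1;
    if (list_len != len - 2)                 /* outer length must match exactly */
        return -1;
    while (off < len) {
        if (read_u16(buf + off, len - off, &sct_len) < 0)
            return -1;
        off += 2;
        if (sct_len == 0 || sct_len > len - off)  /* entry must fit in what is left */
            return -1;
        off += sct_len;
        count++;
    }
    return count;
}

int main(void)
{
    printf("well-formed: %d\n", sct_list_count(sample_ok, sizeof sample_ok));
    printf("malformed:   %d\n", sct_list_count(sample_bad, sizeof sample_bad));
    return 0;
}
```
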