gnutls26 crashes on particularly malformed crypt stream

Bug #1166634 reported by Chip Salzenberg
Affects: gnutls26 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Marc Deslauriers

Bug Description

The patch for CVE-2013-1619 has a bug. It fails to do proper range protection. The attached patch may not be correct insofar as reintroducing a timing exposure; but it does stop the segfaults, which are perhaps more problematic.

This is a security issue because crashes in libgnutls are inherently security issues.

I triggered this by trying to access https URLs via an "all_proxy" in libcurl-gnutls.

Tags: patch

Revision history for this message
Chip Salzenberg (chip-pobox) wrote :

The version known to be affected is 2.8.5-2ubuntu0.3.
I'm using Lucid with a newer libcurl (7.27.0).

Jamie Strandboge (jdstrand) wrote :

Assigning to mdeslaur since he provided the update initially.

information type: Private Security → Public Security
Changed in gnutls26 (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Jamie Strandboge (jdstrand) wrote :

It looks like the logic is quite a bit different here, though:
https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0

We have:
 for (i = 2; i <= pad; i++)

where upstream has:
 for (i = 2; i <= MIN(256, ciphertext->size); i++)
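The two loop bounds quoted above, modelled side by side as an added example (this is not gnutls code): the unbounded form walks `i` up to the pad value taken from the record's last byte, so a record shorter than its claimed padding indexes in front of the buffer, while the upstream form never leaves the record. The pad-length convention (length byte plus one), the sample records and the function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Outcome of checking TLS 1.x CBC padding on a decrypted record. */
enum pad_result { PAD_OK = 0, PAD_BAD = 1, PAD_OUT_OF_BOUNDS = 2 };

/* Loop bounded by the pad value alone (the "i <= pad" form). The model stops
 * and reports the access instead of reading in front of the buffer, which is
 * where the library itself segfaults. */
enum pad_result check_pad_unbounded(const uint8_t *data, size_t size)
{
    if (size == 0)
        return PAD_BAD;
    size_t pad = (size_t)data[size - 1] + 1;  /* length byte plus itself (assumed convention) */
    int failed = 0;
    for (size_t i = 2; i <= pad; i++) {
        if (i > size)                         /* data[size - i] would underflow */
            return PAD_OUT_OF_BOUNDS;
        failed |= (data[size - i] != data[size - 1]);
    }
    return failed ? PAD_BAD : PAD_OK;
}

/* Loop bounded by the record itself (the "i <= MIN(256, size)" form): a claimed
 * pad longer than the record is a failure, and every iteration stays in bounds.
 * The loop still touches MIN(256, size) bytes whatever the pad value, so the
 * memory access pattern does not depend on the peer-controlled length byte. */
enum pad_result check_pad_bounded(const uint8_t *data, size_t size)
{
    if (size == 0)
        return PAD_BAD;
    size_t pad = (size_t)data[size - 1] + 1;
    size_t limit = MIN((size_t)256, size);
    int failed = (pad > size);
    for (size_t i = 2; i <= limit; i++)
        failed |= (i <= pad) & (data[size - i] != data[size - 1]);
    return failed ? PAD_BAD : PAD_OK;
}

/* Constructed sample records (decrypted, padding still attached). */
static const uint8_t rec_good[]  = {1, 2, 3, 4, 5, 2, 2, 2};  /* pad byte 2: three pad bytes */
static const uint8_t rec_bad[]   = {1, 2, 3, 4, 5, 2, 9, 2};  /* one pad byte corrupted */
static const uint8_t rec_short[] = {0xaa, 0xaa, 0xaa, 0xff};  /* claims 256 pad bytes in 4 */
```

On `rec_short` the unbounded check reports the out-of-bounds access that the library turns into a segfault, while the bounded check simply rejects the record.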

Marc Deslauriers (mdeslaur) wrote :

Upstream's 2.12 tree does have the i <= pad though:

https://gitorious.org/gnutls/gnutls/blobs/gnutls_2_12_x/lib/gnutls_cipher.c

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "CVE-2013-1619-crash.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Marc Deslauriers (mdeslaur) wrote :

That patch was released here:

http://www.ubuntu.com/usn/usn-1843-1/

I'm closing this bug. If the issue is still present with that upstream commit, feel free to re-open it.

Thanks!

Changed in gnutls26 (Ubuntu):
status: New → Fix Released