Ubuntu
gnutls28 package

libgnutls28 appears to not have been updated for CVE-2014-3466 in Trusty

Bug #1326779 reported by Owain Kenway on 2014-06-05
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gnutls28 (Ubuntu)
Fix Released
Critical
Unassigned
Nominated for Trusty by Alberto Salvia Novella
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

Hi,

Although you've pushed out a patch for CVE-2014-3466 to libgnutls26 in the current stable LTS Ubuntu release (Trusty) you've not pushed out a corresponding patch for libgnutls28 (which is used by some packages).

Looking at the apt-cache policy output:

$ apt-cache policy libgnutls28
libgnutls28:
  Installed: 3.2.11-2ubuntu1
  Candidate: 3.2.11-2ubuntu1
  Version table:
 *** 3.2.11-2ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status

This would look like a vulnerable version according to the CVE report (also launchpad shows this package as not having been updated since the 5th of March).

http://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2014-3466

Can you please push out this patch asap, especially given that the vulnerability has been widely publicised in the media as of yesterday?

Thanks,
Dr Owain Kenway

CVE References

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in gnutls28 (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
Owain Kenway (o-kenway) on 2014-06-06
tags: added: trusty
Simon Arlott (sa.me.uk) wrote :

There is a fix for this in the Debian version 3.2.15-2 of the package.

Changed in gnutls28 (Ubuntu):
status: Incomplete → Confirmed
Alberto Salvia Novella (es20490446e) wrote :

It has a severe impact on a large portion of Ubuntu users.

Changed in gnutls28 (Ubuntu):
importance: Undecided → Critical
Alberto Salvia Novella (es20490446e) on 2014-12-25
Changed in gnutls28 (Ubuntu):
status: Confirmed → Triaged
Mathew Hodson (mathew-hodson) on 2015-02-17
tags: added: amd64
LocutusOfBorg (costamagnagianfranco) wrote :

trivial patch attached from
https://www.gitorious.org/gnutls/gnutls/commit/688ea6428a432c39203d00acd1af0e7684e5ddfd
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3466

LocutusOfBorg (costamagnagianfranco) wrote :
LocutusOfBorg (costamagnagianfranco) wrote :

test build ongoing on ppa:costamagnagianfranco/locutusofborg-ppa

Marc Deslauriers (mdeslaur) wrote :

subscribing ubuntu-security-sponsors as per:

https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes%20for%20Contributors

Tyler Hicks (tyhicks) wrote :

Hi LocutusOfBorg - Thank you for the debdiff. I've made some adjustments to it in order to follow our security update packing guidelines (https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging):

 - Pocket should be trusty-security instead of trusty
 - Version should be 3.2.11-2ubuntu1.1 instead of 3.2.11-2ubuntu2
 - Patch was missing the DEP3 origin patch tag
 - Changelog did not follow the "SECURITY UPDATE:" style

Additionally, I folded in upstream's test patch (https://www.gitorious.org/gnutls/gnutls/commit/a7be326f0e33cf7ce52b36474c157f782d9ca977). Build tests are always a nice thing to add.

Thanks!

Changed in gnutls28 (Ubuntu):
status: Triaged → Confirmed
LocutusOfBorg (costamagnagianfranco) wrote :

Hi Tyler,

> - Pocket should be trusty-security instead of trusty

I remember Coling saying something about proposed mapped automatically to the release, I thought security was actually the same, but obviously not because they are not in the same pocket (bad me, I didn't think enough)

- Version should be 3.2.11-2ubuntu1.1 instead of 3.2.11-2ubuntu2

OOps, sorry I usually fix stuff in packages I maintain, bad me

- Patch was missing the DEP3 origin patch tag

yes, sorry

- Changelog did not follow the "SECURITY UPDATE:" style

this is something I'm trying to learn, but I forgot/I'm not able to do it correctly.

thanks a lot for the fixes and for caring!

Tyler Hicks (tyhicks) wrote :

No worries! I also prepared a 12.04 update since the patch is trivial. Packages are building now.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls28 - 3.0.11-1ubuntu2.1

---------------
gnutls28 (3.0.11-1ubuntu2.1) precise-security; urgency=medium

  * SECURITY UPDATE: Denial of service and possible remote arbitrary code
    execution via crafted ServerHello message
    - debian/patches/21_CVE-2014-3466.patch: Add upper bounds check for
      session id size. Based on upstream patch. (LP: #1326779)

 -- Tyler Hicks <email address hidden> Thu, 11 Jun 2015 10:51:35 -0500

Changed in gnutls28 (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls28 - 3.2.11-2ubuntu1.1

---------------
gnutls28 (3.2.11-2ubuntu1.1) trusty-security; urgency=medium

  [ Gianfranco Costamagna ]
  * SECURITY UPDATE: Denial of service and possible remote arbitrary code
    execution via crafted ServerHello message
    - debian/patches/21_CVE-2014-3466.patch: Add upper bounds check for
      session id size. Based on upstream patch. (LP: #1326779)

  [ Tyler Hicks ]
  * debian/patches/21_CVE-2014-3466.patch: Fold in the test for
    CVE-2014-3466's fix. Based on upstream patch.

 -- Tyler Hicks <email address hidden> Thu, 11 Jun 2015 10:42:35 -0500

Changed in gnutls28 (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.
Subscribing...

Other bug subscribers