memory leak in GnuTLS iov operations used by Samba

Bug #1893924 reported by Andrew Bartlett on 2020-09-02
This bug affects 1 person
Affects (Status / Importance / Assigned to / Milestone):
  Gnutls: status Unknown, importance Unknown
  gnutls28 (Debian): status Unknown, importance Unknown
  gnutls28 (Ubuntu): status tracked in Groovy
    Groovy: importance High, Unassigned

Bug Description

GnuTLS 3.6.10 and later, such as the 3.6.13 version in Ubuntu 20.04, needs a patch, for otherwise Samba 4.12 and later (when installed by an administrator) leaks memory when used by a macOS client:

See https://bugzilla.samba.org/show_bug.cgi?id=14399 and https://gitlab.com/gnutls/gnutls/-/merge_requests/1278

I can't see the patch to address this issue in the 3.6.13-2ubuntu1.2 patches.

Sebastien Bacher (seb128) wrote :

The issue should be fixed in the current Debian gnutls28 version but that hasn't been merged yet. On focal the samba package is at 4.11 so that shouldn't be an issue?

Changed in gnutls28 (Ubuntu):
importance: Undecided → High
tags: added: rls-gg-incoming
Andrew Bartlett (abartlet) wrote :

Sure, but as upstream we otherwise need to warn Samba users not to deploy current versions onto Ubuntu 20.20, so it would be awesome if this could be fixed.

Both Samba 4.12 and 4.13 (due to be released next week) are impacted.

tags: removed: rls-gg-incoming
Changed in gnutls28 (Ubuntu Groovy):
status: New → Confirmed
Dimitri John Ledkov (xnox) wrote :

What is the test case for this issue? Reading the upstream bug report, I am not sure this is reproducible without a macOS client, or is it?

no longer affects: gnutls28 (Ubuntu Focal)
Dimitri John Ledkov (xnox) wrote :

However we only ship samba 4.11 in focal, thus not affected by this change?

Björn Jacke (bjoern-j3e) wrote :

With the argumentation in comment #4 you are basically asking all developers and users also installing 3rd party packages to stop using Ubuntu?

Dimitri John Ledkov (xnox) wrote :

" onto Ubuntu 20.20" I hope you mean 20.10 there (groovy), for which the fix is now pending.

Changed in gnutls28 (Ubuntu Groovy):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls28 - 3.6.15-4ubuntu2

---------------
gnutls28 (3.6.15-4ubuntu2) groovy; urgency=low

  * Merge from Debian unstable LP: #1893924. Remaining changes:
    - Enable CET.
    - Set default priority string to only allow TLS1.2, DTLS1.2, and
    TLS1.3 with medium security profile (2048 RSA keys minimum, and
    similar).
  * Add patch to fix ftbfs gnulib with new glibc.

gnutls28 (3.6.15-4) unstable; urgency=medium

  * autopkgtest: Require build-essential.
  * autopkgtest: respect dpkg-buildflags for helper-binary build.

gnutls28 (3.6.15-3) unstable; urgency=medium

  * More autopkgtest hotfixes.

gnutls28 (3.6.15-2) unstable; urgency=medium

  * 50_autopkgtestfixes.diff: Fix testsuite issues when running against
    installed gnutls-bin.
  * In autopkgtest set top_builddir and builddir, ignore
    tests/cert-tests/tolerate-invalid-time and tests/gnutls-cli-debug.sh.

gnutls28 (3.6.15-1) unstable; urgency=low

  * New upstream version.
    + Fixes NULL pointer dereference if a no_renegotiation alert is sent with
      unexpected timing. CVE-2020-24659 / GNUTLS-SA-2020-09-04
      Closes: #969547
    + Drop 50_01-serv-omit-upper-bound-of-maxearlydata-option-definit.patch
      50_02-gnutls_aead_cipher_init-fix-potential-memleak.patch
      50_03-gnutls_cipher_init-fix-potential-memleak.patch
      50_04-crypto-api-always-allocate-memory-when-serializing-i.patch
    + Fix build error due to outdated gettext in Debian by removing newer
      gettext m4 macros from m4/.

gnutls28 (3.6.14-2) unstable; urgency=medium

  * Pull selected patches from upstream GIT:
    + 50_01-serv-omit-upper-bound-of-maxearlydata-option-definit.patch:
      Fixes difference in generated docs on 32 and 64 bit archs.
    + 50_02-gnutls_aead_cipher_init-fix-potential-memleak.patch
      50_03-gnutls_cipher_init-fix-potential-memleak.patch
      Fix memleak in gnutls_aead_cipher_init() with keys having invalid
      length. (Broken since 3.6.3)
    + 50_04-crypto-api-always-allocate-memory-when-serializing-i.patch
      Closes: #962467

gnutls28 (3.6.14-1) unstable; urgency=high

  * Drop debugging code added in -4, fixes nocheck profile build error.
    Closes: #962199
  * Add Daiki Ueno 462225C3B46F34879FC8496CD605848ED7E69871 key to
    debian/upstream/signing-key.asc.
  * New upstream version.
    + Fixes insecure session ticket key construction.
      [GNUTLS-SA-2020-06-03, CVE-2020-13777] Closes: #962289
    + Drop 50_Update-session_ticket.c-to-add-support-for-zero-leng.patch
      51_01-_gnutls_pkcs11_verify_crt_status-check-validity-agai.patch
      51_02-x509-trigger-fallback-verification-path-when-cert-is.patch
      51_03-tests-add-test-case-for-certificate-chain-supersedin.patch
  * Drop guile-gnutls.lintian-overrides.
  * 40_fix_ipv6only_testsuite_AI_ADDRCONFIG.diff: In gnutls-serv do not pass
    AI_ADDRCONFIG to getaddrinfo. This broke the testsuite on systems without
    IPv4 on non-loopback addresses. (Thanks, Adrian Bunk and Julien Cristau!)
    Hopefully Closes: #962218

 -- Dimitri John Ledkov <email address hidden> Thu, 24 Sep 2020 12:03:44 +0100

Changed in gnutls28 (Ubuntu Groovy):
status: Fix Committed → Fix Released
tags: added: fr-693