gnutls28: CVE-2015-3308: use-after-free flaw in CRL distribution points parsing

Debian Bug report logs - #782776
gnutls28: CVE-2015-3308: use-after-free flaw in CRL distribution points parsing

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2015-3308

Date: Fri, 17 Apr 2015 19:05:15 +0200

Source: gnutls28
Severity: important
Tags: security

Hi Andreas,
this was assigned CVE-2015-3308:
http://www.openwall.com/lists/oss-security/2015/04/15/6  

gnutls in wheezy or squeeze should not be affected, the
code was introduced in 3.3 (please double-check).

This doesn't seem severe, could you fix this in the first
jessie point release?

Cheers,
        Moritz

Message #14 received at 782776@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@bebt.de>

To: Moritz Muehlenhoff <jmm@debian.org>, 782776@bugs.debian.org

Subject: Re: Bug#782776: CVE-2015-3308

Date: Sat, 18 Apr 2015 19:22:46 +0200

On 2015-04-17 Moritz Muehlenhoff <jmm@debian.org> wrote:
> Hi Andreas,
> this was assigned CVE-2015-3308:
> http://www.openwall.com/lists/oss-security/2015/04/15/6  

> gnutls in wheezy or squeeze should not be affected, the
> code was introduced in 3.3 (please double-check).

> This doesn't seem severe, could you fix this in the first
> jessie point release?

Hello,

I will push an upload to unstable to get some free testing and will try
to get this fixed in jessie, either with a separate upload or (if jessie
is delayed) an unblock.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Message #19 received at 782776-close@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@debian.org>

To: 782776-close@bugs.debian.org

Subject: Bug#782776: fixed in gnutls28 3.3.8-7

Date: Sat, 18 Apr 2015 17:48:49 +0000

Source: gnutls28
Source-Version: 3.3.8-7

We believe that the bug you reported is fixed in the latest version of
gnutls28, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 782776@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated gnutls28 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Apr 2015 19:11:01 +0200
Source: gnutls28
Binary: libgnutls28-dev libgnutls-deb0-28 libgnutls28-dbg gnutls-bin gnutls-doc guile-gnutls libgnutlsxx28 libgnutls-openssl27
Architecture: source i386 all
Version: 3.3.8-7
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description:
 gnutls-bin - GNU TLS library - commandline utilities
 gnutls-doc - GNU TLS library - documentation and examples
 guile-gnutls - GNU TLS library - GNU Guile bindings
 libgnutls-deb0-28 - GNU TLS library - main runtime library
 libgnutls-openssl27 - GNU TLS library - OpenSSL wrapper
 libgnutls28-dbg - GNU TLS library - debugger symbols
 libgnutls28-dev - GNU TLS library - development files
 libgnutlsxx28 - GNU TLS library - C++ runtime library
Closes: 782776
Changes:
 gnutls28 (3.3.8-7) unstable; urgency=medium
 .
   * 45_eliminated-double-free.diff 46_Better-fix-for-the-double-free.diff:
     Pull two patches from upstream to a use-after-free flaw in
     gnutls_x509_ext_import_crl_dist_points(). CVE-2015-3308
     Closes: #782776
Checksums-Sha1:
 21d56b9a34121f8174eb2b974d2c66e7ae5778a7 2913 gnutls28_3.3.8-7.dsc
 a1c5c7d81c61148c65fe8168ed7bed52f92b9475 90340 gnutls28_3.3.8-7.debian.tar.xz
 cb69010ab40d21838eb89f87afbec2d6e3bb1a2a 680562 libgnutls28-dev_3.3.8-7_i386.deb
 57506ec872921952571767e6ab6e3ad35c645cd6 708722 libgnutls-deb0-28_3.3.8-7_i386.deb
 b8e5fa35c2de0ad535ba4ad4e8e4cd6247b6dd2d 1916172 libgnutls28-dbg_3.3.8-7_i386.deb
 2af3b7040a27e2948a0947177fe728cf153b0c10 309614 gnutls-bin_3.3.8-7_i386.deb
 ad9b39bb8c319182b1af34511b375c2c04490b93 3620666 gnutls-doc_3.3.8-7_all.deb
 065280718c2cfcf582034b981d4011acf6e720d9 175256 guile-gnutls_3.3.8-7_i386.deb
 f9aa86d0c9dcc019ddf1ddaf55ade407e631350e 15406 libgnutlsxx28_3.3.8-7_i386.deb
 7601ddd1f1cd7a27e09e9b1d3a220906600c812a 142890 libgnutls-openssl27_3.3.8-7_i386.deb
Checksums-Sha256:
 53362cab0b80af8e0dc0231180c21df7d3cba6669f10314b531b0b2bebe5f48c 2913 gnutls28_3.3.8-7.dsc
 6840c92aad3e235ced424c05f7506f5a4f711d3eab2a6794f4d3c9a8a3f0161a 90340 gnutls28_3.3.8-7.debian.tar.xz
 608611b976cff0de136868fb44e997cbf8dbae0f545084720df436ee0cab3059 680562 libgnutls28-dev_3.3.8-7_i386.deb
 c670a6073d95bdb1720d7f9e4e8167396e6102111de186904be7c8976f9a6564 708722 libgnutls-deb0-28_3.3.8-7_i386.deb
 1471ead56ad40e90b8d6d97db9b09b92069f7c79528dc5fc05f7382d57c73b3a 1916172 libgnutls28-dbg_3.3.8-7_i386.deb
 55b467289741aae0e8b8db80abce3f647d1201e8035a0e4f155de7a0b26f2125 309614 gnutls-bin_3.3.8-7_i386.deb
 722a82c98c41124736633cf8d0c5b0a1a2de8407cec85c01fae54a74a08017c1 3620666 gnutls-doc_3.3.8-7_all.deb
 5b186e4e68cf4cf5524af021c5f8b17004390e2be132ad9a88899f493652ef1a 175256 guile-gnutls_3.3.8-7_i386.deb
 0a0c86a96e0e973b2ca18ada82a1655304789a1e15d09b55b635fdbd60432440 15406 libgnutlsxx28_3.3.8-7_i386.deb
 5e3ca04f7429c5e1c513ccd3df26c17f97b252977a69a1dac5464bf9c1d32468 142890 libgnutls-openssl27_3.3.8-7_i386.deb
Files:
 3319badd0b4f77ce4b5ee51ee3b18447 2913 libs optional gnutls28_3.3.8-7.dsc
 e954b0f72d026c1336de822801cc0a52 90340 libs optional gnutls28_3.3.8-7.debian.tar.xz
 ee398024017abd7ed659b2dbbf5e2fab 680562 libdevel optional libgnutls28-dev_3.3.8-7_i386.deb
 aad790e9b1614cf8e2bc0ee92ffebb9a 708722 libs standard libgnutls-deb0-28_3.3.8-7_i386.deb
 bf1a63c913c4b3c04092a56baf2b7427 1916172 debug extra libgnutls28-dbg_3.3.8-7_i386.deb
 671c78649afcb3b4f89f1ad06bf04b28 309614 net optional gnutls-bin_3.3.8-7_i386.deb
 69a7abc95d14ad36a074816ca7afd464 3620666 doc optional gnutls-doc_3.3.8-7_all.deb
 eb9fb52ebab3a828bd5e1ec56ac8a483 175256 lisp optional guile-gnutls_3.3.8-7_i386.deb
 8a4704883071154222e6c26a448901a7 15406 libs extra libgnutlsxx28_3.3.8-7_i386.deb
 739c62a8d0dc9d26b3013fe7e26c9ed3 142890 libs standard libgnutls-openssl27_3.3.8-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVMpSfAAoJEKVPAYVDghSE4L4QAJn0IWSjH1kIQbShpRWfEMLq
m8a0CK8JRtzjtK+iBOR8DdatkNIcR7sBntxiTWvHquK/38jorakFnGmVYbDj5x4l
D/oeX+Jgdku59RVDEss0o6Rufb9Wcq0dD5uIxeLj6AsRMPF8KOWfWkXg2VbRMg4Y
1QjxZkvRUx9KxItFN0KhRLuZ9IDW1SYk1RCSAPfUdRoq3auIIJ8q4eONv8mJjsz/
p39mDmIpQ8F3qMM/zfSJr5QNfEqeALTn33ID33MBUi4U1RMiZUSenohayKKCajZO
28TIoJQ1mDlWiL8ZacFzqK+N+4Gjcav2rEjPf6EMtNqr9Sp/Uh0IEJKzAhnYGipN
BwbelNzVR10wJv6GUtLHlox8u9U60N4yxWTdlNQaByqBE0UfKkU3QkPi6pQGYjXs
l1pBJ1x2ReeCBioqVPIJEMkc07gPfU7gplnIzX7D/hBROJN9VrBMoQ7UP6TFDXDR
7oxJKBwdZuhMENYTPv/ax3aeLovl2EcySMc3PsOBpyfs2eUZcWKMK78W8XDgULn3
ZQBd1hh/ay+qg0VzHJZU7nMT8Jaxgs9PXY3Paz+Ah5t1YTxH+tzbYikP9X+Rvgs2
rsJS2GVfDXBE9IWC3Pa90bi7kIJyhhuVpabi7HBjKjDKOFhPT/1cjFr9EfJFlNwv
c5sviT5v+K6BZftlO8X4
=ZSJ5
-----END PGP SIGNATURE-----

Message #26 received at 782776@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Andreas Metzler <ametzler@bebt.de>, 782776@bugs.debian.org

Cc: Moritz Muehlenhoff <jmm@debian.org>

Subject: Re: Bug#782776: CVE-2015-3308

Date: Sun, 19 Apr 2015 06:20:35 +0200

Hi Andreas,

On Sat, Apr 18, 2015 at 07:22:46PM +0200, Andreas Metzler wrote:
> On 2015-04-17 Moritz Muehlenhoff <jmm@debian.org> wrote:
> > Hi Andreas,
> > this was assigned CVE-2015-3308:
> > http://www.openwall.com/lists/oss-security/2015/04/15/6  
> 
> > gnutls in wheezy or squeeze should not be affected, the
> > code was introduced in 3.3 (please double-check).

FYI: Should have been introduced with 3.3.0, yes:
http://gnutls.org/manual/html_node/X509-certificate-API.html#gnutls_005fx509_005fext_005fimport_005fcrl_005fdist_005fpoints-1
(have added accordingly the found version for the BTS).

> > This doesn't seem severe, could you fix this in the first
> > jessie point release?
> 
> Hello,
> 
> I will push an upload to unstable to get some free testing and will try
> to get this fixed in jessie, either with a separate upload or (if jessie
> is delayed) an unblock.

Note that there will proably be no more unblocks now since we are
effectively in deep freeze for the jessie release. So this update will
most likely go trough either a jessie-proposed-update, or a
jessie-security update.

Regards,
Salvatore

Message #33 received at 782776@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@bebt.de>

To: Moritz Muehlenhoff <jmm@debian.org>, 782776@bugs.debian.org

Subject: Re: Bug#782776: CVE-2015-3308

Date: Mon, 27 Apr 2015 20:15:03 +0200

On 2015-04-18 Andreas Metzler <ametzler@bebt.de> wrote:
> On 2015-04-17 Moritz Muehlenhoff <jmm@debian.org> wrote:
> > Hi Andreas,
> > this was assigned CVE-2015-3308:
[..]
> > This doesn't seem severe, could you fix this in the first
> > jessie point release?

> Hello,

> I will push an upload to unstable to get some free testing and will try
> to get this fixed in jessie, either with a separate upload or (if jessie
> is delayed) an unblock.
> cu Andreas

I have submitted a bug for a pu upload, see 783526.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Message #38 received at 782776-close@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@debian.org>

To: 782776-close@bugs.debian.org

Subject: Bug#782776: fixed in gnutls28 3.3.8-6+deb8u1

Date: Thu, 30 Apr 2015 18:47:17 +0000

Source: gnutls28
Source-Version: 3.3.8-6+deb8u1

We believe that the bug you reported is fixed in the latest version of
gnutls28, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 782776@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <ametzler@debian.org> (supplier of updated gnutls28 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 27 Apr 2015 19:38:26 +0200
Source: gnutls28
Binary: libgnutls28-dev libgnutls-deb0-28 libgnutls28-dbg gnutls-bin gnutls-doc guile-gnutls libgnutlsxx28 libgnutls-openssl27
Architecture: source i386 all
Version: 3.3.8-6+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
Changed-By: Andreas Metzler <ametzler@debian.org>
Description:
 gnutls-bin - GNU TLS library - commandline utilities
 gnutls-doc - GNU TLS library - documentation and examples
 guile-gnutls - GNU TLS library - GNU Guile bindings
 libgnutls-deb0-28 - GNU TLS library - main runtime library
 libgnutls-openssl27 - GNU TLS library - OpenSSL wrapper
 libgnutls28-dbg - GNU TLS library - debugger symbols
 libgnutls28-dev - GNU TLS library - development files
 libgnutlsxx28 - GNU TLS library - C++ runtime library
Closes: 782776
Changes:
 gnutls28 (3.3.8-6+deb8u1) jessie; urgency=medium
 .
   * Reupload 3.3.8-7 unchanged for first point release:
     45_eliminated-double-free.diff 46_Better-fix-for-the-double-free.diff:
     Pull two patches from upstream to a use-after-free flaw in
     gnutls_x509_ext_import_crl_dist_points(). CVE-2015-3308
     Closes: #782776
Checksums-Sha1:
 9f7bb3f63597a5d563dea30899cd8c24daff6710 2941 gnutls28_3.3.8-6+deb8u1.dsc
 40a46a3babc277c1f62e43624fd290ab63e5bebf 90332 gnutls28_3.3.8-6+deb8u1.debian.tar.xz
 5467e34c2749258e9a74da950a986c74e86b1d65 680974 libgnutls28-dev_3.3.8-6+deb8u1_i386.deb
 2f64b1f64f552e9175260c5800bffa67d0774103 708626 libgnutls-deb0-28_3.3.8-6+deb8u1_i386.deb
 9d460ce54bb4c4a866ff49f1ebcbc42f56f27b16 1915988 libgnutls28-dbg_3.3.8-6+deb8u1_i386.deb
 ec218c8571b7f7bb28e8e227119e613081a3092d 309756 gnutls-bin_3.3.8-6+deb8u1_i386.deb
 7576528013259188414685f59eaacad1f7c2044c 3620614 gnutls-doc_3.3.8-6+deb8u1_all.deb
 78519c605e9602ba88c27b74661f82b0856a2d22 175344 guile-gnutls_3.3.8-6+deb8u1_i386.deb
 24efe9ac6c0f810f325367e25fb4b0c6f349484e 15426 libgnutlsxx28_3.3.8-6+deb8u1_i386.deb
 e78cf6abdfb7d3e1f8fa0d0c8db3b7173b22d187 142870 libgnutls-openssl27_3.3.8-6+deb8u1_i386.deb
Checksums-Sha256:
 6a80bcbd586254f31607b9ad59e47ad320f286b6e573446a92430be9ceeacf26 2941 gnutls28_3.3.8-6+deb8u1.dsc
 2d71ec37eb28701e27d356ccdd4d1c0cd7f1670710b351c032bf0622fc48e0ab 90332 gnutls28_3.3.8-6+deb8u1.debian.tar.xz
 d0e339fa606ed601444161e9ceb5af4ecc1b8a97a606778dfc7313aa5be5dcd6 680974 libgnutls28-dev_3.3.8-6+deb8u1_i386.deb
 feffa155510c500446b56aa40c7f479c62a0cc8e868d9e911b40ca5175a48df5 708626 libgnutls-deb0-28_3.3.8-6+deb8u1_i386.deb
 894ae0ff2acaa77d36f9b13a171c865daf97bca4acd07663e9a2cfc19629b268 1915988 libgnutls28-dbg_3.3.8-6+deb8u1_i386.deb
 e9619c1c2136a895338fd1debd77ea6f4bae33528cda33499354ff0900df2f89 309756 gnutls-bin_3.3.8-6+deb8u1_i386.deb
 faa80dac23af5dd9cd012775ef44529bef2389d12f5b460c56f443348783f65e 3620614 gnutls-doc_3.3.8-6+deb8u1_all.deb
 4c02bf6daf6221cfb27a0d61fe8731abb9500e244db875567ab5b27315faec15 175344 guile-gnutls_3.3.8-6+deb8u1_i386.deb
 1910cb83b0dd80f4294193c1caadd49501db3bb28c5bbed2565173a75565faa9 15426 libgnutlsxx28_3.3.8-6+deb8u1_i386.deb
 bc9e2e975e0e1e746d85229e7ce143b479ec27db188af4f35a933dfb5d2f3012 142870 libgnutls-openssl27_3.3.8-6+deb8u1_i386.deb
Files:
 6a513fd1492d68111d2bea50d64b54bf 2941 libs optional gnutls28_3.3.8-6+deb8u1.dsc
 160c6aae89777b3c8750e83ec58b8d2c 90332 libs optional gnutls28_3.3.8-6+deb8u1.debian.tar.xz
 98f66c96e7ec1106439b1255be75ce6c 680974 libdevel optional libgnutls28-dev_3.3.8-6+deb8u1_i386.deb
 55f574504b2ff5033ecfa818b8d22b1e 708626 libs standard libgnutls-deb0-28_3.3.8-6+deb8u1_i386.deb
 5ccbdae6098685820942ccf33bed3bb0 1915988 debug extra libgnutls28-dbg_3.3.8-6+deb8u1_i386.deb
 1ecc3ae68705a5fe2f86f743c97018f8 309756 net optional gnutls-bin_3.3.8-6+deb8u1_i386.deb
 88fae49eecc4ce176d71e27ef07e5d87 3620614 doc optional gnutls-doc_3.3.8-6+deb8u1_all.deb
 217619a3f9842280a701821bdf8371c1 175344 lisp optional guile-gnutls_3.3.8-6+deb8u1_i386.deb
 0b248dd3c20f3955a37e4a7135e72d41 15426 libs extra libgnutlsxx28_3.3.8-6+deb8u1_i386.deb
 eef97b4956904e41418fe290b3f3021e 142870 libs standard libgnutls-openssl27_3.3.8-6+deb8u1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVQQxDAAoJEKVPAYVDghSEif4QAJIPqG81tHODGrh66xNXFGCY
Q+/hHZHPhyKjUt2Dd0E6PMd0YM1imdK5wqcYYRnihiLKw+A1xI9X/Zj6x0szVfJs
GfYaNPRCJbB2HQ4BVVKfRLXxlaop51p9GABykMfw+hZZAN6OX/OP4GiTxoi6nKgx
9Bqay4ogcMdDbAWnJQkVM83wm/6/65EFfuPsodxl+lwoIPYo3KCsE/6RU/Zw//Mm
L5dgrQvS3/nspjWybZpsJNCsebU1MVbXkMQ/uzYtPYje6iB53QZZPhFiGRRtXX1O
udCVv1+zhMhiTNQqNFO7hkh9lrKu2tztFQq3aZL3TuADocuk4B8FC6Bun1J+68t6
STFYKqkTreUvlkQmiTc3nKTZreBm/rRB9+opSK+bAGafnlW/E+mVlHTTFNJtdEe0
hg9FwTHV/J4AquPsjnDhBX64Pq4JuXHIneUpTfyjYLmTUcCdjoSm/zzAFphegTlE
OmpEb2h6FJBjwJZFlx2jCgcCe7WU2RVhJ1sWiXQLsYAcfhzwAkYC0zJ2kweYvBQo
N7+8t7nCE2FfQ9suxVi7+4A1ESwNCisr4SU24Ux27JQzKrsPWylsl7/uWFGnlH5A
sQBVzAhVwzZQ7Vrfvvuwu8D0+U529rYH6SE9utl/3ZST4WrCwqUEUwxvnEiq67ZZ
x5k4sJUakDfFlOu0gclW
=YNk+
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.