According to Martin von Gagern, http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217 there is an X.509 trust chain validation failure that allows a man in the middle to assume any DN and trick GnuTLS clients into trusting that name. Fix: The following VuXML entry should be added: I am assuming that the maintainer will update the port to version 2.4.2 (the latest one from the 2.4 branch) or to 2.6.1. One can drop 2.6.x from the VuXML entry if he isn't planning to introduce GnuTLS 2.6.x to the ports or he is planning to update to GnuTLS >= 2.6.1. I had extracted the patch from http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215 and had applied it to 2.4.2. Obtained from: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215 Remarks: applied original patch to 2.4.2 and diffed the sources again --- lib/x509/verify.c.orig 2008-09-16 00:04:19.000000000 +0400 +++ lib/x509/verify.c 2008-11-14 16:06:59.000000000 +0300 @@ -376,6 +376,17 @@ int i = 0, ret; unsigned int status = 0, output; + /* Check if the last certificate in the path is self signed. + * In that case ignore it (a certificate is trusted only if it + * leads to a trusted party by us, not the server's). + */ + if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], + certificate_list[clist_size - 1]) > 0 + && clist_size > 0) + { + clist_size--; + } + /* Verify the last certificate in the certificate path * against the trusted CA certificate list. * 
@@ -414,17 +425,6 @@ } #endif - /* Check if the last certificate in the path is self signed. - * In that case ignore it (a certificate is trusted only if it - * leads to a trusted party by us, not the server's). - */ - if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], - certificate_list[clist_size - 1]) > 0 - && clist_size > 0) - { - clist_size--; - } - /* Verify the certificate path (chain) */ for (i = clist_size - 1; i > 0; i--) --- gnutls-2.4.2-CVE-2008-4989.patch ends here --- I had made a quick patch to update to 2.4.2. It works for me and fixes the CVE in question: How-To-Repeat: Look at http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217 http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215 http://www.gnu.org/software/gnutls/security.html
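Review bot: in the first hunk (@@ -376,6 +376,17 @@) the guard `&& clist_size > 0` is evaluated only after `certificate_list[clist_size - 1]` has already been indexed, and it still permits the decrement when clist_size is 1, so a chain consisting of a single self-signed certificate leaves clist_size at 0 and the immediately following "Verify the last certificate in the certificate path" step reads certificate_list[-1]. Test the length before indexing and keep at least one certificate for the trusted-CA check, for example `if (clist_size > 1 && gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], certificate_list[clist_size - 1]) > 0)`.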
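Review bot: the second hunk (@@ -414,17 +425,6 @@) deletes a block that is byte-for-byte the one the first hunk adds, so this patch is a relocation and the accompanying remarks ("applied original patch to 2.4.2 and diffed the sources again") should say why the position matters: at the old position, after the `#endif`, the self-signed tail had already been checked against the trusted CA list and was then discarded, so the certificate that became the new end of the path was only ever checked as the issuer of the one below it in the "Verify the certificate path (chain)" loop, never against the trust store; moving the block ahead of the trusted-CA check is what closes that. A one-line comment at the new location stating this order dependency would keep a future merge from moving it back.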
Responsible Changed From-To: freebsd-ports-bugs->novel Over to maintainer (via the GNATS Auto Assign Tool)
I suggest that we just upgrade to 2.6.2, to take advantage of the other improvements that have been made, in addition to the security fixes. There have been additions to the API/ABI, but AFAIK no changes or breakage. The attached patch upgrades to 2.6.2 -- lzo now depends on an external library, bundled opencdk code is always used, and the libcfg dependency is taken into account. I sorted the manpages after adding the new ones, and added a test target. Also, I used the PORTEXAMPLES macro, and respected NOPORTEXAMPLES. The maintainer may wish to enable the new Opaque PRF Input TLS Extension (cf. http://www.gnu.org/software/gnutls/manual/html_node/Opaque-PRF-Input-TLS-Extension.html ) with the appropriate addition to CONFIGURE_ARGS. I left it at the default (off) setting. Regards, b.
novel 2008-11-16 08:47:08 UTC FreeBSD ports repository Modified files: security/gnutls Makefile distinfo Added files: security/gnutls/files patch-CVE-2008-4989 Log: - Update to 2.4.2 - Fix CVE-2008-4989 PR: 128868 Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Revision Changes Path 1.67 +1 -2 ports/security/gnutls/Makefile 1.29 +3 -3 ports/security/gnutls/distinfo 1.1 +38 -0 ports/security/gnutls/files/patch-CVE-2008-4989 (new) _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
bf wrote: > I suggest that we just upgrade to 2.6.2, to take advantage of the other > improvements that have been made, in addition to the security fixes. > There have been additions to the API/ABI, but AFAIK no changes or breakage. > > The attached patch upgrades to 2.6.2 -- lzo now depends on an external > library, bundled opencdk code is always used, and the libcfg dependency is > taken into account. I sorted the manpages after adding the new ones, and > added a test target. Also, I used the PORTEXAMPLES macro, and respected > NOPORTEXAMPLES. > > The maintainer may wish to enable the new Opaque PRF Input TLS Extension > (cf. > > http://www.gnu.org/software/gnutls/manual/html_node/Opaque-PRF-Input-TLS-Extension.html > > ) with the appropriate addition to CONFIGURE_ARGS. I left it at the > default (off) setting. I will update it to 2.6.x as soon as slush is over. Roman Bogorodskiy
stas 2008-11-16 09:59:35 UTC FreeBSD ports repository Modified files: security/vuxml vuln.xml Log: - Document the recent chain validation vulnerability in gnutls. PR: ports/128868 Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> (based on) Revision Changes Path 1.1751 +33 -1 ports/security/vuxml/vuln.xml
Eygene Ryabinkin wrote: > Roman, good day. > > Sun, Nov 16, 2008 at 11:50:56AM +0300, Roman Bogorodskiy wrote: > > I will update it to 2.6.x as soon as slush is over. > > The patch from the upstream for 2.4.2 suffered from the segfault > for the chain that contains just the self-signed certificate. It > was discovered by Debian people and GnuTLS developers and fixes are > available: > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505279 > http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3216/focus=3230 > > I had mildly tested the attached patch and it works for me. > Instead of dropping another patch to 'files/', you can just delete > the first hunk of the original patch. I see. I will fix it later today. > -- > Eygene Roman Bogorodskiy
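As an added illustration written for this thread (model code, not GnuTLS source), the C sketch below reproduces the guard from the patch's first hunk next to a corrected one and models the two verification orders; `struct cert`, `issued_by()`, `verify_model()` and the sample chains are stand-ins for the real GnuTLS types, calls and certificates.

```c
#include <string.h>

/* Stand-in for gnutls_x509_crt_t with only the fields the model needs. */
struct cert { const char *subject; const char *issuer; };

/* Stand-in for gnutls_x509_crt_check_issuer(): 1 when c was issued by ca. */
static int issued_by(const struct cert *c, const struct cert *ca) {
    return strcmp(c->issuer, ca->subject) == 0;
}

/* Guard ordered as in the patch's first hunk: the index is used before the
 * size is tested, and a one-certificate chain is trimmed to 0, so the
 * caller's next list[size - 1] reads before the start of the array. */
static int trim_patched(const struct cert *list, int size) {
    if (issued_by(&list[size - 1], &list[size - 1]) && size > 0)
        size--;
    return size;
}

/* Corrected guard: test the length first and keep at least one
 * certificate for the trusted-CA check. */
static int trim_fixed(const struct cert *list, int size) {
    if (size > 1 && issued_by(&list[size - 1], &list[size - 1]))
        size--;
    return size;
}

/* Model of the verification order: trusted-CA check of the last
 * certificate, then the issuer walk down the chain. trim_first = 1 is the
 * patched order (drop the self-signed tail before the trusted-CA check). */
static int verify_model(const struct cert *list, int size,
                        const struct cert *anchor, int trim_first) {
    int i;
    if (size < 1) return 0;
    if (trim_first) size = trim_fixed(list, size);
    if (!issued_by(&list[size - 1], anchor)) return 0; /* not anchored */
    if (!trim_first) size = trim_fixed(list, size);   /* pre-patch order */
    for (i = size - 1; i > 0; i--)                    /* issuer walk */
        if (!issued_by(&list[i - 1], &list[i])) return 0;
    return 1;
}

/* Constructed chains: a lone trust anchor, and a chain that appends a copy
 * of the anchor after a CA the anchor never issued. */
static const struct cert root_ca = { "Root CA", "Root CA" };
static const struct cert lone[] = { { "Root CA", "Root CA" } };
static const struct cert appended[] = { { "example.test", "Other CA" },
                                        { "Other CA", "Other CA" },
                                        { "Root CA", "Root CA" } };
```

With the pre-patch order `verify_model(appended, 3, &root_ca, 0)` accepts the chain although "Other CA" was never checked against the trust store, while the patched order rejects it; `trim_patched(lone, 1)` returns 0, which is the length that produced the segfault reported above, and `trim_fixed(lone, 1)` keeps the single certificate.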
pav 2008-11-19 10:36:46 UTC FreeBSD ports repository Modified files: security/gnutls Makefile security/gnutls/files patch-CVE-2008-4989 Log: - Fix the patch for CVE-2008-4989 not to cause segfaults on runtime anymore PR: ports/128868 Obtained from: vendor Revision Changes Path 1.68 +1 -0 ports/security/gnutls/Makefile 1.2 +0 -18 ports/security/gnutls/files/patch-CVE-2008-4989
State Changed From-To: open->closed Committed, thanks!