Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 489262 (CVE-2013-4466)

Summary: <net-libs/gnutls-3.2.5: libdane buffer overflow (CVE-2013-4466)
Product: Gentoo Security Reporter: Mikle Kolyada (RETIRED) <zlogene>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: alonbl, crypto+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/oss-sec/2013/q4/173
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-24 14:34:18 UTC 
from ${URL}:

Hi,

GNUTLS just posted a security adivsory which needs a CVE:

http://www.gnutls.org/security.html#GNUTLS-SA-2013-3
GNUTLS-SA-2013-3
Denial of service
This vulnerability affects the DANE library of gnutls 3.1.x and gnutls
3.2.x. A server that returns more 4 DANE entries could corrupt the memory
of a requesting client.  Recommendation: Upgrade to the latest gnutls
version (3.1.15 or 3.2.5)

Commit for 3.1:
https://gitorious.org/gnutls/gnutls/commit/916deedf41604270ac398314809e8377476433db

Commit for 3.2:
https://gitorious.org/gnutls/gnutls/commit/ed51e5e53cfbab3103d6b7b85b7ba4515e4f30c3

Ciao, Marcus
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2013-10-24 20:10:38 UTC 
gnutls-3.2.5 in tree
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-25 11:42:22 UTC 
(In reply to Alon Bar-Lev from comment #1)
> gnutls-3.2.5 in tree

thanks, cleanup old vuln. versions, please,
Comment 3 Alon Bar-Lev (RETIRED) gentoo-dev 2013-10-25 11:47:41 UTC 
(In reply to Mikle Kolyada from comment #2)
> (In reply to Alon Bar-Lev from comment #1)
> > gnutls-3.2.5 in tree
> 
> thanks, cleanup old vuln. versions, please,

this is non stable package, and not trivial changes since last, we should allow people to revert.
Comment 4 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-25 14:09:38 UTC 
The fact that it's unstable means that there is the possibility of breakage. Leave it for a little while if you want, but the old versions do need to go.
Comment 5 Sergey Popov (RETIRED) gentoo-dev 2013-10-27 12:22:57 UTC 
(In reply to Alon Bar-Lev from comment #3)
> this is non stable package, and not trivial changes since last, we should
> allow people to revert.

to clarify - we want 3.2.3 and 3.2.4 go from tree, not 2.x
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-03 00:56:41 UTC 
<3.2.5 seems to be gone from tree, closing.
OSZAR »