Upstream GnuTLS versions 3.1.15 and 3.2.5 correct a buffer overflow in dane_query_tlsa() function used to parse DANE (DNS-based Authentication of Named Entities) DNS records. The function parses DNS server reply into dane_query_st / dane_query_t struct which can hold up to 4 entries, but the function failed to check this and allowed parsing more then 4 entries form the reply, resulting in buffer overflow. An application using DANE protocol to verify certificates could crash or, possibly, execute arbitrary code when parsing a response from a malicious DNS server. Announcements of 3.1.15 and 3.2.5 versions: http://lists.gnutls.org/pipermail/gnutls-devel/2013-October/006511.html http://lists.gnutls.org/pipermail/gnutls-devel/2013-October/006512.html Upstream commits (master and 3.1 branch): https://gitorious.org/gnutls/gnutls/commit/ed51e5e53cfbab3103d6b7b85b7ba4515e4f30c3 https://gitorious.org/gnutls/gnutls/commit/916deedf41604270ac398314809e8377476433db DANE support was introduced upstream in version 3.1.3.
mingw-gnutls packages in Fedora (19+) currently use GnuTLS version with DANE support, but it's not compiled in because of missing unbound. Excerpt from build.log: checking whether to build libdane... yes checking for unbound library... no configure: WARNING: *** *** libunbound was not found. Libdane will not be built. *** Hence those packages are not affected.
Created gnutls tracking bugs for this issue: Affects: fedora-all [bug 1022926]
Upstream advisory id is GNUTLS-SA-2013-3: http://www.gnutls.org/security.html#GNUTLS-SA-2013-3
gnutls-3.1.15-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Statement: Not vulnerable. This issue did not affect the versions of gnutls as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for DANE protocol.
New GnuTLS versions 3.1.16 and 3.2.6 correct off-by-one bug in the original fix, found by Tomas Mraz: http://lists.gnutls.org/pipermail/gnutls-devel/2013-October/006544.html http://lists.gnutls.org/pipermail/gnutls-devel/2013-October/006543.html Commits in upstream git (master and 3.1 branch): https://gitorious.org/gnutls/gnutls/commit/0dd5529509e46b11d5c0f3f26f99294e0e5fa6dc https://gitorious.org/gnutls/gnutls/commit/ad6a243b5ad219fda7511d4cbc1f73d77414db77
(In reply to Tomas Hoger from comment #7) > New GnuTLS versions 3.1.16 and 3.2.6 correct off-by-one bug in the original > fix This problem got new CVE CVE-2013-4487, tracked via bug 1025637.
gnutls-3.1.16-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
gnutls-3.1.16-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.