[Bug 1166634] Re: gnutls26 crashes on particularly malformed crypt stream

Ubuntu Foundations Team Bug Bot 1166634 at bugs.launchpad.net
Sat Apr 13 00:16:26 UTC 2013


The attachment "CVE-2013-1619-crash.patch" seems to be a patch.  If it
isn't, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are a member of the ~ubuntu-reviewers,
unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1619

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1166634

Title:
  gnutls26 crashes on particularly malformed crypt stream

Status in “gnutls26” package in Ubuntu:
  New

Bug description:
  The patch for CVE-2013-1619 has a bug.  It fails to do proper range
  protection.  The attached patch may not be correct insofar as
  reintroducing a timing exposure; but it does stop the segfaults, which
  are perhaps more problematic.

  This is a security issue because crashes in libgnutls are inherently
  security issues.

  I triggered this by trying to access https URLs via an "all_proxy" in
  libcurl-gnutls.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1166634/+subscriptions



