[Bug 1166634] Re: gnutls26 crashes on particularly malformed crypt stream

Fri May 31 13:24:52 UTC 2013

That patch was released here:

http://www.ubuntu.com/usn/usn-1843-1/

I'm closing this bug. If the issue is still present with that upstream
commit, feel free to re-open it.

Thanks!

** Changed in: gnutls26 (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1166634

Title:
  gnutls26 crashes on particularly malformed crypt stream

Status in “gnutls26” package in Ubuntu:
  Fix Released

Bug description:
  The patch for CVE-2013-1619 has a bug.  It fails to do proper range
  protection.  The attached patch may not be correct insofar as
  reintroducing a timing exposure; but it does stop the segfaults, which
  are perhaps more problematic.

  This is a security issue becuase crashes in libgnutls are inherently
  security issues.

  I triggered this by trying to access https URLs via an "all_proxy" in
  libcurl-gnutls.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1166634/+subscriptions