[Bug 1166634] Re: gnutls26 crashes on particularly malformed crypt stream
Jamie Strandboge
jamie at ubuntu.com
Fri Apr 12 21:21:45 UTC 2013
Assigning to mdeslaur since he provided the update initially.
** Information type changed from Private Security to Public Security
** Changed in: gnutls26 (Ubuntu)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1166634
Title:
gnutls26 crashes on particularly malformed crypt stream
Status in “gnutls26” package in Ubuntu:
New
Bug description:
The patch for CVE-2013-1619 has a bug. It fails to do proper range
protection. The attached patch may not be correct insofar as
reintroducing a timing exposure; but it does stop the segfaults, which
are perhaps more problematic.
This is a security issue becuase crashes in libgnutls are inherently
security issues.
I triggered this by trying to access https URLs via an "all_proxy" in
libcurl-gnutls.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1166634/+subscriptions
More information about the foundations-bugs
mailing list