Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200609-15 ] GnuTLS: RSA Signature Forgery
Date: Tue, 26 Sep 2006 16:19:57
Message-Id: 200609261728.02804.jaervosz@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200609-15
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: GnuTLS: RSA Signature Forgery
9 Date: September 26, 2006
10 Bugs: #147682
11 ID: 200609-15
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 GnuTLS fails to handle excess data which could allow an attacker to
19 forge a PKCS #1 v1.5 signature.
20
21 Background
22 ==========
23
24 GnuTLS is an implementation of SSL 3.0 and TLS 1.0.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 net-libs/gnutls < 1.4.4 >= 1.4.4
33
34 Description
35 ===========
36
37 verify.c fails to properly handle excess data in
38 digestAlgorithm.parameters field while generating a hash when using an
39 RSA key with exponent 3. RSA keys that use exponent 3 are commonplace.
40
41 Impact
42 ======
43
44 Remote attackers could forge PKCS #1 v1.5 signatures that are signed
45 with an RSA key, preventing GnuTLS from correctly verifying X.509 and
46 other certificates that use PKCS.
47
48 Workaround
49 ==========
50
51 There is no known workaround at this time.
52
53 Resolution
54 ==========
55
56 All GnuTLS users should update both packages:
57
58 # emerge --sync
59 # emerge --update --ask --verbose ">=net-libs/gnutls-1.4.4"
60
61 References
62 ==========
63
64 [ 1 ] CVE-2006-4790
65 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4790
66
67 Availability
68 ============
69
70 This GLSA and any updates to it are available for viewing at
71 the Gentoo Security Website:
72
73 http://security.gentoo.org/glsa/glsa-200609-15.xml
74
75 Concerns?
76 =========
77
78 Security is a primary focus of Gentoo Linux and ensuring the
79 confidentiality and security of our users machines is of utmost
80 importance to us. Any security concerns should be addressed to
81 security@g.o or alternatively, you may file a bug at
82 http://bugs.gentoo.org.
83
84 License
85 =======
86
87 Copyright 2006 Gentoo Foundation, Inc; referenced text
88 belongs to its owner(s).
89
90 The contents of this document are licensed under the
91 Creative Commons - Attribution / Share Alike license.
92
93 http://creativecommons.org/licenses/by-sa/2.5