[Pkg-gnutls-maint] Bug#465197: gnutls26: wrong length returned for gnutls_x509_crt_get_subject_alt_name()
Steve Langasek
vorlon at debian.org
Mon Feb 11 08:12:17 UTC 2008
Package: libgnutls26
Version: 2.2.1-3
Severity: important
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu
Hi folks,

In debugging a regression introduced in OpenLDAP when switching from OpenSSL
to GnuTLS in the latest upstream version, it's come to light that this is a
bug in gnutls_x509_crt_get_subject_alt_name(), and a regression in GnuTLS
2.0.4 vs. GnuTLS 1.7:

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=deaa3ac31c2e83c292562ab66c1817c7ebc27048

Even though all other OIDs are returned with a size excluding any final
newline, this change causes subject alt names to have a trailing newline
appended - which, moreover, is added *after* the check for the buffer size,
so this is a potential buffer overflow.

This is discussed with OpenLDAP upstream at
<http://www.openldap.org/its/index.cgi?findid=5361>.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
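
The ordering problem described in the report above, as an added C example that is not GnuTLS code and not part of the original message: a getter that checks the buffer size before appending one more byte, next to a version that reserves that byte first. All function names, the error code and the sample name `ldap.example` are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TRAILER '\n'      /* the extra trailing byte the report describes */
#define SHORT_BUFFER (-1) /* hypothetical error code, not a GnuTLS constant */
typedef int (*copy_fn)(const char *, size_t, char *, size_t *);

/* Flawed ordering: the check covers only the name bytes; the trailer is
 * appended afterwards and counted in the returned length. */
int copy_name_flawed(const char *name, size_t len, char *out, size_t *size)
{
    if (len > *size) { *size = len; return SHORT_BUFFER; }
    memcpy(out, name, len);
    out[len] = TRAILER;        /* lands at out[*size] when len == *size */
    *size = len + 1;
    return 0;
}

/* Corrected ordering: reserve the trailer byte before copying and return
 * the length without it. */
int copy_name_checked(const char *name, size_t len, char *out, size_t *size)
{
    if (len + 1 > *size) { *size = len + 1; return SHORT_BUFFER; }
    memcpy(out, name, len);
    out[len] = TRAILER;
    *size = len;
    return 0;
}

/* Call fn with a buffer declared as `declared` bytes inside a larger
 * array; return 1 if the byte just past the declared size was modified. */
int clobbers_canary(copy_fn fn, const char *name, size_t declared, size_t *reported)
{
    char backing[64];
    memset(backing, 0x5A, sizeof backing);
    *reported = declared;
    fn(name, strlen(name), backing, reported);
    return backing[declared] != 0x5A;
}

int main(void)
{
    size_t n;  /* the name below is a constructed 12-byte sample */
    int hit = clobbers_canary(copy_name_flawed, "ldap.example", 12, &n);
    printf("flawed:  overflow=%d size=%zu\n", hit, n);
    hit = clobbers_canary(copy_name_checked, "ldap.example", 12, &n);
    printf("checked: overflow=%d size=%zu\n", hit, n);
}
```

A caller that sizes its buffer to exactly the name length is the case that exposes the difference: the flawed variant writes one byte past the declared size, while the checked variant refuses and reports the size it needs.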