Bug#514807: Regression in libgnutls security update

Simon Josefsson simon at josefsson.org
Wed Feb 11 21:27:13 UTC 2009

Edward Allcutt <emallcut at gleim.com> writes:

> Dear team,
> The recent updates for libgnutls fixed CVE-2008-4989. Unfortunately (at 
> least in my opinion) this also subtly changed the semantics of trusted 
> certificate lists. Version 1 X509 certificates in the list are no longer 
> trusted as CAs unless an extra flag is set.

The CVE-2008-4989 problem was that parts of the chain validation
algorithm were not executed properly.  Rejecting V1 CAs is one of those
parts, so I believe this is the intended consequence of the
CVE-2008-4989 fix.

> Several users of libgnutls (I've had the problem with nss_ldap, pam_ldap 
> and apache2 mod_authnz_ldap) assume that all certificates in the list 
> will be implicitly trusted. See #514807.
> This change actually brings gnutls in line with its documentation, 
> however it is still a change in behavior that I think is unsuitable for 
> a stable security update.
> I believe this is a significant regression in stable because at least 
> one widely used CA (godaddy) still issues certificates with a chain 
> ending in a v1 root (ValiCert Class 2). Godaddy appears to have a newer 
> v3 root but I don't know how widely deployed this is. It is not in the 
> etch ca-certificates package for example.
> This also affects the same set of packages in lenny. I suppose the 
> "right" way to solve it in lenny would be to patch all the libgnutls 
> users which assume v1 CAs should be trusted. However I'm not sure of the 
> reaction to filing several possibly RC bugs at this point.

This would leave users exposed to the security problems inherent with V1
CAs, which seems like a bad thing.  The proper fix is for users to move
away from all V1 CAs.

What can be done here is to produce better documentation, perhaps in
release notes.  People must be aware that trusting X.509 certificate
chains containing RSA-MD5 signatures or V1 CAs is insecure.
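
Added example, not part of the original e-mail and not GnuTLS code: a Python audit that reads the leading DER fields of each certificate in a PEM trust list and reports the two properties the message names, X.509 v1 certificates and RSA-MD5 signatures. The function names and the sample certificates are constructed for this example.

```python
import base64, re

MD5_RSA = bytes.fromhex("2a864886f70d010104")   # OID 1.2.840.113549.1.1.4, md5WithRSAEncryption
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def inspect_cert(der):
    """Return (version, signature algorithm OID bytes) from the start of TBSCertificate."""
    _, p, _ = read_tlv(der, 0)              # Certificate SEQUENCE
    _, p, _ = read_tlv(der, p)              # TBSCertificate SEQUENCE
    tag, s, e = read_tlv(der, p)
    version = 1                             # version is DEFAULT v1 when [0] is absent
    if tag == 0xA0:                         # [0] EXPLICIT Version: INTEGER 0, 1 or 2
        _, vs, ve = read_tlv(der, s)
        version, p = int.from_bytes(der[vs:ve], "big") + 1, e
    _, _, p = read_tlv(der, p)              # skip serialNumber
    _, s, _ = read_tlv(der, p)              # signature AlgorithmIdentifier SEQUENCE
    _, s, e = read_tlv(der, s)              # algorithm OBJECT IDENTIFIER
    return version, der[s:e]

def audit_bundle(pem_text):
    """Return [(index, [reasons])] for v1 or RSA-MD5 certificates in a PEM bundle."""
    findings = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        version, oid = inspect_cert(base64.b64decode(b64))
        reasons = [r for r, hit in (("X.509 v1", version == 1), ("RSA-MD5 signature", oid == MD5_RSA)) if hit]
        if reasons:
            findings.append((i, reasons))
    return findings

def constructed_sample():
    """Constructed skeletons (leading TBSCertificate fields only), not real certificates."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    alg = lambda last: tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last])) + b"\x05\x00")
    v3 = tlv(0xA0, tlv(0x02, b"\x02"))
    certs = [tlv(0x02, b"\x01") + alg(0x04),        # v1, RSA-MD5
             v3 + tlv(0x02, b"\x02") + alg(0x0B),   # v3, RSA-SHA256
             v3 + tlv(0x02, b"\x03") + alg(0x04)]   # v3, RSA-MD5
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
    return "".join(pem % base64.b64encode(tlv(0x30, tlv(0x30, c))).decode() for c in certs)
```

Passing the text of a real trust list to audit_bundle works the same way, since only the version, serial number and signature algorithm fields are read.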


