Bug#752610: lynx: Can connect to CVE-2014-1959 test site
Kurt Roeckx
kurt at roeckx.be
Wed Jun 25 07:03:25 UTC 2014
Package: lynx-cur, libgnutls26
Severity: serious
Tags: security
Hi,
There is a test site for checking the gnutls bug:
https://gnutls.notary.icsi.berkeley.edu/
I can connect to it and get the message:
If you see this without getting a certificate error you are
vulnerable against the GnuTLS bug
I can reproduce this with the following combinations:
stable:
ii libgnutls26:amd64 2.12.20-8+deb7u2
ii lynx-cur 2.8.8dev.12-2
And testing:
ii libgnutls26:amd64 2.12.23-16
ii lynx-cur 2.8.8pre5-1
Using gnutls-bin 3.0.22-3+really2.12.20-8+deb7u2 I also get:
$ gnutls-cli -p 443 gnutls.notary.icsi.berkeley.edu --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 159 CA certificate(s).
Resolving 'gnutls.notary.icsi.berkeley.edu'...
Connecting to '192.150.187.13:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
While with 3.3.2-2 I get:
$ gnutls-cli -p 443 gnutls.notary.icsi.berkeley.edu --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 168 CA certificate(s).
Resolving 'gnutls.notary.icsi.berkeley.edu'...
Connecting to '192.150.187.13:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `CN=gnutls.notary.icsi.berkeley.edu,OU=ICSI GnuTLS Crt,O=ICSI GnuTLS Test Cert.', issuer `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-08-28 14:51:35 UTC', expires `2015-08-28 14:51:35 UTC', SHA-1 fingerprint `b20c942cd0dd72cd5a02b697ba6862064727f3d9'
Public Key ID:
c9952718d6b2c42cd432b9d8c0f0730ab3286c9d
Public key's random art:
+--[ RSA 2048]----+
| .o ..=o. |
| .o =.*o.. |
| o o+.*.o+ . |
|...+o+o..o o |
|oo.E. S |
|o |
| |
| |
| |
+-----------------+
- Certificate[1] info:
- subject `C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certificates.godaddy.com/repository,CN=Go Daddy Secure Certification Authority,serialNumber=07969287', issuer `C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-11-16 01:54:37 UTC', expires `2026-11-16 01:54:37 UTC', SHA-1 fingerprint `7c4656c3061f7f4c0d67b319a855f60ebc11fc44'
- Status: The certificate is NOT trusted. The certificate issuer is not a CA.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
The 3.3.2-2 version is linked to libgnutls28 of course.
Kurt
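The test site works by presenting a leaf certificate whose issuer is not entitled to act as a CA, which is exactly what the fixed gnutls-cli run above reports as "The certificate issuer is not a CA." The script below is an added example, not code from the bug report or from the GnuTLS project: it reproduces that condition offline by building a three-certificate chain whose middle certificate carries basicConstraints CA:FALSE, and then asks the local verifier whether it accepts the leaf. It assumes an openssl binary (1.1.1 or newer) on PATH and checks OpenSSL rather than GnuTLS; the names Test Root, Test Mid and leaf.example are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the bug report): build root -> mid -> leaf, once with
# the middle certificate marked CA:TRUE and once with CA:FALSE, and check that the
# local verifier accepts the first chain and rejects the second. A verifier that
# accepts a leaf issued by a CA:FALSE certificate has the class of flaw the
# gnutls.notary.icsi.berkeley.edu test page is looking for.
# Assumption: `openssl` 1.1.1+ is installed. All subject names are made up.

# gen_key FILE: EC P-256 private key (fast to generate, supported everywhere).
gen_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null
}

# build_chain DIR CA_FLAG: writes root.pem, mid.pem and leaf.pem into DIR.
# CA_FLAG is TRUE or FALSE and becomes the middle certificate's basicConstraints.
# Every certificate is produced with `x509 -req -extfile` so that the only
# extensions present are the ones written here (no defaults from openssl.cnf).
build_chain() {
    dir=$1; ca_flag=$2
    gen_key "$dir/root.key"; gen_key "$dir/mid.key"; gen_key "$dir/leaf.key"

    # Self-signed root with an explicit, critical CA:TRUE constraint.
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/root.ext"
    openssl req -new -key "$dir/root.key" -subj "/CN=Test Root" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -extfile "$dir/root.ext" -out "$dir/root.pem" 2>/dev/null

    # Middle certificate signed by the root; CA:TRUE or CA:FALSE per argument.
    printf 'basicConstraints=critical,CA:%s\n' "$ca_flag" > "$dir/mid.ext"
    openssl req -new -key "$dir/mid.key" -subj "/CN=Test Mid" -out "$dir/mid.csr" 2>/dev/null
    openssl x509 -req -in "$dir/mid.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/mid.ext" -out "$dir/mid.pem" 2>/dev/null

    # Leaf signed with the middle key, whether or not that key is allowed to issue.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.example\n' > "$dir/leaf.ext"
    openssl req -new -key "$dir/leaf.key" -subj "/CN=leaf.example" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/mid.pem" -CAkey "$dir/mid.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf DIR: exit 0 if the verifier accepts leaf.pem via mid.pem under root.pem.
verify_leaf() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/mid.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# verifier_is_sound: exit 0 only when the verifier accepts the CA:TRUE chain AND
# rejects the CA:FALSE chain, i.e. it behaves like the fixed GnuTLS run above.
verifier_is_sound() {
    tmp=$(mktemp -d) || return 2
    good="$tmp/good"; bad="$tmp/bad"
    mkdir "$good" "$bad"
    build_chain "$good" TRUE
    build_chain "$bad" FALSE
    rc=1
    if verify_leaf "$good" && ! verify_leaf "$bad"; then rc=0; fi
    rm -rf "$tmp"
    return $rc
}

if verifier_is_sound; then
    echo "OK: leaf issued by a CA:FALSE certificate is rejected"
else
    echo "PROBLEM: non-CA issuer accepted, or the valid chain was refused"
fi
```

The same chain files can be fed to GnuTLS instead of OpenSSL: concatenate leaf.pem, mid.pem and root.pem into one file and run certtool --verify-chain on it; a fixed build reports the issuer as not a CA, which is the outcome the 3.3.2-2 gnutls-cli output above shows.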