[Secure-testing-team] Bug#769154: gnutls28: CVE-2014-8564: Heap corruption when generating key ID for ECC (GNUTLS-SA-2014-5)
Salvatore Bonaccorso
carnil at debian.org
Tue Nov 11 19:53:10 UTC 2014
Source: gnutls28
Version: 3.3.8-3
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for gnutls28.
CVE-2014-8564[0]:
Heap corruption when generating key ID for ECC (GNUTLS-SA-2014-5)
| An out-of-bounds memory write flaw was found in the way GnuTLS parsed
| certain ECC (Elliptic Curve Cryptography) certificates or certificate
| signing requests (CSR). A malicious user could create a specially
| crafted ECC certificate or a certificate signing request that, when
| processed by an application compiled against GnuTLS (for example,
| certtool), could cause that application to crash or execute arbitrary
| code with the permissions of the user running the application.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-8564
[1] http://www.gnutls.org/security.html#GNUTLS-SA-2014-5
[2] https://gitorious.org/gnutls/gnutls/commit/e821e1908686657a45c1b735f6d077b7a8493e2b
(3.3.x branch)
Regards,
Salvatore
More information about the Secure-testing-team
mailing list