[Ach] GnuTLS Buffer-overflow in ServerHello SessionID parsing
Aaron Zauner
azet at azet.org
Sun Jun 1 15:57:42 CEST 2014
:/
https://bugzilla.redhat.com/show_bug.cgi?id=1101932
```
A flaw was found in the way GnuTLS parsed session ids from Server
Hello packets of the TLS/SSL handshake. A malicious server could
use this flaw to send an excessively long session id value and
trigger a buffer overflow in a connecting TLS/SSL client using
GnuTLS, causing it to crash or, possibly, execute arbitrary code.
The flaw is in read_server_hello() / _gnutls_read_server_hello(),
where session_id_len is checked to not exceed incoming packet size,
but not checked to ensure it does not exceed maximum session id
length:
https://www.gitorious.org/gnutls/gnutls/source/8d7d6c6:lib/gnutls_handshake.c#L1747
```
Aaron
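The mechanism the bug report describes, as an added illustration and not GnuTLS code: a minimal ServerHello session-id parser written for this page, showing the length check the report describes (session_id_len compared only against the bytes left in the packet) beside the hardened check that also bounds it by the 32-byte protocol maximum. The function names, the struct layout, the constructed packets and the "vulnerable" check reduced to a bare decision (so the file can be run without corrupting memory) are all assumptions of this example; the real code is at the gitorious link above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS session ids are at most 32 bytes (RFC 5246, 7.4.1.2), so a client
 * may legitimately keep a fixed 32-byte buffer for them. */
#define TLS_MAX_SESSION_ID_SIZE 32

/* Part of the ServerHello body this example parses (assumed layout):
 *   ProtocolVersion server_version;        2 bytes
 *   Random random;                        32 bytes
 *   SessionID session_id;                  1 length byte + 0..32 bytes
 *   CipherSuite cipher_suite;              2 bytes
 *   CompressionMethod compression_method;  1 byte    (extensions omitted) */
#define SH_SESSION_ID_LEN_OFFSET (2 + 32)

enum parse_result {
    PARSE_OK = 0,
    PARSE_ERR_TRUNCATED = -1,      /* length field runs past the end of the packet */
    PARSE_ERR_ILLEGAL_LENGTH = -2  /* length field exceeds the protocol maximum */
};

struct server_hello {
    uint8_t session_id[TLS_MAX_SESSION_ID_SIZE];
    size_t session_id_len;
};

/* The check the bug report describes, in isolation: session_id_len is only
 * compared against the bytes remaining in the packet. A server that sends a
 * 255-byte session id in a packet large enough to hold it passes, and the
 * memcpy that would follow writes 255 bytes into a 32-byte buffer. The copy
 * is deliberately not performed here. */
int session_id_len_ok_vulnerable(size_t session_id_len, size_t remaining)
{
    return session_id_len <= remaining;
}

/* Hardened parser: the length must fit both the packet and the destination. */
int parse_server_hello(const uint8_t *pkt, size_t pkt_len, struct server_hello *out)
{
    if (pkt_len < SH_SESSION_ID_LEN_OFFSET + 1)
        return PARSE_ERR_TRUNCATED;

    size_t session_id_len = pkt[SH_SESSION_ID_LEN_OFFSET];
    size_t remaining = pkt_len - (SH_SESSION_ID_LEN_OFFSET + 1);

    if (session_id_len > remaining)
        return PARSE_ERR_TRUNCATED;        /* the check the original code had */
    if (session_id_len > TLS_MAX_SESSION_ID_SIZE)
        return PARSE_ERR_ILLEGAL_LENGTH;   /* the check the report says was missing */

    memcpy(out->session_id, pkt + SH_SESSION_ID_LEN_OFFSET + 1, session_id_len);
    out->session_id_len = session_id_len;
    return PARSE_OK;
}

/* Build a constructed ServerHello body carrying a session id of the given
 * length (filled with 'A'), as a malicious server could send one. Returns
 * the number of bytes written, or 0 if buf is too small. */
size_t build_server_hello(uint8_t *buf, size_t buf_size, size_t session_id_len)
{
    size_t need = SH_SESSION_ID_LEN_OFFSET + 1 + session_id_len + 2 + 1;
    if (session_id_len > 255 || buf_size < need)
        return 0;
    buf[0] = 0x03; buf[1] = 0x03;                       /* TLS 1.2 */
    memset(buf + 2, 0x52, 32);                          /* server random (constructed) */
    buf[SH_SESSION_ID_LEN_OFFSET] = (uint8_t)session_id_len;
    memset(buf + SH_SESSION_ID_LEN_OFFSET + 1, 'A', session_id_len);
    uint8_t *p = buf + SH_SESSION_ID_LEN_OFFSET + 1 + session_id_len;
    p[0] = 0xc0; p[1] = 0x2f;                           /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
    p[2] = 0x00;                                        /* null compression */
    return need;
}

int main(void)
{
    uint8_t pkt[512];
    struct server_hello sh;

    size_t n = build_server_hello(pkt, sizeof pkt, 32);
    printf("32-byte session id: hardened parse -> %d\n", parse_server_hello(pkt, n, &sh));

    n = build_server_hello(pkt, sizeof pkt, 255);
    size_t remaining = n - (SH_SESSION_ID_LEN_OFFSET + 1);
    printf("255-byte session id: packet-only check accepts=%d (would copy 255 bytes into %d), "
           "hardened parse -> %d\n",
           session_id_len_ok_vulnerable(255, remaining), TLS_MAX_SESSION_ID_SIZE,
           parse_server_hello(pkt, n, &sh));
    return 0;
}
```

The point of the two checks side by side: bounding a length field by the bytes left in the packet prevents an over-read, but it says nothing about the size of the buffer the bytes are copied into. Every length that lands in a fixed-size field needs a second bound against that field's size (or the protocol maximum that sized it).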