[Ach] GnuTLS Buffer-overflow in ServerHello SessionID parsing
azet at azet.org
Sun Jun 1 15:57:42 CEST 2014
A flaw was found in the way GnuTLS parsed session ids from Server
Hello packets of the TLS/SSL handshake. A malicious server could
use this flaw to send an excessively long session id value and
trigger a buffer overflow in a connecting TLS/SSL client using
GnuTLS, causing it to crash or, possibly, execute arbitrary code.
The flaw is in read_server_hello() / _gnutls_read_server_hello(),
where session_id_len is checked to not exceed incoming packet size,
but not checked to ensure it does not exceed maximum session id
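The bug the message describes is a length check against the wrong bound: the parser makes sure session_id_len does not run past the end of the ServerHello, but never that it fits the fixed 32-byte session id slot TLS allows (RFC 5246 limits SessionID to 0..32 bytes). Below is an added example, not GnuTLS code and not part of the original post, that models that parse in isolation. Names such as read_server_hello_session_id, client_state and ARENA_SIZE are my own; TLS_MAX_SESSION_ID_SIZE is the name I recall GnuTLS using for the 32-byte limit and is an assumption here. The fixed-size session id and whatever the compiler would place after it are modelled as one flat byte arena so the overflow stays well-defined C and can be observed as clobbered adjacent state rather than as a crash.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 5246 7.4.1.3: SessionID is opaque <0..32>. Assumed GnuTLS constant name. */
#define TLS_MAX_SESSION_ID_SIZE 32
/* Hypothetical model of client state: arena[0..31] is the session id slot,
 * arena[32..63] stands in for the fields that follow it in memory. */
#define ARENA_SIZE 64
#define NEXT_FIELD_OFFSET TLS_MAX_SESSION_ID_SIZE

struct client_state {
    uint8_t arena[ARENA_SIZE];
    size_t session_id_len;
};

/* ServerHello prefix: server_version(2) random(32), then session_id_len(1). */
#define HDR_LEN (2 + 32)

/* Parse the session id out of a ServerHello body into st.
 * enforce_max == 0 reproduces the flawed logic (length vs. packet only);
 * enforce_max != 0 adds the missing check against the 32-byte slot.
 * Returns 0 on success, -1 bad length vs. packet, -2 id too long, -3 model guard. */
static int read_server_hello_session_id(const uint8_t *pkt, size_t pkt_len,
                                        struct client_state *st, int enforce_max)
{
    if (pkt_len < HDR_LEN + 1)
        return -1;
    size_t session_id_len = pkt[HDR_LEN];
    size_t pos = HDR_LEN + 1;

    /* The check the vulnerable code did have: id must lie inside the packet. */
    if (session_id_len > pkt_len - pos)
        return -1;

    /* The check that was missing: id must fit the fixed destination. */
    if (enforce_max && session_id_len > TLS_MAX_SESSION_ID_SIZE)
        return -2;

    /* Model-only guard: a real server can send up to 255 bytes and the real
     * code would write past its array; here we cap at the arena to stay defined. */
    if (session_id_len > ARENA_SIZE)
        return -3;

    memcpy(st->arena, pkt + pos, session_id_len);
    st->session_id_len = session_id_len;
    return 0;
}

/* Construct a minimal ServerHello body carrying sid_len bytes of 0x41 as the id.
 * Returns the byte count written, or 0 if it does not fit. Constructed test data. */
static size_t build_server_hello(uint8_t *out, size_t cap, size_t sid_len)
{
    size_t need = HDR_LEN + 1 + sid_len + 3;
    if (sid_len > 255 || need > cap)
        return 0;
    memset(out, 0, need);
    out[0] = 0x03; out[1] = 0x03;               /* TLS 1.2 */
    memset(out + 2, 0xAA, 32);                  /* server random: filler */
    out[HDR_LEN] = (uint8_t)sid_len;
    memset(out + HDR_LEN + 1, 0x41, sid_len);   /* attacker-chosen id bytes */
    out[HDR_LEN + 1 + sid_len] = 0xC0;          /* cipher_suite */
    out[HDR_LEN + 2 + sid_len] = 0x2F;
    out[HDR_LEN + 3 + sid_len] = 0x00;          /* null compression */
    return need;
}

/* Feed a ServerHello with sid_len id bytes to the parser and report how many
 * bytes of the "next field" (arena[32..]) were overwritten.
 * Returns -1 if the parser rejected the message, otherwise the clobber count. */
static int demo_overflow(size_t sid_len, int enforce_max)
{
    uint8_t pkt[512];
    struct client_state st;
    memset(&st, 0, sizeof st);
    memset(st.arena + NEXT_FIELD_OFFSET, 0x5A, ARENA_SIZE - NEXT_FIELD_OFFSET); /* sentinel */

    size_t n = build_server_hello(pkt, sizeof pkt, sid_len);
    if (n == 0 || read_server_hello_session_id(pkt, n, &st, enforce_max) != 0)
        return -1;

    int clobbered = 0;
    for (size_t i = NEXT_FIELD_OFFSET; i < ARENA_SIZE; i++)
        if (st.arena[i] != 0x5A)
            clobbered++;
    return clobbered;
}

/* The check that was present still works: a claimed length past the packet end. */
static int rejects_length_beyond_packet(void)
{
    uint8_t pkt[HDR_LEN + 1 + 4];
    struct client_state st = {{0}, 0};
    memset(pkt, 0, sizeof pkt);
    pkt[HDR_LEN] = 200;   /* claims 200 id bytes, only 4 follow */
    return read_server_hello_session_id(pkt, sizeof pkt, &st, 0) == -1;
}

int main(void)
{
    printf("32-byte id, flawed check : clobbered=%d\n", demo_overflow(32, 0));
    printf("48-byte id, flawed check : clobbered=%d\n", demo_overflow(48, 0));
    printf("48-byte id, fixed check  : result=%d (-1 = rejected)\n", demo_overflow(48, 1));
    printf("length beyond packet rejected: %d\n", rejects_length_beyond_packet());
    return 0;
}
```

With the flawed check a 48-byte id is accepted because it fits inside the packet, and the 16 bytes past the slot land on the sentinel; with the check against TLS_MAX_SESSION_ID_SIZE added, the same message is rejected before any copy. The practical lesson is the one the advisory states: a length must be validated against the destination's capacity, not only against the source's remaining bytes.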