gnutls heartbleed equivalent?

David Tomaschik david at
Tue Jun 3 01:51:33 CEST 2014

It's actually a memory corruption leading to remote code execution, though
it's not clear how reliable the RCE is.  (Possibly, if you can heap spray
the client?)

Technical analysis here:
 Affects clients only.

On Mon, Jun 2, 2014 at 4:32 PM, Doug Barton <dougb at> wrote:

> I'm noticing this in today's Ubuntu updates:
> SECURITY UPDATE: memory corruption due to server hello parsing
> -debian/patches/CVE-2014-3466.patch: validate session_id_len in
> lib/gnutls_handshake.c
> I haven't looked at the code, and the CVE referenced is simply reserved,
> not populated yet. But that description sounds like it's at best a very
> close cousin to our friend heartbleed ...
> curious,
> Doug

David Tomaschik
OpenPGP: 0x5DEA789B
david at
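
The changelog quoted in this thread describes the fix as validating session_id_len while parsing the ServerHello. As an added illustration (not GnuTLS code and not part of either message), here is a bounds-checked ServerHello body parser in C; the struct and function names are hypothetical, and the 32-byte limit is the SessionID maximum from RFC 5246.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_MAX_SESSION_ID 32   /* RFC 5246: opaque SessionID<0..32> */
#define TLS_RANDOM_SIZE    32

/* Hypothetical struct for this example (not a GnuTLS type). */
struct server_hello {
    uint8_t  version[2];
    uint8_t  random[TLS_RANDOM_SIZE];
    uint8_t  session_id[TLS_MAX_SESSION_ID];
    uint8_t  session_id_len;
    uint16_t cipher_suite;
    uint8_t  compression;
};

/* Parse a ServerHello body (the bytes after the 4-byte handshake header).
 * Returns 0 on success, -1 on a malformed or oversized message. */
int parse_server_hello(const uint8_t *buf, size_t len, struct server_hello *out)
{
    size_t pos = 0;
    if (len < 2 + TLS_RANDOM_SIZE + 1)
        return -1;
    memcpy(out->version, buf + pos, 2);              pos += 2;
    memcpy(out->random, buf + pos, TLS_RANDOM_SIZE); pos += TLS_RANDOM_SIZE;
    uint8_t sid_len = buf[pos++];
    /* Check 1: the peer-supplied length must fit the fixed destination. */
    if (sid_len > TLS_MAX_SESSION_ID)
        return -1;
    /* Check 2: the claimed bytes, plus suite and compression, must be present. */
    if (len - pos < (size_t)sid_len + 3)
        return -1;
    memcpy(out->session_id, buf + pos, sid_len);     pos += sid_len;
    out->session_id_len = sid_len;
    out->cipher_suite = (uint16_t)((buf[pos] << 8) | buf[pos + 1]); pos += 2;
    out->compression  = buf[pos];
    return 0;
}

int main(void)
{
    /* Constructed ServerHello body that claims a 200-byte session ID. */
    uint8_t msg[2 + TLS_RANDOM_SIZE + 1 + 200 + 3] = {0x03, 0x03};
    struct server_hello sh;
    msg[34] = 200;
    printf("session_id_len=200: %s\n",
           parse_server_hello(msg, sizeof msg, &sh) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Without the first check, the copy into the 32-byte `session_id` field would be sized by a value the server controls.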