GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1]
simon at josefsson.org
Mon May 19 20:58:16 CEST 2008
Andreas Metzler <ametzler at downhill.at.eu.org> writes:
> On 2008-05-19 Simon Josefsson <simon at josefsson.org> wrote:
>> Andreas Metzler <ametzler at downhill.at.eu.org> writes:
>> > The fix for this one (gnutls_cipher.c) breaks clean end of session:
>> Sigh! If you add -d 4711 what does it say? I'm trying to reproduce
>> this now.
> I am attaching logs for both 2.2.3 and 2.2.4 for easy comparison.
> |<7>| RB: Have 5 bytes into buffer. Adding 32 bytes.
> |<7>| RB: Requested 37 bytes
> |<4>| REC[8073cb8]: Short record length 32 < 16 + 20 (under attack?)
> |<2>| ASSERT: gnutls_cipher.c:461
> |<2>| ASSERT: gnutls_record.c:999
Ok, the debug message printing check was incorrect. Sigh...
The patch below still catches the exploit but works with a proper server
that sends a short reply. Can you test this?
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index f071710..e16ad1f 100644
@@ -453,15 +453,6 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
- if (ciphertext.size < (unsigned) blocksize + hash_size)
- ("REC[%x]: Short record length %d < %d + %d (under attack?)\n",
- session, ciphertext.size, blocksize, hash_size);
- gnutls_assert ();
- return GNUTLS_E_DECRYPTION_FAILED;
/* actual decryption (inplace)
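Review bot: With the early test on ciphertext.size removed ahead of the "actual decryption (inplace)" comment, no lower bound on the record length is visible in this hunk before decryption runs. Please point to the check that still rejects records too short to decrypt, or keep a weaker bound here. The removed condition was too strict, as the quoted log shows (32 < 16 + 20 on a clean end of session), but the commit message should say why the later pad test alone is sufficient.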
@@ -515,6 +506,9 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
if ((int)pad > (int)ciphertext.size - hash_size)
+ ("REC[%x]: Short record length %d > %d - %d (under attack?)\n",
+ session, pad, ciphertext.size, hash_size);
/* We do not fail here. We check below for the
* the pad_failed. If zero means success.
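Review bot: The new log text under "if ((int)pad > (int)ciphertext.size - hash_size)" says "Short record length", but the first value printed is pad, so the message misreports what was compared; wording such as "Pad length %d > %d - %d" would match the condition. Since the comment says the code does not fail at this point, it is also worth confirming that the added lines leave the pad-failure state set for the later check, as that assignment is not visible in this hunk.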