[gnutls-devel] OCSP certificate check

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Sep 19 11:36:33 CEST 2016


On Fri, Sep 2, 2016 at 6:31 PM, Stefan Bühler <stbuehler at lighttpd.net> wrote:
> Hi,
> some days ago I discovered that the OCSP certificate check doesn't
> actually verify the serial length and might succeed when it shouldn't:
> https://gitlab.com/gnutls/gnutls/blob/9bb4ca9ec8ed504429d582ac3de28aaf8d88b1e8/lib/x509/ocsp.c#L1322
> `rserial.size != cserial.size` is never true, as `cserial.size`
> was initialized with `rserial.size`, and none of them gets
> changed; `t` is actually changed by `gnutls_x509_crt_get_serial`
> and should get checked; otherwise it might compare whatever bytes
> `gnutls_malloc` left at the end.
[...]
> Any other interpretations? Should this get a CVE?

It has been assigned CVE-2016-7444.
http://seclists.org/oss-sec/2016/q3/549
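
The length check described in the quoted report, as an added C example that is not part of the original message and is not GnuTLS code. `get_serial`, `serial_matches`, the `fill` parameter and the sample serials are hypothetical stand-ins; `fill` models the bytes a fresh allocation happens to contain.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample serials: the certificate serial is a prefix of the
 * serial carried in the response. */
static const unsigned char RESP[] = { 0x01, 0x02, 0xAA };
static const unsigned char CERT[] = { 0x01, 0x02 };

/* Hypothetical stand-in for a getter with an in/out length: *len is the
 * buffer capacity on entry and the number of bytes written on return. */
static int get_serial(const unsigned char *src, size_t src_len,
                      unsigned char *out, size_t *len)
{
    if (*len < src_len)
        return -1;                      /* buffer too short */
    memcpy(out, src, src_len);
    *len = src_len;
    return 0;
}

/* Compare the serial from a response (resp) with the certificate serial
 * (cert). check_returned_len = 0 reproduces the comparison the report
 * describes; 1 checks the length the getter actually reported. */
static int serial_matches(const unsigned char *resp, size_t resp_len,
                          const unsigned char *cert, size_t cert_len,
                          unsigned char fill, int check_returned_len)
{
    size_t csize = resp_len;            /* buffer sized from the response */
    size_t t = csize;                   /* in/out length for the getter */
    unsigned char *cbuf = malloc(csize ? csize : 1);
    int ok = 0;

    if (cbuf == NULL)
        return 0;
    memset(cbuf, fill, csize);          /* deterministic "stale" contents */
    if (get_serial(cert, cert_len, cbuf, &t) == 0) {
        /* Flawed path: csize was copied from resp_len, so it never differs. */
        size_t len_seen = check_returned_len ? t : csize;
        ok = (resp_len == len_seen) && memcmp(cbuf, resp, resp_len) == 0;
    }
    free(cbuf);
    return ok;
}

int main(void)
{
    int flawed = serial_matches(RESP, sizeof RESP, CERT, sizeof CERT, 0xAA, 0);
    int fixed = serial_matches(RESP, sizeof RESP, CERT, sizeof CERT, 0xAA, 1);
    return (flawed == 1 && fixed == 0) ? 0 : 1;
}
```

With the flawed comparison, the shorter certificate serial is accepted whenever the untouched tail of the buffer happens to equal the remaining response bytes; checking the returned length rejects it regardless of buffer contents.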


