gnutls 3.3.13 double-free in parsing CRL distribution points

2015-04-15 / 2015-09-02

Credit: Robert Święcki

Risk: High

Local: No

Remote: Yes

CVE: CVE-2015-3308

CWE: N/A

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

gnutls 3.3.14 fixes a double-free in parsing CRL distribution points.

It will affect applications which parse CRL distribution points or
print contents of certificates with gnutls-provided functions (e.g.
gnutls_x509_crt_print())

Usually a DoS under modern mem allocators, but creating something more
interesting using double-free exploitation techniques is not out of
the question

changelists:
https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9
https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02

-- 
Robert Święcki

lib/x509/x509_ext.c
 
@@ -2360,7 +2360,6 @@ int gnutls_x509_ext_import_crl_dist_points(const gnutls_datum_t * ext,
  
 	if (ret < 0 && ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
 		gnutls_assert();
-		gnutls_free(san.data);
 		goto cleanup;
 	}

References:

https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9

https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02

http://seclists.org/oss-sec/2015/q2/152

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

gnutls 3.3.13 double-free in parsing CRL distribution points

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.