On Mon, Mar 3, 2014 at 7:22 AM, Nikos Mavrogiannopoulos <[email protected]> wrote:
> This fixes an important (and at the same time embarrassing) bug
> discovered during an audit for Red Hat. Everyone is urged to upgrade.
> The git branches of older releases (e.g., 2.12.x) were also updated
> with patches to the issue as they are also vulnerable. I'll provide more
> information on the issue in the next few days.

Hello,

It seems that this bug got quite some publicity and I even started receiving mail from random people. If anyone has any suggestions on the gnutls project workflow please post it here, and (more importantly) volunteer to take up some work. Judging is easy; doing the actual work isn't.

So here are a few more words on the specific issue. The bug was introduced around the 1.0.0 version, and went undetected for quite a long time, I believe mainly for the following reasons:

1. This bug cannot be detected by any certificate validation tests; prior to any release gnutls is tested against a certificate validation path suite (developed to test X.509 path validation for the USA's DoD), but that couldn't help detect the issue. It didn't help with any of the other issues that had been detected in the X.509 path validation code of gnutls, so we have an additional suite developed in-house. That didn't help with the issue either, because it requires a specially crafted certificate (and I'm not revealing more details on that yet).

2. This bug can only be detected by code audit, which doesn't happen often (it's not a fun thing to do).

3. As this code was on a critical part of the library it was touched, and thus read, very rarely. Moreover, the code in question followed the usual form of error checking in the library, 'if(err<0) return err', making it look correct, unless one would notice that the function returned a boolean value (and we have very few such functions in the library).

Of course the bug was introduced by me and I am fully responsible for it.

That's my last mail on the topic. Shit happens; we flush and go on.
regards,
Nikos

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
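The pattern the mail describes, a boolean-returning function that reuses the library-wide 'if(err<0) return err' idiom so that a helper error escapes as a non-zero "true", is shown below as an added example. This is not GnuTLS code and not the mail author's: the function names (get_ca_flag, check_if_ca_buggy, check_if_ca_fixed, accept_issuer_loose, accept_issuer_strict), the error code ERR_PARSE and the inputs are constructed for illustration, and the assumption that the caller treats any non-zero result as "is a CA" is mine. It contrasts the buggy callee with a fail-closed callee, and a loose caller with one that accepts only the exact true value, which is the check a reviewer would want at either end of such a boundary.

```c
#include <stdio.h>

/* Constructed error code for this example; not a GnuTLS constant. */
#define ERR_PARSE (-7)

/* Stand-in for a helper following the usual library convention:
 * 0 on success, negative on error. 'parse_fails' simulates malformed
 * input; 'ca_flag' is what well-formed constraints would say. */
static int get_ca_flag(int parse_fails, int ca_flag, int *out)
{
    if (parse_fails)
        return ERR_PARSE;
    *out = ca_flag;
    return 0;
}

/* Buggy form (hypothetical, modelled on the bug class in the mail):
 * documented as a boolean (1 = is a CA, 0 = is not), but it reuses the
 * library-wide 'if (err < 0) return err' idiom. A helper error therefore
 * escapes as a negative, non-zero value, which a boolean caller reads
 * as "true". */
static int check_if_ca_buggy(int parse_fails, int ca_flag)
{
    int flag, err;

    err = get_ca_flag(parse_fails, ca_flag, &flag);
    if (err < 0)
        return err;          /* looks idiomatic; wrong in a boolean function */
    return flag ? 1 : 0;
}

/* Hardened form: every failure path yields the boolean "false", so a
 * certificate whose constraints cannot be read is never treated as a CA. */
static int check_if_ca_fixed(int parse_fails, int ca_flag)
{
    int flag, err;

    err = get_ca_flag(parse_fails, ca_flag, &flag);
    if (err < 0)
        return 0;            /* fail closed */
    return flag ? 1 : 0;
}

/* Assumed caller convention: anything other than 0 is taken as "is a CA".
 * Returns 1 if the issuer is accepted as a CA, 0 if rejected. */
static int accept_issuer_loose(int (*check)(int, int), int parse_fails, int ca_flag)
{
    if (check(parse_fails, ca_flag) == 0)
        return 0;
    return 1;
}

/* Defensive caller: only the exact "true" value is accepted, which limits
 * the damage even if the callee leaks an error code. */
static int accept_issuer_strict(int (*check)(int, int), int parse_fails, int ca_flag)
{
    return check(parse_fails, ca_flag) == 1 ? 1 : 0;
}

int main(void)
{
    /* A malformed input (parse_fails = 1) that asserts no CA flag. */
    printf("buggy callee, loose caller : accepted=%d\n",
           accept_issuer_loose(check_if_ca_buggy, 1, 0));   /* 1: the bug */
    printf("fixed callee, loose caller : accepted=%d\n",
           accept_issuer_loose(check_if_ca_fixed, 1, 0));   /* 0 */
    printf("buggy callee, strict caller: accepted=%d\n",
           accept_issuer_strict(check_if_ca_buggy, 1, 0));  /* 0 */
    return 0;
}
```

The two fixes are independent and worth applying together: the callee should never let an error code cross a boolean boundary, and the caller should compare against the exact success value rather than "not zero". A compiler cannot flag this mismatch, which is why, as the mail says, it survives test suites and only falls to a reader who notices the return-value contract.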
