Massive security flaw in GNU/Linux crypto code


#1



#2

On FreeBSD it's probably best to set
WITHOUT_GNUTLS in /etc/make.conf and rebuild all your ports.

Programs that require gnutls can be seen at http://www.freshports.org/security/gnutls/

Hopefully SELinux gets an audit asap.


#3

However, most Linux apps (including browsers running on Linux) use OpenSSL, not GNUTLS, so the impact is less than the headlines would indicate.


#4

The GnuTLS lib is not very widely used, most apps use OpenSSL or NSS. The most prominent GnuTLS users are Mutt and some configurations of curl (a command-line http client).


#5

Doesn't Debian use gnutls heavily?

I've never run Debian but someone once upon a time told me that and I just accepted it as truth because I had no need to verify it.


#6

Looking at my system, it is a bit of a mixed bag.

Packages depending on
libcurl3-gnutls: 368
libgnutls26: 295
libgnutls28: 23

libssl1.0.0: 818
openssl: 93
libcurl3 (openssl flavour): 94


#7

No pattern here, nope. No possibility of such a thing, either. Of course not. That would be paranoid.


#8

Any tips for those of us unable to install or update anything due to repository issues?

Aside from back up and finally try to install another version and hope the installer doesn't crash partway through breaking everything again?

I have an old Ubuntu installation on my machine. I haven't updated because Unity, because new versions break basic tools like scrollbars and break accessibility features, and because adware. I haven't been able to install or update anything for some time, because of repository issues.

[edit function broken again]


#9

Since the GnuTLS error dates back to 2005, and the iOS error began in 2012, the only pattern I see here is coders not fully testing their error handling. Sometimes an error is just an error.


#10

Aye, I'm still using 10.04, because I hate Unity, and 12 plays merry hell with my displays.


#11

I agree entirely that sometimes an error is just an error.

Errors can form patterns and they're worth not discounting out of hand (not saying you did), even if most theories are totally wrong; most violations of trust are disguised as errors by the perpetrators.


#12

The GNUTLS code is terrible though, they ignore common coding conventions and have it set up in a way that makes it difficult to integrate into real programs. It's just badly designed. The fact that an error like this existed was almost inevitable.

This is going to be a bit technical, so hold on.

The error is a mishandling of an error code from a function. By convention in C, you return 0 on success, and non-zero in case of failure. The number you return is generally either -1, or an error code. GNUTLS did the opposite, 0 is failure and 1 is success. When a different programmer in 2005 went and refactored the code, he forgot to account for this and programmed the thing assuming the certificate check returned normal error codes. It's a stupid bug, but it's one that is far too easy to make by accident given the rest of the codebase.
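As an added example that is not part of this thread and not GnuTLS's own code, the C program below models the convention mismatch the post describes (a caller written for "0 = success" reading a helper that returns "1 = success"), and goes one step beyond the post by also showing the companion hazard: a boolean-style checker that passes a negative internal error code straight through to a caller that only tests for non-zero. The hardened form at the end uses one explicit result enum and compares against the single success value. All names here (`cert_state`, `check_boolean_style`, `E_PARSE`, `VERIFY_OK`, and the rest) are hypothetical and constructed for the illustration.

```c
#include <stdio.h>

/*
 * Constructed example (not GnuTLS code): how mixing the two C return
 * conventions described above turns a certificate check into a silent accept.
 *
 * Convention A ("errno style"):   0 = success, non-zero = failure / error code.
 * Convention B ("boolean style"): 1 = success, 0 = failure.
 */

/* Hypothetical states a certificate can be in before checking. */
enum cert_state { CERT_VALID, CERT_INVALID, CERT_UNPARSEABLE };

/* Hypothetical negative error code, in the style many C libraries use. */
#define E_PARSE (-3)

/* Boolean-style checker: 1 = valid, 0 = invalid. When the certificate cannot
 * even be parsed it returns the internal negative error code unchanged, which
 * is the convention leak that makes this pattern dangerous. */
int check_boolean_style(enum cert_state s)
{
    switch (s) {
    case CERT_VALID:   return 1;
    case CERT_INVALID: return 0;
    default:           return E_PARSE;
    }
}

/* Caller written for convention A: "non-zero means failure".
 * Against a boolean-style helper this rejects valid and accepts invalid. */
int caller_assumes_errno_style(int rc)
{
    return rc == 0;
}

/* Caller written for convention B, but loosely: it tests "non-zero" instead
 * of "== 1", so a negative error code is treated as success. */
int caller_assumes_boolean_loosely(int rc)
{
    return rc != 0;
}

/* Hardened form: one explicit result type with three distinct outcomes, and
 * callers compare against the single success value. A zero or a stray
 * negative can no longer be misread as "ok". */
enum verify_result { VERIFY_OK = 1, VERIFY_FAILED = 0, VERIFY_ERROR = -1 };

enum verify_result check_explicit(enum cert_state s)
{
    switch (s) {
    case CERT_VALID:   return VERIFY_OK;
    case CERT_INVALID: return VERIFY_FAILED;
    default:           return VERIFY_ERROR;   /* an error is never folded into success */
    }
}

int caller_hardened(enum verify_result r)
{
    return r == VERIFY_OK;
}

/* One call per scenario; each returns 1 if the certificate was accepted. */
int accepted_mixed_conventions(enum cert_state s)
{
    return caller_assumes_errno_style(check_boolean_style(s));
}
int accepted_loose_boolean(enum cert_state s)
{
    return caller_assumes_boolean_loosely(check_boolean_style(s));
}
int accepted_hardened(enum cert_state s)
{
    return caller_hardened(check_explicit(s));
}

int main(void)
{
    const char *names[] = { "valid", "invalid", "unparseable" };
    for (int s = CERT_VALID; s <= CERT_UNPARSEABLE; s++) {
        printf("%-12s mixed=%d loose=%d hardened=%d\n", names[s],
               accepted_mixed_conventions((enum cert_state)s),
               accepted_loose_boolean((enum cert_state)s),
               accepted_hardened((enum cert_state)s));
    }
    return 0;
}
```

Running it prints one line per certificate state: the mixed-convention caller accepts the invalid certificate and rejects the valid one, the loose boolean caller accepts the unparseable one, and only the hardened caller accepts exactly the valid certificate. The design point is that testing a return value for "zero" or "non-zero" encodes an assumption about the callee's convention; comparing against a named success value removes that assumption from every call site.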


#13

I've got sensory issues. I can't use KDE because of how it handles screen brightness, and can't use certain computers because they're too noisy or too bright [sometimes even the dimmest setting is still too bright to look at]. So when you say 12 "plays merry hell with my displays," I suspect it inflicts a whole 'nother sensory nightmare.


#14

My sympathies. No, my problem is just getting both monitors to behave. They're dropping support for 10.04 this year I believe. I'm going elsewhere.


#15

Yeah. They already dropped support for the version I use - I think the only version that supports the patches and fixes I need.


#16

I'm running 13.04, but switched it to lxde, which seems to be a reasonable compromise between keeping up to date and not being driven insane by the UI. I actually tried Unity for awhile under the assumption that people on the internet are just haters and like to complain, but it really is as bad as they say. I couldn't figure out how to do a bunch of basic tasks, stuff that became immediately obvious once I switched to lxde.

I gave it a good shot too. Over two months before finally throwing in the towel. I guess you don't have to be Microsoft to totally screw up a user interface.


#17

Wow - so there being no pattern was the actual problem!


#18

My cousin's feller worked for Canonical for a bit, and worked with Shuttleworth a few times. He's under the impression he's fucking mental. Unity only goes to prove his supposition.


#19

According to the same page, the security flaw was addressed on March 4th. It doesn't explicitly state to rebuild anything depending on gnutls after updating it, but I figure it wouldn't hurt.


#20

It didn't change the API to the library, so you shouldn't need to rebuild dependent apps unless they're statically linked--which they shouldn't be.