components/gnutls/patches/05-cve-2013-2116.patch
changeset 4068 29a9d33b67fa
4066:ab220f4ee1f7 4068:29a9d33b67fa
       
     1 Source:
       
     2 http://www.gnutls.org/security.html
       
     3 Info:
       
     4 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2116
       
     5 The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 
       
     6 2.12.23 allows remote attackers to cause a denial of service (buffer over-read 
       
     7 and crash) via a crafted padding length. NOTE: this might be due to an 
       
     8 incorrect fix for CVE-2013-0169.
       
     9 Status:
       
    10 Need to determine if this patch has been sent upstream.
       
    11 
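Review bot: the Status line (patch line 10) is left open, and the description quotes the CVE text for GnuTLS 2.12.23 while the diff that follows is against gnutls-2.8.6. Suggest saying explicitly that this is a backport to 2.8.6 and that 2.8.6 contains the affected padding code, and replacing the Status text with the upstream commit or release the change was taken from, since the Source line already points at the upstream security page.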
       
    12 --- gnutls-2.8.6/lib/gnutls_cipher.c.orig	2013-06-04 12:03:39.812680465 +0530
       
    13 +++ gnutls-2.8.6/lib/gnutls_cipher.c	2013-06-04 12:02:56.766612394 +0530
       
    14 @@ -554,6 +554,8 @@ _gnutls_ciphertext2compressed (gnutls_se
       
    15  	}
       
    16  
       
    17        pad = ciphertext.data[ciphertext.size - 1];   /* pad */
       
    18 +      if (pad+1 > ciphertext.size-hash_size)
       
    19 +        pad_failed = GNUTLS_E_DECRYPTION_FAILED;
       
    20  
       
    21        /* Check the pading bytes (TLS 1.x).
       
    22         * Note that we access all 256 bytes of ciphertext for padding check
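Review bot: the added check `pad+1 > ciphertext.size-hash_size` does not guard the right-hand side against ciphertext.size being smaller than hash_size. The declarations are outside this hunk, but if both operands are unsigned the subtraction wraps to a large value and the comparison never fires, so a short record with a crafted padding byte would still pass. Suggest either pointing to the earlier length check that guarantees ciphertext.size >= hash_size, or writing the test without a subtraction, for example `pad + 1 + hash_size > ciphertext.size`, evaluated in a type wide enough for the sum. The check also only sets pad_failed and falls through, which matches the following comment about accessing all 256 bytes, so a short comment on the new lines saying that the fall-through is intentional and that the later indexing stays in bounds when pad_failed is set would help the next reader.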