Source:
http://www.gnutls.org/security.html
Info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466
Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in
GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote
servers to cause a denial of service (memory corruption) or possibly execute
arbitrary code via a long session id in a ServerHello message.
Status:
Need to determine if this patch has been sent upstream.
--- gnutls-2.8.6/lib/gnutls_handshake.c.orig 2014-06-05 10:04:17.494148857 +0530
+++ gnutls-2.8.6/lib/gnutls_handshake.c 2014-06-05 10:05:44.462058226 +0530
@@ -1518,7 +1518,7 @@ _gnutls_read_server_hello (gnutls_sessio
DECR_LEN (len, 1);
session_id_len = data[pos++];
- if (len < session_id_len)
+ if (len < session_id_len || session_id_len > TLS_MAX_SESSION_ID_SIZE)
{
gnutls_assert ();
return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;