GnuTLS certificate verification vulnerability announced (CVE-2014-0092)
The GnuTLS team has their announcement at http://www.gnutls.org/security.html#GNUTLS-SA-2014-2 but the announcement with details seems to be Red Hat's at https://rhn.redhat.com/errata/RHSA-2014-0247.html
"It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker."
40 comments
[ 3.7 ms ] story [ 102 ms ] threadhttps://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150cc...
Uninitialized "result" variable? Any time the code hits one of those "cleanup" gotos, it's probably returning nonzero unexpectedly?
Later: @filcab on Twitter points out the much dumber issue, which is that if issuer_version is < 0, the function returns issuer_version and not zero. Ow.
(Who uses GnuTLS?)
tl;dr: A conjunction of two old licenses, resulting in the advertising requirement that "every occurrence of the license with a different name required a separate acknowledgment", which is incompatible to GNU GPL.
"However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable."
According to this https://en.wikipedia.org/wiki/GnuTLS
Apache httpd (configurable), GNOME, wireshark
I had forgotten about libcurl3-gnutls. There are a lot of things that depend on the libcurl3-gnutls, that list is long and distinguished. But I feel a little icky listing things without actually verifying they are affected. Just because they depend on the libs does not mean they use the bad code in the lib.
If you want to see what depends on libgnutls26 or libcurl3-gnutls in debian:
The --installed filter selects only those things that you have installed that depend on X: Scoreboard:A similar thing happened around 20 years ago, with a program called RIPEM. RIPEM was an implementation of S/MIME. It was distributed in source form, and to build it you needed two libraries (well, you probably needed more than two, but only two are relevant for this discussion).
1. You needed a library that implemented RSA cryptographic algorithms. RIPEM used the RSAREF library for this. RSAREF was a library distributed by RSA (the company) that was free to use, but was not free software. I believe that a copy of RSAREF was distributed with RIPEM, although I don't recall for sure.
2. You needed an arbitrary precision integer arithmetic library. No such library was included with RIPEM. You were expected to supply your own (or build RIPEM on a system that included one as part of the system).
The two most common arbitrary precision integer arithmetic libraries on Unix and Unix-like systems at the time were the Berkeley MP library and GNU MP. I'll call these BMP and GMP.
RIPEM could be compiled to work with with BMP or GMP. There were #ifdef statements in the code that selected the appropriate code for the library you wanted to compile for.
RSAREF was not under a GPL compatible license, so if you built a binary of RIPEM linked with GMP, you ended up with a binary that you could not distribute. RIPEM, however, was distributed in source form, not binary form, and did not include GMP in the distribution.
RMS, and someone else from the FSF, objected and told the RIPEM people that they were violating GPL. Their argument was that when you ship source code that uses an interface provided by GMP (even if that is only on option), some people will download GMP in order to build the program, and so your distribution of your source has induced the distribution of GPLed code. That induced distribution, they believe, made your source subject to GPL [1].
What finally happened was that to put an end to this nonsense the RIPEM people wrote a new arbitrary precision integer arithmetic library that had the same interface as GMP but was actually just a wrapper for BMP. That satisfied RMS/FSF, since now there was a non-GPL implementation of the GMP interface, and so now those who downloaded the RIPEM source and built with the "use GMP" option could be linking with either GMP or the new library, so this no longer counted as an induced GMP distribution.
[1] It is actually possible for one party to be liable for the copyright infringement of another party, and so if that infringement involved GPL code, then the first party could be subject to GPL. There are a couple ways this can happen.
One way is called "induced infringement", which happens when a party that is under your control infringes under your direction. This would not apply here because there is not a sufficient control relationship.
The other way is called "contributory infringement", and happens when one party helps another party infringe. This would not apply here because in order for party A to be a contributory infringer to party B's infringement, there has to be a direct infringement by party B. Since it does NOT violate the GPL for me to download GPL code and link it with non-GPL code to produce a binary that I run on my computer (it only becomes a violation if I distribute that binary to others), nothing you do to aid me in this can be contributory infringement.
People who want IPv6, DTLS, decent cli tools (gnutls-cli), pkcs11.
https://lwn.net/Articles/486369/
https://twitter.com/kaepora/status/440687403012227073
IMO, C is no longer suitable as a systems programming language. It has stopped being that a long time ago, and its only value is ABI stability. (COM and similar technologies work with C++ and other languages, so C is unnecessary even for that purpose.)
These are genuine questions, it would be great to hear your answers about these things :)
Same underlying machine model => same mitigation techniques apply as in C.
> surface area of the C++ runtime itself
No RTTI and no exceptions => no runtime. (By "runtime" I mean code necessary to support language features, not the C++ standard library. E.g., without RTTI and exceptions C++ is as suitable for building an OS as C is.)
Still, RTTI and exceptions are table-driven and I'd worry about their integrity if somebody manages to change the RTII and exception tables embedded in the executable. Largely prevented by signing executables. (Oh, the irony :-))
> How do you find auditors for C++ code [..cut]
More than half of the standard text is dedicated to standard library. I've heard it been said (I've not checked myself) that the description of the core language is only slightly longer than that of Java or C#.
But standard size is not that relevant. Reasonable C++ code is easy to write (for an experienced developer), easy to understand, and auditors can always "fail" the code if they don't know what's going on.
Auditing is expensive, so you have a lot of incentives to write reasonable code from the start.
Here is a comment which links to a talk in which Herb Sutter says it:
https://news.ycombinator.com/item?id=7094239
Neither is C++. People writing new systems level code should seriously consider safer languages. ATS, Rust, Mercury, OCaml, SML, and many others.
That said I'd hope that systems like ATS, Mercury, MLTon and OCaml being open source make it easier to contribute to the implementation for issues that come up and this would offset any 'not enough real world' problems that they have. If you don't like those languages, pick another (eg. Haskell).
[1] http://en.wikipedia.org/wiki/Prince_XML
[2] http://www.missioncriticalit.com/technology.html
[3] http://mmpool.bitparking.com/pool
[4] https://blogs.janestreet.com/category/ocaml/
[5] http://mlton.org/Users
[6] https://blog.mozilla.org/blog/2013/04/03/mozilla-and-samsung...
Maybe C++ is better suited, maybe it isn't. I don't care. It's not the problem here.
The problem is poor test coverage and code auditing. You could rewrite it in prolog for all I care, it doesn't address this core issue. Don't miss the forest for the trees.
This is a straw-man. A bug in the destructor would lead to resource leaks and to eventual program failure. "Slightly" different from a complete and silent failure to perform a critical security task.
> Bugs happen, in any language.
Another straw-man. Some languages are more conducive to certain types of bugs. See PHP for example.
> You could rewrite it in prolog for all I care, it doesn't address this core issue.
The core issue is bad software engineering. If you look at the code more closely, it doesn't even use a consistent convention for signaling failure. The code looks something like
and at 'fail' label you find `ret = 0` followed by freeing resources and returning ret to the caller.The bug wouldn't be there either if they just settled on using the POSIX convention of negative return value meaning failure. But no.., they have to translate it to a pseudo-boolean stored in an int.
Maybe it would make it harder to introduce this kind of bug (after all, goto error handling could be considered a hack because C lacks proper exceptions) but no language is bug-proof by design. If you're writing security-sensitive code you should have complete code coverage with tests. If you have that you could implement the library in assembly for all I care.
I'm not attempting to bash C++, it's a language I use from time to time. And I agree that RAII is a convenient patter that I often yearn for in C. It's just that in my opinion in this case (and in the "goto fail" bug of late) that's not the core of the issue.
Good on them for looking for similar errors in their own code. Thanks Redhat, for the audit, and for making the internet safer!
This is a win for Free software (and OSS), since the history of the bug can be traced, and outside developers can audit it. We still don't know how the bug got in there with the Apple bug - since the repository is not open.
GNUTLS has a (using your words) "similar" bug in the wild for more than 13 YEARS, and its nothing but praise because "they audited the code"?
Edit: See https://www.gitorious.org/gnutls/gnutls/blame/6aa26f78150ccb...
"GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. It is aimed to be portable and efficient with focus on security and interoperability."
from : http://www.gnutls.org/
The "goto fail" pattern seems pretty common though - I was wondering what it had in its favour apart from being a easier to type (which would also be true of "not checking for errors" for example).
Like any other design pattern (C or otherwise) it's easy to misuse or abuse and it's not suited to every combination of library usage.