Announcement

**vinnywright** · Mar 04, 2014, 06:27 PM

Code:

vinny@vinny-HP-G62:~$ apt-cache whatdepends gnutls
E: Invalid operation whatdepends
vinny@vinny-HP-G62:~$

VINNY

**Feathers McGraw** · Mar 04, 2014, 06:29 PM

Ha!

Please try this:

Code:

apt-cache whatdepends pkg gnutls

Feathers

**vinnywright** · Mar 04, 2014, 06:30 PM

Code:

vinny@vinny-HP-G62:~$ apt-cache rdepends gnutls
E: No packages found
vinny@vinny-HP-G62:~$

VINNY

**vinnywright** · Mar 04, 2014, 06:31 PM

Code:

vinny@vinny-HP-G62:~$ apt-cache whatdepends pkg gnutls
E: Invalid operation whatdepends
vinny@vinny-HP-G62:~$

VINNY

**Feathers McGraw** · Mar 04, 2014, 06:33 PM

Not sure if that's an error or just a good sign tbh!

Is gnutls even in the repos? Perhaps the package is called something else...

Code:

apt-cache search gnutls

**vinnywright** · Mar 04, 2014, 06:37 PM

however

Code:

vinny@vinny-HP-G62:~$ apt-cache rdepends libgnutls26
libgnutls26
Reverse Depends:
  libavformat53
  wine-compholio
  wine-compholio
  xen-utils-4.1
  vlc-nox
  rsyslog-gnutls
  python-gnutls
  libavformat-extra-53
  chromium-browser
  vino
  telepathy-gabble
  qemu-kvm
  lynx-cur
  libvirt0
  libvirt-bin
  libimobiledevice3
  libgnutlsxx27
  libgnutls26-dbg
  libgnutls-openssl27
  libgnutls-dev
  libgcrypt11
  libgadu3                                                                                                                                                                                      
  libcurl3-gnutls                                                                                                                                                                               
  libcups2                                                                                                                                                                                      
  libavformat53                                                                                                                                                                                 
  gnutls-bin                                                                                                                                                                                    
  exim4-daemon-light                                                                                                                                                                            
  exim4-daemon-heavy
  cups
  xxxterm
  xfce4-mailwatch-plugin
  xen-utils-4.1
  wzdftpd
  wmbiff
  wine1.4-i386
  weechat-curses
  weechat-core
  webfs
  vpnc
  vlc-nox
  sogo
  shishi-kdc
  scrollz
  rsyslog-gnutls
  qutim
  qemu-system
  python-gnutls
  proxytunnel
  prelude-manager
  postal
  plasma-widget-mail
  pianobar
  pacemaker-mgmt-client
  pacemaker-mgmt
  openconnect
  nzbget
  nullmailer
  ngircd
  newsbeuter
  mutt-patched
  msmtp-gnome
  msmtp
  mpop-gnome
  mpop
  minbif
  mandos-client
  libyaz4
  libxmlsec1-gnutls
  libwireshark2
  libvmime0
  libucommon5
  libsope1
  libshishi0
  libprelude2
  libopenvasnasl2-dev
  libopenvasnasl2
  libopenvas2
  libopenconnect2
  libnussl1
  libnet6-1.3-0
  libmicrohttpd10
  libmailutils4
  libloudmouth1-0
  libinfinity-0.5-0
  libinfgtk3-0.5-0
  libiksemel3
  libgwenhywfar60
  libgnustep-base1.22
  libgloox8
  libggz2
  libgensec0
  libevd-0.1-0
  libetpan15
  libepc-1.0-3
  libeet1
  libecore-con1
  libavformat-extra-53
  libapache2-mod-gnutls
  kildclient
  jd
  ircd-ratbox
  inspircd
  infinoted
  gurlchecker
  gtk-gnutella
  gsasl
  gnu-smalltalk
  gnomint
  gkrellm
  freewheeling
  freetds-bin
  filezilla
  emacs24-lucid
  elinks-lite
  elinks
  ekg2-remote
  ekg2-jabber
  echoping
  csync2
  claws-mail
  charybdis
  centerim-utf8
  centerim-fribidi
  centerim
  bitlbee-libpurple
  bitlbee
  aria2
  anubis
  aiccu
  abiword
  vino
  telepathy-salut
  telepathy-gabble
  tdsodbc
  qemu-kvm
  pacemaker
  ntfs-3g
  mutt
  lynx-cur
  libvncserver0
  libvirt0
  libvirt-bin
  libsybdb5
  librtmp0
  libneon27-gnutls
  libldap-2.4-2
  libimobiledevice3
  libgvnc-1.0-0
  libgnutlsxx27
  libgnutls26-dbg
  libgnutls-openssl27
  libgnutls-dev
  libgnomevfs2-0
  libgcrypt11
  libgadu3
  libcurl3-gnutls
  libcups2
  libct4
  libcrmcommon2
  libcib1
  libavformat53
  lftp
  gnutls-bin
  glib-networking
  exim4-daemon-light
  exim4-daemon-heavy
  empathy
  emacs24-nox
  emacs24
  cups
vinny@vinny-HP-G62:~$

VINNY

**vinnywright** · Mar 04, 2014, 06:39 PM

and

Code:

vinny@vinny-HP-G62:~$ apt-cache search gnutls
gnutls-bin - GNU TLS library - commandline utilities
gnutls-doc - GNU TLS library - documentation and examples
libcurl3-dbg - debugging symbols for libcurl (OpenSSL, GnuTLS and NSS flavours)
libcurl3-gnutls - easy-to-use client-side URL transfer library (GnuTLS flavour)
libcurl4-gnutls-dev - development files and documentation for libcurl (GnuTLS flavour)
libgnutls-dev - GNU TLS library - development files
libgnutls-openssl27 - GNU TLS library - OpenSSL wrapper
libgnutls26 - GNU TLS library - runtime library
libgnutls26-dbg - GNU TLS library - debugger symbols
libgnutlsxx27 - GNU TLS library - C++ runtime library
libneon27-gnutls - HTTP and WebDAV client library (GnuTLS enabled)
libneon27-gnutls-dbg - Detached symbols for libneon27 (GnuTLS enabled)
libneon27-gnutls-dev - Header and static library files for libneon27 (GnuTLS enabled)
libsoup-gnome2.4-1 - HTTP library implementation in C -- GNOME support library
libsoup-gnome2.4-dev - HTTP library implementation in C -- GNOME support development files
libsoup2.4-1 - HTTP library implementation in C -- Shared library
libsoup2.4-dbg - HTTP library implementation in C -- debugging symbols
libsoup2.4-dev - HTTP library implementation in C -- Development files
libsoup2.4-doc - HTTP library implementation in C -- API Reference
python-pycurl - Python bindings to libcurl
python-pycurl-dbg - Python bindings to libcurl (debug extension)
python3-pycurl - Python 3 bindings to libcurl
python3-pycurl-dbg - Python 3 bindings to libcurl (debug extension)
cadaver - command-line WebDAV client
dsyslog-module-gnutls - advanced modular syslog daemon - GnuTLS support
guile-gnutls - GNU TLS library - GNU Guile bindings
libapache2-mod-gnutls - Apache module for SSL and TLS encryption with GnuTLS
libapr-memcache-dev - memcache client library development files
libapr-memcache0 - memcache client library
libghc-gnutls-dev - bindings for GNU TLS
libghc-gnutls-doc - bindings for GNU TLS; documentation
libghc-gnutls-prof - bindings for GNU TLS; profiling libraries
libgnutls28 - GNU TLS library - main runtime library
libgnutls28-dbg - GNU TLS library - debugger symbols
libgnutls28-dev - GNU TLS library - development files
libgnutlsxx28 - GNU TLS library - C++ runtime library
libjs-strophe - Library for writing XMPP clients
libwww-curl-perl - Perl bindings to libcurl
libxmlsec1-gnutls - Gnutls engine for the XML security library
mailutils-imap4d - GNU mailutils-based IMAP4 Daemon
mailutils-pop3d - GNU mailutils-based POP3 Daemon
mcrypt - Replacement for old unix crypt(1)
python-gnutls - Python wrapper for the GNUTLS library
rsyslog-gnutls - TLS protocol support for rsyslog
tclcurl - Tcl bindings to libcurl
vinny@vinny-HP-G62:~$

VINNY

**GreyGeek** · Mar 04, 2014, 06:42 PM

Try

apt-cache depends libgnutls28

apt-cache depends libgnutls26

and also use the "rdepends" switch.

**vinnywright** · Mar 04, 2014, 06:47 PM

Originally posted by GreyGeek View Post

Try

apt-cache depends libgnutls28

apt-cache depends libgnutls26

and also use the "rdepends" switch.

read down ,,,,,,did it

VINNY

**ronw** · Mar 04, 2014, 08:16 PM

From a regular update today on 13.10:

Code:

Tue, Mar  4 2014 15:55:44 -0500

IMPORTANT: this log only lists intended actions; actions which fail due to
dpkg problems may not be completed.

Will install 2 packages, and remove 0 packages.
===============================================================================
[UPGRADE] libgnutls-openssl27:amd64 2.12.23-1ubuntu4.1 -> 2.12.23-1ubuntu4.2
[UPGRADE] libgnutls26:amd64 2.12.23-1ubuntu4.1 -> 2.12.23-1ubuntu4.2
===============================================================================

**Feathers McGraw** · Mar 04, 2014, 08:18 PM

Owch... chromium is affected!

**Feathers McGraw** · Mar 04, 2014, 09:16 PM

Thanks for that ronw!

There's a quotation from Howard Chu of open LDAP 6 years ago that was discussed in the /. comments, which was quite interesting:

http://www.openldap.org/lists/openld.../msg00072.html

Looking across more of their APIs, I see that the code makes liberal use of strlen and strcat, when it needs to be using counted-length data blobs everywhere. In short, the code is fundamentally broken; most of its external and internal APIs are incapable of passing binary data without mangling it. The code is completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data.

Someone checked against the most recent, patched, GnuTLS source code:

Code:

 find . -name '*.c' | xargs grep strlen | wc -l
522

find . -name '*.c' | xargs grep strcat | wc -l
44

Bit over my head but that suggests that if it was a problem then it's still a problem now.

**GreyGeek** · Mar 05, 2014, 11:06 AM

Ah, so you did. My apologies.

(Believe it or not, your two searches at 6:39 were not in the msg list when I read this thread and responded at 6:42)

Anyway, here's the skinny, which the pissing contest on /. and ARS didn't reveal.
http://www.gnutls.org/security.html
It wasn't found in the wild, or by someone noticing a break-in.

The vulnerability was discovered during an audit of GnuTLS for Red Hat.

The audit was easy to do because the source code was open to all. That someone didn't notice it before, during the last 10 years, suggests that the bug is an edge case which isn't easily noticed.

How to mitigate the attack?

Upgrade to the latest GnuTLS version (3.2.12 or 3.1.22), or apply the patch for GnuTLS 2.12.x.

Kubuntu 14.04 with the latest updates, as of 11AM CST, is running the 3.2.11-2ubuntu1 version, so an update is needed. I have no doubt that the update will come flying through to the repository and an automatic update ASAP.

Announcement

GnuTLS vulnerability

GnuTLS vulnerability

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment