Bug In the GnuTLS Library Leaves Many OSs and Apps At Risk

New submitter williamyf writes "According to this article at Ars Technica, '[A] bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn't be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.' The coding error may have been present since 2005."

We all knew it was coming...

[neiras]

From February 16 2008: Howard Chu of OpenLDAP: GnuTLS Considered Harmful

Looking across more of their APIs, I see that the code makes liberal use of strlen and strcat, when it needs to be using counted-length data blobs everywhere. In short, the code is fundamentally broken; most of its external and internal APIs are incapable of passing binary data without mangling it. The code is completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data.

Incredible that GnuTLS is used anywhere at all. It's just mind boggling.

Re:We all knew it was coming...

[sk999]

Just downloaded the latest patched source code. Here's the summary:

find . -name '*.c' | xargs grep strlen | wc -l
522

find . -name '*.c' | xargs grep strcat | wc -l
44

Just as flawed as ever.

Re:AHAHAHAHAH

[bonch]

The bug was found due to observed behavior, not due to a code review.

Incompatible license

[tepples]

The OpenSSL license is not compatible with the GNU General Public License.