Slashdot Mirror


Not Just Apple: GnuTLS Bug Means Security Flaw For Major Linux Distros

According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple's iOS (and which Apple has since fixed). Says the article: "The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical 'goto fail' flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug." And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.
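An added illustration of the bug class the summary describes (not GnuTLS's code and not from the Ars article): a certificate check that exits early on an internal error and hands its caller a value the caller reads as a positive answer. The error constant, the `cert_t` struct, the `get_signed_data` helper and both `check_if_ca_*` functions are constructed for this example; the fixed variant shows the fail-closed form.

```c
#include <stdbool.h>

/* Constructed error code: negative means failure. Not a real library constant. */
#define ERR_BAD_SIGNATURE (-44)

/* Constructed stand-in for a parsed certificate. */
typedef struct {
    bool signature_ok;   /* does the issuer's signature verify? */
    bool issuer_is_ca;   /* does the issuer carry the CA flag? */
} cert_t;

/* Hypothetical helper: 0 on success, negative error code on failure. */
static int get_signed_data(const cert_t *c)
{
    return c->signature_ok ? 0 : ERR_BAD_SIGNATURE;
}

/* VULNERABLE pattern. Contract: return 1 if the certificate is a valid CA,
 * 0 if not. On an internal error the code jumps to cleanup without resetting
 * result, so the negative error code escapes to a caller that treats any
 * non-zero value as "yes". */
static int check_if_ca_vulnerable(const cert_t *c)
{
    int result = get_signed_data(c);
    if (result < 0)
        goto cleanup;                     /* result is still negative here */
    result = c->issuer_is_ca ? 1 : 0;
cleanup:
    return result;
}

/* FIXED pattern: every error path yields 0, so the function only ever
 * returns 0 or 1 and an internal failure can never look like success. */
static int check_if_ca_fixed(const cert_t *c)
{
    int result = get_signed_data(c);
    if (result < 0) {
        result = 0;                       /* fail closed */
        goto cleanup;
    }
    result = c->issuer_is_ca ? 1 : 0;
cleanup:
    return result;
}

/* The caller treats the check as a boolean; that is what turns an escaped
 * error code into an accepted, unverified chain. */
static bool chain_accepted(int (*check)(const cert_t *), const cert_t *c)
{
    return check(c) != 0;
}
```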

27 of 144 comments

  1. It's time by Ol Olsoc · · Score: 5, Funny

    This, if nothing else, should show everyone it's time to switch to Windows, the OS immune to exploits.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  2. Old news by David Jao · · Score: 5, Insightful
    This is quite old news, why is slashdot only picking up on it now?

    The impact of this bug does not compare to the goto fail bug. Most Linux distributions use OpenSSL for TLS. Even if a program links to GnuTLS, it may not use GnuTLS for certificate validation, and if it doesn't, then it's not affected by this bug (one example is Google Chrome). It's not like iOS where everything is required (by App Store rules) to use SecureTransport.

    1. Re:Old news by ganjadude · · Score: 4, Funny
      it's a timmy post...

      "Linux" refers to a broad range of systems and vendors, rather than a single company,

      really? this is /. timmy, get with the program, everyone knows this because THIS YEAR will be the year of linux on the desktop

      --
      have you seen my sig? there are many others like it but none that are the same
    2. Re:Old news by swillden · · Score: 5, Informative

      This is quite old news, why is slashdot only picking up on it now?

      Slashdot picked it up on March 4th, actually. This is a dupe.

      The impact of this bug does not compare to the goto fail bug.

      Agreed.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Old news by Sipper · · Score: 2

      Most Linux distributions use OpenSSL for TLS. Even if a program links to GnuTLS, it may not use GnuTLS for certificate validation, and if it doesn't, then it's not affected by this bug (one example is Google Chrome). It's not like iOS where everything is required (by App Store rules) to use SecureTransport.

      Another (non-issue) example is MTA (email) transfers; typically on Linux systems MTAs such as Exim use GnuTLS for TLS transfers, but purposely don't do certificate verification (but can be specifically configured to do so).

      This is still a serious security issue for anything that does use GnuTLS for certificate verification of course, but off the top of my head I don't have a specific example of where this is done on the Linux platform. [There probably is an example to be found somewhere though.]

    4. Re:Old news by c4t3l · · Score: 2

      What is even funnier is that "one of the biggest names in the Linux world, "RedHat"" fixed the damn bug the day before the original article was published... Nice try idiots (read Ars Technica)...

    5. Re:Old news by hydrofix · · Score: 2

      This is quite old news, why is slashdot only picking up on it now?

      Slashdot did pick it up earlier already when it was first announced. So it's a dupe, really.

    6. Re:Old news by BasilBrush · · Score: 2, Funny

      "The GNU crap". :-)

      It's amazing how quickly the FOSS community will throw Stallman under the bus, if the alternative is accepting parity with Apple's security bug.

    7. Re:Old news by dgatwood · · Score: 2

      You missed one major technical rule: all browsers on iOS that support local rendering are required to use the system rendering engine.

      Actually, no, I'm pretty sure they're just not allowed to use any JavaScript engine other than the built-in JavaScriptCore. And as of iOS 7, it's theoretically possible to actually do so without using WebKit.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. Slow weekend over at Ars? by Zontar The Mindless · · Score: 4, Informative

    My distro patched this over a month ago.

    --
    Il n'y a pas de Planet B.
  4. There are rumours... by gnasher719 · · Score: 3, Interesting

    that Apple took notice of some accusations that the NSA managed to modify some open source codebases, reviewed all code that was checked in at about the suspicious time frame, and found the "goto fail" bug that way. No idea whether this is true, but I'd be curious who checked in this bug.

    1. Re:There are rumours... by Megol · · Score: 3, Informative

      There are also rumors that all the world's leaders are reptilians.

  5. People use GnuTLS? by aleph · · Score: 4, Insightful

    Is anyone other than Debian zealous enough to use GnuTLS?

    I rarely agree with Howard Chu of OpenLDAP fame, but... http://www.openldap.org/lists/...

  6. Near Zero Impact by marienf · · Score: 4, Informative

    > Most Linux distributions use OpenSSL for TLS.
    > Even if a program links to GnuTLS, it may not use GnuTLS for certificate validation,
    > and if it doesn't, then it's not affected by this bug (one example is Google Chrome)

    Agree. I've run through everything that linked to gnutls on my distro (Arch) and although there are quite a lot of binaries that do, most of those do not offer TLS connections (or any network connectivity at all), so my guess (without knowing GnuTLS at all) is that they use some other feature offered by the library.

    Of those that I know actually capable of SSL/TLS connections, all (also) link to OpenSSL.

    So without making a definitive statement, AFAICT this should have near zero impact on GNU/Linux.
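A scripted version of the audit described in the post above, added here as an example (not the commenter's own script). It assumes the loader reports the libraries as `libgnutls.so*` and `libssl.so*` and that `ldd` is available; `classify_tls_libs` reads `ldd` output and `scan_path` applies it to every executable on PATH.

```bash
#!/bin/sh
# Reads ldd output on stdin and prints one of:
#   gnutls-only   links GnuTLS and no OpenSSL   -> review how GnuTLS is used
#   both          links GnuTLS and OpenSSL      -> check which one verifies
#   openssl-only  links OpenSSL, no GnuTLS
#   none          neither library
# Library name patterns are assumptions for this example.
classify_tls_libs() {
    has_gnutls=0
    has_ssl=0
    while read -r line; do
        case "$line" in
            *libgnutls.so*) has_gnutls=1 ;;
            *libssl.so*)    has_ssl=1 ;;
        esac
    done
    if [ "$has_gnutls" = 1 ] && [ "$has_ssl" = 1 ]; then
        echo both
    elif [ "$has_gnutls" = 1 ]; then
        echo gnutls-only
    elif [ "$has_ssl" = 1 ]; then
        echo openssl-only
    else
        echo none
    fi
}

# Walks every executable on PATH and lists the ones that pull in GnuTLS,
# which is the set the post says still needs a per-program look.
scan_path() {
    (
        IFS=:
        for d in $PATH; do
            for f in "$d"/*; do
                [ -f "$f" ] && [ -x "$f" ] || continue
                cls=$(ldd "$f" 2>/dev/null | classify_tls_libs)
                case "$cls" in
                    gnutls-only|both) echo "$cls $f" ;;
                esac
            done
        done
    )
}
```

Linking is only the first cut: as the post notes, a program may link GnuTLS for something other than certificate verification, so each hit still needs a look at how the library is used.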

  7. What the hell is this, timothy? by Anonymous Coward · · Score: 5, Insightful

    Are you trolling for an Apple-vs-Linux flame war? do you have a zealous attachment to Apple? or are you just dull?

    1) This is old news, and /. has already reported on it;

    2) Hardly anything uses the GNU TLS library, and for the same reason people have been advising against Apple's rewrite of security libraries: because it's better to use something that's had over a decade of development and review and is widely deployed across a series of platforms;

    3) You're arguing about the heterogeneity of the Linux platform as if it's a bad thing, while in fact this acts in Linux's favour. Even though the GNU project might like people to use gnutls, distros have chosen not to. Apple either discourages choice or makes it impossible, depending on what exactly you're targeting, which is why everything was affected.

  8. yep, it is old news - already fixed in most Linux by mpb · · Score: 2

    Fixed at the beginning of March.
    Example: http://advisories.mageia.org/MGASA-2014-0117.html

    "Nothing to see here. Move on."

  9. Re:If GNUTls is unneeded, then create a NO-OP libr by Sipper · · Score: 5, Informative

    Create a library with that name that does nothing, or logs errors for any entry points. Why is something being shipped that is insecure? I understand that the builds have to be changed. But the library could be replaced with a skeleton right now, can't it?
    And maybe we would see that it's not quite as inactive as people think.

    There are two distinct parts of SSL/TLS: encryption and authentication. In this case it's only the authentication portion that has an issue, not the encryption portion. There are several places in which GnuTLS is used for encryption but not authentication, such as MTA (email) transfers over TLS (at least most of the time).

    As for why GnuTLS exists, AFAIK it's mainly because of licensing issues -- compiling a GPLv2+ program against OpenSSL gets into licensing troubles, so there needed to be a GPL compatible alternative.

  10. Re:Real question by MightyYar · · Score: 2

    In my ports tree:
            audio/ario
            audio/pianobar
            deskutils/fusenshi
            deskutils/taskd
            deskutils/taskwarrior
            devel/gwenhywfar
            devel/gwenhywfar-fox16
            devel/gwenhywfar-gtk2
            devel/gwenhywfar-qt4
            devel/librelp
            devel/libvirt
            editors/abiword
            editors/emacs
            editors/emacs-nox11
            emulators/qemu
            emulators/qemu-devel
            ftp/filezilla
            ftp/wput
            ftp/wzdftpd
            games/pokerth
            irc/bitlbee
            irc/ctrlproxy
            irc/weechat
            japanese/jd
            lang/gnustep-base
            mail/anubis
            mail/claws-mail
            mail/libvmime
            mail/xfce4-mailwatch-plugin
            multimedia/ffmpeg
            multimedia/libav
            net/csync2
            net/glib-networking
            net/gtk-vnc
            net/morebalance
            net/net6
            net/remmina-plugin-vnc
            net/samba4
            net/samba41
            net/sixxs-aiccu
            net/tigervnc
            net/vino
            net-im/gloox
            net-im/jabber
            net-im/loudmouth
            net-p2p/gtk-gnutella
            net-p2p/ncdc
            news/nzbget
            security/gnomint
            security/gsasl
            security/libprelude
            security/libpreludedb
            security/openvas-libnasl
            security/openvas-libraries
            security/openvas-plugins
            security/prelude-lml
            security/prelude-manager
            security/py-gnutls
            security/shishi
            sysutils/heartbeat
            textproc/iksemel
            www/gurlchecker
            www/hydra
            www/mod_gnutls
            www/wwwoffle
            www/xombrero
            net-im/jabber.el
            editors/emacs-devel
            multimedia/vlc

    And some linux ports of Acrobat Reader and CUPS libraries. There is also a module for Apache.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  11. Re:And yet... by GPLHost-Thomas · · Score: 5, Informative

    Please define "as quickly as desired". Debian was fixed on the 3rd of March, which is the date of the Debian Security Advisory; that's pretty quick to me. I wonder exactly why this article pops up now, when we've all been patched for a long time.

  12. Re:Trust No One by mark-t · · Score: 2, Interesting

    The difference is that with closed source, the only exploits that are discovered by third parties and get fixed are those that have already been exploited, and already resulted in vulnerable systems.

    With open source, exploits can potentially be discovered and reported by other parties *before* the exploit has actually ever been used, meaning that a fix is available at the same time that the exploit becomes public knowledge, and anyone who updates as soon as such an exploit becomes known has a higher level of confidence that their system will have not yet been compromised. The very fact that open source may also make it easier for a third party to find a way to exploit a previously unknown vulnerability also makes it easier for a third party to take action that will lead to the issue being corrected.

    With open source, such critical bugs can and actually *will* be fixed, a sufficiently technically competent individual could even do so themselves, where with closed source, absolutely everyone is at the whim of the development team's schedule.

  13. Re:Trust No One by Arker · · Score: 3, Insightful

    Free/Open code is a necessary but not sufficient condition for security.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  14. Re:Ha! by rubycodez · · Score: 3, Funny

    and the blue screening of classic windows provides a hard shield against any rogue processes owning the machine for too long

  15. Re:Welcome to the New World Order by Immerman · · Score: 2

    Who said anything about aliens? The reptilians are actually an earlier sentient species of Earthling, driven underground by the asteroid impact that ushered in the extinction of the dinosaurs. They're only meddling in primitive Human politics to keep us from interfering with their space program.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  16. Re:And yet... by houstonbofh · · Score: 4, Insightful

    For all the speed with which Debian rolled out a patch, it'll still be months or years before this patch makes it into the wild on all the systems it's being used on.

    When you show me the OS that has a patch for idiot, lazy or incompetent operators, I will buy you a beer.

  17. Re:And yet... by houstonbofh · · Score: 3, Interesting

    Forget openwrt... How about all the ISP provided "Firewalls" that are total garbage, have one password, and can not be updated?

  18. Microsoft PR Fail by darkonc · · Score: 3, Interesting
    I don't mind the heads-up about a little-used piece of GNU software (as pointed out, most distros push OpenSSL), but I do mind astro-turfing the Microsoft PR line of "Nobody's responsible if Linux fails!"

    The irony, of course, is that most people haven't read Microsoft's EULA which effectively says 'Not only are we not responsible if Windows fails, but we'll sue you if you try to fix it yourself.'

    This is really gonna bite the hundreds of millions running XP who will be orphaned this year when Microsoft stops supporting it. Not only do they face the prospect, in a matter of weeks, of never again seeing security updates from Microsoft, but it will be illegal to even try to fix future bugs themselves (or hire a third party to do it).

    This last bit is something that Linux users have as a right.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  19. Re:Real question by Wootery · · Score: 4, Informative

    Well, there is this one crazy project.