Slashdot Mirror

← Back to Stories (view on slashdot.org)

GnuTLS Flaw Leaves Many Linux Users Open To Attacks

Posted by Soulskill on from the with-many-eyes-all-maintainers-are-grumpy dept.

A new flaw has been discovered in the GnuTLS cryptographic library that ships with several popular Linux distributions and hundreds of software implementations. According to the bug report, "A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code." A patch is currently available, but it will take time for all of the software maintainers to implement it. A lengthy technical analysis is available. "There don't appear to be any obvious signs that an attack is under way, making it possible to exploit the vulnerability in surreptitious "drive-by" attacks. There are no reports that the vulnerability is actively being exploited in the wild."

5 of 127 comments (clear)

  1. Basic programming principles what? by maugle · · Score: 5, Insightful

    I don't understand what the programmers of all these crypto libraries were thinking here. Even for the most basic and unimportant program, the rule is "if the data comes from outside, verify!" This is vastly more important when cryptography is involved, so why is it that all these crypto libraries seem to blindly trust whatever the Internet is sending them?!

    1. Re:Basic programming principles what? by QuietLagoon · · Score: 4, Insightful

      I don't understand what the programmers of all these crypto libraries were thinking here. Even for the most basic and unimportant program, the rule is "if the data comes from outside, verify!" This is vastly more important when cryptography is involved, so why is it that all these crypto libraries seem to blindly trust whatever the Internet is sending them?!

      From what I read of the OpenSSL source code, it would be an insult to programmers everywhere to call the people who barfed up the OpenSSL code "programmers".

  2. announcing goatsecret by larry+bagina · · Score: 4, Funny

    There have been too many problems with existing crypto code so I've developed something better: goatsecret. Instead of relying on math, it relies on a frenchman's gaping asshole. Basically, the software breaks your message/file/whatever into small chunks and superimposes the data in the goatsecret image. Sure, it's not encrypted, but who is going to stare into the void just to get your data? No hacker/cracker/big business/three-letter-agency is that desperate.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  3. Re:Who uses GnuTLS? by Anonymous Coward · · Score: 4, Informative

    "apt-cache showpkg libgnutls26" says that mutt, claws-mail, empathy, emacs, telepathy, wine, and some qemu stuff uses it.

    So it is not completely unused.

  4. Re:"malicious server" by kthreadd · · Score: 4, Insightful

    Wget can be built for either OpenSSL or GnuTLS.