[ PRIVACY Forum ] Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Oh hell.

Is this the *same* bug that just broke in Apple code last week?

Cheers,
-- jra

> Oh hell.
>
> Is this the *same* bug that just broke in Apple code last week?

I'd be surprised if Apple used GnuTLS, on licencing grounds...

> widely used cryptographic code library. The bug in the GnuTLS library

On the other hand, the DSA does sound *awfully* familiar:

    [SECURITY] [DSA 2869-1] gnutls26 security update

Looking at the patch included in the sid version referenced in that DSA
(also available at
https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150ccbdf0aec1878a41c17c41d358a3b),
the general class of logic error involved is somewhat similar to the Apple
case. Thankfully, we can see the full revision history of GnuTLS, and it
looks like Nikos both fixed the bug *and* introduced it (at least, the 'goto
cleanup' tests were introduced in 0fba2d90, way back in October 2003 -- it
may have been safe then and someone else mucked up the cleanup code to break
it; I haven't looked that deeply).

Fun times indeed. "Once is happenstance, twice is coincidence..."

- Matt

Where can you see that "the 'goto cleanup' tests were introduced in 0fba2d90, way back in October 2003"?

*María García*

No, the Apple bug was the existence of an /extra/ "goto fail;".

The GnuTLS bug was that it was /missing/ a "goto fail;".

I'm figuring the same developer worked on both, and just put the line in the wrong repository. :slight_smile:

And yes, while this is a joke, Apple fixed their bug by removing a "goto fail;", and GnuTLS fixed theirs by adding a "goto fail;". I can't make up something that funny.

https://www.imperialviolet.org/2014/02/22/applebug.html
http://blog.existentialize.com/the-story-of-the-gnutls-bug.html
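
A simplified C illustration of the two error classes contrasted in the post above, added here and not code from Apple, GnuTLS or any poster. The function names and the `step` helper are hypothetical, and the "missing goto fail" half assumes a check whose callers treat any nonzero return as true.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a real check: 0 = ok, negative = error. */
static int step(bool ok) { return ok ? 0 : -1; }

/* Extra "goto fail": the second goto is unconditional, so the signature
 * check never runs and err is still 0. Returns 0 for "verified". */
int verify_extra_goto(bool hash_ok, bool sig_ok) {
    int err;
    if ((err = step(hash_ok)) != 0)
        goto fail;
    goto fail; /* duplicated line, outside the if */
    if ((err = step(sig_ok)) != 0)
        goto fail;
fail:
    return err;
}

/* Missing "goto fail": contract is 1 = trusted, 0 = not trusted, but the
 * error path returns the negative code, which is nonzero, i.e. "true". */
int trusted_missing_fail(bool parse_ok, bool issuer_ok) {
    int result;
    if ((result = step(parse_ok)) < 0)
        goto cleanup;
    result = issuer_ok ? 1 : 0;
cleanup:
    return result;
}

/* Corrected form: every error is forced to 0 before cleanup. */
int trusted_fixed(bool parse_ok, bool issuer_ok) {
    int result;
    if ((result = step(parse_ok)) < 0)
        goto fail;
    result = issuer_ok ? 1 : 0;
    goto cleanup;
fail:
    result = 0;
cleanup:
    return result;
}

int main(void) {
    printf("extra goto, bad signature: err=%d\n", verify_extra_goto(true, false));
    printf("missing fail, parse error: trusted=%d\n", trusted_missing_fail(false, false) != 0);
    printf("fixed, parse error: trusted=%d\n", trusted_fixed(false, false) != 0);
    return 0;
}
```

Both flawed functions fail open: an input that should be rejected comes back looking like success, which is why tests for such code need negative cases as well as valid ones.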

Those who speculate that these bugs happened at the behest of the NSA
would probably agree with you.

Cheers,
-- jra

Doing some serious adjusting of my tinfoil today over his :slight_smile:

-jim

Been spending most of the day scrubbing away that vuln in my facility
here.... now here's the fun part: imagine just how many embedded devices
(most of which get orphaned from a software maintenance perspective the
moment they hit the store shelves) are gonna have this flaw. There's been
the discussion of crappy home broadband CPE...

Only a matter of time before someone fakes the certificate and breaks a
"trusted" software update method, or heck... a dns exploit + fake
certificate = several million compromised payment card terminals.

And for the few who don't recall the last stanza -- and this is looking
less and less by the month like it requires an aluminium foil fedora to
buy as a justification:

"Three times is enemy action."

Cheers,
-- jra

In the git repo I linked to in my previous e-mail.

- Matt

I can't see the date... :confused: