Arch Linux Security Advisory ASA-201411-10 ========================================== Severity: Medium Date : 2014-11-12 CVE-ID : CVE-2014-8564 Package : gnutls Type : out-of-bounds memory write Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package gnutls before version 3.3.10-1 is vulnerable to out-of-bounds memory write resulting in denial of service or possibly code execution. Resolution ========== Upgrade to 3.3.10-1. # pacman -Syu "gnutls>=3.3.10-1" The problems have been fixed upstream [0] in version 3.3.10. Workaround ========== None. Description =========== An out-of-bounds memory write flaw was found in the way GnuTLS parsed certain ECC (Elliptic Curve Cryptography) certificates or certificate signing requests (CSR) resulting in heap corruption. Impact ====== A malicious user could create a specially crafted ECC certificate or a certificate signing request that, when processed by an application compiled against GnuTLS (for example, certtool), could cause that application to crash or execute arbitrary code with the permissions of the user running the application. References ========== [0] https://gitorious.org/gnutls/gnutls/commit/e821e19 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8564 http://www.gnutls.org/security.html#GNUTLS-SA-2014-5 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8564