[arch-security] [Arch Linux Security Advisory ASA-201411-10] gnutls: out-of-bounds memory write
anthraxx at archlinux.org
Wed Nov 12 23:45:10 UTC 2014
Arch Linux Security Advisory ASA-201411-10
Date : 2014-11-12
CVE-ID : CVE-2014-8564
Package : gnutls
Type : out-of-bounds memory write
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
The package gnutls before version 3.3.10-1 is vulnerable to
out-of-bounds memory write resulting in denial of service or possibly
Upgrade to 3.3.10-1.
# pacman -Syu "gnutls>=3.3.10-1"
The problems have been fixed upstream in version 3.3.10.
An out-of-bounds memory write flaw was found in the way GnuTLS parsed
certain ECC (Elliptic Curve Cryptography) certificates or certificate
signing requests (CSR) resulting in heap corruption.
A malicious user could create a specially crafted ECC certificate or a
certificate signing request that, when processed by an application
compiled against GnuTLS (for example, certtool), could cause that
application to crash or execute arbitrary code with the permissions of
the user running the application.
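A check for the fixed release named above, as an added example that is not part of the original advisory: it reads `pacman -Q`-style lines and flags any gnutls entry older than 3.3.10-1. The function names `ver_lt` and `audit_gnutls` and the sample input are constructed for illustration, and the `sort -V` fallback assumes plain pkgver-pkgrel strings with no epoch.

```shell
#!/bin/sh
# Added example: flag gnutls packages older than the fixed release named
# in ASA-201411-10. Function names and sample data are constructed here.
FIXED="3.3.10-1"

# ver_lt A B: succeed when version A is strictly older than B.
# Uses pacman's vercmp when present; otherwise falls back to
# `sort -V`, an approximation that is adequate for plain pkgver-pkgrel
# strings without an epoch (assumption).
ver_lt() {
    if [ "$1" = "$2" ]; then
        return 1
    fi
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -lt 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# audit_gnutls: read `pacman -Q`-style "name version" lines on stdin,
# print a verdict for each gnutls entry, return 1 if any is vulnerable.
audit_gnutls() {
    rc=0
    while read -r name ver; do
        [ "$name" = "gnutls" ] || continue
        if ver_lt "$ver" "$FIXED"; then
            echo "VULNERABLE gnutls $ver (need >= $FIXED)"
            rc=1
        else
            echo "ok gnutls $ver"
        fi
    done
    return "$rc"
}

# Constructed sample input (not real host data).
printf '%s\n' 'glibc 2.20-2' 'gnutls 3.3.9-1' 'gnutls 3.3.10-1' \
    | audit_gnutls || true
```

On an Arch host, `pacman -Q gnutls | audit_gnutls` applies the same check to the installed package.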