CVE-2008-1950

Upstream information

CVE-2008-1950 at MITRE

Description

Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length, aka GNUTLS-SA-2008-1-3.

---

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores

	National Vulnerability Database
Base Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector	Network
Access Complexity	Low
Authentication	None
Confidentiality Impact	None
Integrity Impact	None
Availability Impact	Partial

SUSE Bugzilla entries: 392947 [RESOLVED / FIXED], 670152 [RESOLVED / DUPLICATE]

SUSE Security Advisories:

• SUSE-SA:2008:046, published Wed, 17 Sep 2008 14:00:00 +0000

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Linux Enterprise Server 11 SP1	gnutls >= 2.4.1-24.19.1 libgnutls26 >= 2.4.1-24.19.1 libgnutls26-32bit >= 2.4.1-24.19.1 libgnutls26-x86 >= 2.4.1-24.19.1
SUSE Linux Enterprise Server 11 SP2	gnutls >= 2.4.1-24.39.33.1 libgnutls26 >= 2.4.1-24.39.33.1 libgnutls26-32bit >= 2.4.1-24.39.33.1 libgnutls26-x86 >= 2.4.1-24.39.33.1
SUSE Linux Enterprise Server 11 SP3	gnutls >= 2.4.1-24.39.45.1 libgnutls-extra26 >= 2.4.1-24.39.45.1 libgnutls26 >= 2.4.1-24.39.45.1 libgnutls26-32bit >= 2.4.1-24.39.45.1 libgnutls26-x86 >= 2.4.1-24.39.45.1
SUSE Linux Enterprise Server 11 SP4	gnutls >= 2.4.1-24.39.55.1 libgnutls-extra26 >= 2.4.1-24.39.55.1 libgnutls26 >= 2.4.1-24.39.55.1 libgnutls26-32bit >= 2.4.1-24.39.55.1 libgnutls26-x86 >= 2.4.1-24.39.55.1
SUSE Linux Enterprise Software Development Kit 11 SP4	libgnutls-devel >= 2.4.1-24.39.55.1 libgnutls-extra-devel >= 2.4.1-24.39.55.1 libgnutls-extra26 >= 2.4.1-24.39.55.1