[v3.0] gnutls: use-after-free flaw (CVE-2015-3308)
A use-after-free flaw was found in the way GnuTLS parsed CRL distribution points. A specially crafted certificate could cause an application using GnuTLS to crash.
The affected function, gnutls_x509_ext_import_crl_dist_points(), was introduced in GnuTLS version 3.3.0. Fixed in 3.3.14.
References:
http://seclists.org/oss-sec/2015/q2/174
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1212459
CONFIRM: https://gitlab.com/gnutls/gnutls/commit/d6972be33264ecc49a86cd0958209cd7363af1e9
CONFIRM: https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02
(from redmine: issue id 4200, created on 2015-05-18, closed on 2015-05-22)
- Relations:
  - parent #4199 (closed)
- Changesets:
  - Revision b4c84da4 by Natanael Copa on 2015-05-19T14:53:45Z:
    main/gnutls: security upgrade to 3.3.14 (CVE-2015-3308)
    fixes #4200