CVE-2017-5337

Published: 11 January 2017

Multiple heap-based buffer overflows in the read_attribute function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to have unspecified impact via a crafted OpenPGP certificate.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: gnutls26 (Launchpad, Ubuntu, Debian)
  Upstream                            Needs triage
  Ubuntu 18.04 LTS (Bionic Beaver)    Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus)     Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr)      Released (2.12.23-12ubuntu2.6)

Package: gnutls28 (Launchpad, Ubuntu, Debian)
  Upstream                            Needs triage
  Ubuntu 18.04 LTS (Bionic Beaver)    Released (3.5.6-4ubuntu3)
  Ubuntu 16.04 LTS (Xenial Xerus)     Released (3.4.10-4ubuntu1.2)
  Ubuntu 14.04 ESM (Trusty Tahr)      Does not exist (trusty was needed)
Patches:
Upstream: https://gitlab.com/gnutls/gnutls/commit/94fcf1645ea17223237aaf8d19132e004afddc1a
Upstream: https://gitlab.com/gnutls/gnutls/commit/6231a4a087f9fdbd5f5f274e80c7a71e3e45b9c8 (3.3)

Notes

Author: mdeslaur
Note: reproducer https://gitlab.com/gnutls/gnutls/commit/d949c6266ce64f5c2419f8c7cf4a196122fff9d7
https://gitlab.com/gnutls/gnutls/commit/e08b66b7cb4bc3f7ad56d081f0357ec1d39aa4ec

References