
Arch Linux: ASA-201511-12 Medium: OpenSSL Heap Overflow Threat

Arch Linux Security Advisory ASA-201411-10
==========================================
Severity: Medium
Date    : 2014-11-12
CVE-ID  : CVE-2014-8564
Package : gnutls
Type    : out-of-bounds memory write
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
=======
The package gnutls before version 3.3.10-1 is vulnerable to
out-of-bounds memory write resulting in denial of service or possibly
code execution.

Resolution
==========
Upgrade to 3.3.10-1.

# pacman -Syu "gnutls>=3.3.10-1"

The problems have been fixed upstream [0] in version 3.3.10.
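As an added example that is not part of the advisory, the Python below answers the question the Resolution section raises for a fleet: is the installed gnutls still older than 3.3.10-1? On a real host the authoritative tools are `pacman -Q gnutls` and `vercmp`; to stay runnable offline this script re-implements, in simplified form, the version ordering libalpm's `vercmp` uses (epoch first, then pkgver segment by segment, then pkgrel) and feeds it a constructed sample of `pacman -Q` output. The function names (`vercmp`, `is_vulnerable`, `affected`) and the sample lines are assumptions of this example.

```python
"""Decide whether an installed gnutls package is older than the version the
advisory fixes (gnutls >= 3.3.10-1, ASA-201411-10).

Added example, not part of the advisory. The comparison is a simplified
re-implementation of the ordering used by libalpm's vercmp; the pacman -Q
output below is a constructed sample, not output from a real host.
"""
import re

FIXED_VERSION = "3.3.10-1"  # from the advisory's Resolution section

# Constructed sample of `pacman -Q` output (name and version per line).
SAMPLE_PACMAN_Q = """\
gnutls 3.3.9-1
nettle 2.7.1-1
libtasn1 4.2-1
"""


def split_version(version):
    """Split '[epoch:]pkgver[-pkgrel]' into (epoch:int, pkgver:str, pkgrel:str)."""
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    pkgrel = "0"
    if "-" in version:
        version, pkgrel = version.rsplit("-", 1)
    return epoch, version, pkgrel


def segments(text):
    """Break a version string into its numeric and alphabetic runs;
    separators such as '.' and '_' only delimit segments."""
    return re.findall(r"\d+|[A-Za-z]+", text)


def compare_segments(left, right):
    """Compare two segment lists the way rpm/alpm do; return -1, 0 or 1."""
    for seg_l, seg_r in zip(left, right):
        l_num, r_num = seg_l.isdigit(), seg_r.isdigit()
        if l_num and r_num:
            if int(seg_l) != int(seg_r):
                return -1 if int(seg_l) < int(seg_r) else 1
        elif l_num or r_num:
            # Mixed types: the numeric segment counts as the newer one.
            return 1 if l_num else -1
        elif seg_l != seg_r:
            return -1 if seg_l < seg_r else 1
    if len(left) == len(right):
        return 0
    # One side has segments left over. A trailing alphabetic segment
    # ("rc", "beta") marks a pre-release and is older; a trailing numeric
    # segment (3.3.10.1 vs 3.3.10) is newer.
    longer, sign = (left, 1) if len(left) > len(right) else (right, -1)
    extra = longer[min(len(left), len(right))]
    return sign if extra.isdigit() else -sign


def vercmp(left, right):
    """Return -1, 0 or 1 as left is older than, equal to or newer than right."""
    epoch_l, ver_l, rel_l = split_version(left)
    epoch_r, ver_r, rel_r = split_version(right)
    if epoch_l != epoch_r:
        return -1 if epoch_l < epoch_r else 1
    result = compare_segments(segments(ver_l), segments(ver_r))
    if result:
        return result
    return compare_segments(segments(rel_l), segments(rel_r))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is strictly older than the fixed one."""
    return vercmp(installed, fixed) < 0


def affected(pacman_q_lines, package="gnutls", fixed=FIXED_VERSION):
    """Scan `pacman -Q` style lines ('name version') and return the
    (name, version) pairs for `package` that still need the upgrade."""
    hits = []
    for line in pacman_q_lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        name, version = parts
        if name == package and is_vulnerable(version, fixed):
            hits.append((name, version))
    return hits


if __name__ == "__main__":
    for name, version in affected(SAMPLE_PACMAN_Q.splitlines()):
        print(f"{name} {version} is older than {FIXED_VERSION}: upgrade needed")
```

On a real system, replace `SAMPLE_PACMAN_Q` with the actual output of `pacman -Q gnutls`; where pacman is installed, `vercmp 3.3.9-1 3.3.10-1` gives the same ordering directly and should be preferred over this re-implementation for anything that matters.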

Workaround
==========
None.

Description
===========
An out-of-bounds memory write flaw was found in the way GnuTLS parsed
certain ECC (Elliptic Curve Cryptography) certificates or certificate
signing requests (CSRs), resulting in heap corruption.

Impact
======
A malicious user could create a specially crafted ECC certificate or a
certificate signing request that, when processed by an application
compiled against GnuTLS (for example, certtool), could cause that
application to crash or execute arbitrary code with the permissions of
the user running the application.

References
==========
[0] https://www.cve.org/CVERecord?id=CVE-2014-8564
http://www.gnutls.org/security.html#GNUTLS-SA-2014-5
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8564