Linux bug exposes open source to its own 'goto fail'

Bug in widely used open source GnuTLS encryption library can expose encrypted data with specially crafted certificate

The GnuTLS library, used in a great deal of software, including many Linux distributions, has been revealed to have a bug that could allow an attacker to steal data by way of a certificate designed to exploit the bug, Ars Technica has reported.

Officially known as CVE-2014-0092, the bug in question involves GnuTLS's validation of X509 certificates. According to Red Hat, which has since issued a security advisory for all its Red Hat Enterprise Linux customers, "An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker."

In an unpleasant echo of Apple's recent iOS and OS X flaw (dubbed "goto fail" by the IT community), the bug took advantage of certain error handling checks in the code that were terminated too early to be effective. How the error was introduced into the code was not immediately clear.

Red Hat and the maintainers of GnuTLS have urged its users to upgrade to the most recent version of GnuTLS, 3.2.12, by way of an available fix for Red Hat Enterprise Linux. A patch is also available for those using the earlier GnuTLS 2.12.x version.

The range of Linux distributions and Linux-based software that use GnuTLS in some form is quite wide. Debian and Ubuntu also employ it, and other software components of Linux -- such as Ubuntu's apt-get package manager -- rely on it and could be susceptible in their own ways to attacks staged with compromised certificates.

This story, "Linux bug exposes open source to its own 'goto fail'," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Join the discussion
Be the first to comment on this article. Our Commenting Policies