CVE-2008-1950 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2008-1950

CVE-2008-1950

May 21, 2008

Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length, aka GNUTLS-SA-2008-1-3.

Related Resources (40)

http://www.ubuntu.com/usn/usn-613-1

http://www.openwall.com/lists/oss-security/2008/05/20/2

http://www.securitytracker.com/id?1020059

http://www.openwall.com/lists/oss-security/2008/05/20/1

http://www.cert.fi/haavoittuvuudet/advisory-gnutls.html

http://secunia.com/advisories/30330

http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0174

https://issues.rpath.com/browse/RPL-2552

http://www.mandriva.com/security/advisories?name=MDVSA-2008:106

http://www.redhat.com/support/errata/RHSA-2008-0492.html

https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00615.html

http://sourceforge.net/project/shownotes.php?release_id=600646&group_id=21558

http://secunia.com/advisories/30355

http://securityreason.com/securityalert/3902

http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00003.html

https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00590.html

http://secunia.com/advisories/30287

http://www.securityfocus.com/bid/29292

http://secunia.com/advisories/30317

http://lists.gnu.org/archive/html/gnutls-devel/2008-05/msg00060.html

https://exchange.xforce.ibmcloud.com/vulnerabilities/42533

http://lists.gnu.org/archive/html/gnutls-devel/2008-05/msg00055.html

http://www.redhat.com/support/errata/RHSA-2008-0489.html

http://security.gentoo.org/glsa/glsa-200805-20.xml

https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00487.html

http://lists.gnu.org/archive/html/gnutls-devel/2008-05/msg00051.html

http://www.securityfocus.com/archive/1/492282/100/0/threaded

http://www.vupen.com/english/advisories/2008/1583/references

http://secunia.com/advisories/30331

http://secunia.com/advisories/30302

http://www.vupen.com/english/advisories/2008/1582/references

http://git.savannah.gnu.org/gitweb/?p=gnutls.git%3Ba=commitdiff%3Bh=bc8102405fda11ea00ca3b42acc4f4bce9d6e97b

http://secunia.com/advisories/30338

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11393

http://www.securityfocus.com/archive/1/492464/100/0/threaded

http://www.openwall.com/lists/oss-security/2008/05/20/3

http://www.kb.cert.org/vuls/id/659209

http://secunia.com/advisories/31939

http://secunia.com/advisories/30324

http://www.debian.org/security/2008/dsa-1581

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

NONE

Vulnerable System Availability

LOW

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

CVSS v2

Base Score:

5

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

EPSS

Base Score:

8.24