FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

GnuTLS -- double free, invalid pointer access

Affected packages
		gnutls	<	3.6.7

Details

VuXML ID	fb30db8f-62af-11e9-b0de-001cc0382b2f
Discovery	2019-03-27
Entry	2019-04-19

The GnuTLS project reports:

Tavis Ormandy from Google Project Zero found a memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.

It was found using the TLS fuzzer tools that decoding a malformed TLS1.3 asynchronous message can cause a server crash via an invalid pointer access. The issue affects GnuTLS server applications since 3.6.4.

[source]

References

CVE Name	CVE-2019-3829
CVE Name	CVE-2019-3836
URL	https://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27