Bug 983471 (CVE-2016-4456) - VUL-0: CVE-2016-4456: gnutls: environment variable evaluated during setuid root mode
Status: RESOLVED UPSTREAM
Alias: CVE-2016-4456
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Vítězslav Čížek
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/169839/
Reported: 2016-06-07 10:52 UTC by Marcus Meissner
Modified: 2016-06-07 10:52 UTC

Found By: Security Response Team
Description Marcus Meissner 2016-06-07 10:52:11 UTC
CVE-2016-4456


http://gnutls.org/security.html#GNUTLS-SA-2016-1

Setuid programs using GnuTLS 3.4.12 could potentially allow an attacker to overwrite and corrupt arbitrary files in the filesystem. This issue was introduced in GnuTLS 3.4.12 and fixed in GnuTLS 3.4.13. Recommendation: Upgrade to GnuTLS 3.4.13, or later versions.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4456
Comment 1 Marcus Meissner 2016-06-07 10:52:39 UTC
We nowhere have 3.4.12; Factory was 3.4.11 and was updated to 3.4.13.