Security Vulnerability in RSA Signature Verification Affects GnuTLS Library Versions Prior to 1.4.4 |
|
| Category : | Security |
| Release Phase : | Resolved |
| Product : | Solaris 10 Operating System
|
| Bug Id : | 6473089
|
| Date of Resolved Release : | 21-JUN-2007
|
The GnuTLS library version prior to 1.4.4 is impacted by an RSA signature forgery vulnerability. This vulnerability, which affects applications which make use of the GnuTLS library to verify PKCS#1 signatures, allows a malicious user to make an altered PKCS#1 v1.5 signature appear to be correct thus forging the signature.
This issue is described in the following documents:
The issue described in this Sun Alert is specific to the GnuTLS library. Multiple Sun products are affected by this issue. For more details please see Sun Alert 102648 at:
Note: Evolution uses the GnuTLS library and is impacted by this issue.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
x86 Platform
Note 1: Solaris 8 and Solaris 9 are not impacted by this issue.
Note 2: This issue only impacts systems with SUNWgnutls installed. To determine if this package is installed run the following command:
$ pkginfo SUNWgnutls
EVO146 SUNWgnutls GNU Transport Layer Security Library
Note 3: This issue only affects the GnuTLS library versions prior to 1.4.4. To determine the version of the GnuTLS library on the system the following command can be run:
$ pkginfo -l SUNWgnutls | grep VERSION
VERSION: 0.9.5,REV=10.0.3.2004.12.15.17.59
Note 4: The Solaris 10 patches which address this issue do not increment the version of GnuTLS. The version of GnuTLS supplied with the patches will still be reported as 0.9.5.
Symptoms
There are no predictable symptoms that would indicate the described issue has been exploited.
Workaround
There is no workaround for this issue.
Resolution
This issue is addressed in the following releases:
SPARC Platform
x86 Platform
AttachmentsThis solution has no attachment
Sun Contracted Content
Sun Contracted Feature
