curl-library

Re: CVE-2013-4545 and GnuTLS backend

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 29 Nov 2013 22:44:22 +0100 (CET)

On Fri, 29 Nov 2013, Marc Deslauriers wrote:

> I was just looking at the patch for CVE-2013-4545
> (http://curl.haxx.se/docs/adv_20131115.html), and I believe the GnuTLS
> backend has the same problem.

...

> This either needs to be fixed, or if the backend doesn't support it, the
> curl_easy_setopt documentation needs to be updated.

Right, thanks a lot for your report and I agree with your analysis. This needs
to be fixed, as the backend clearly supports it. Grrrr.

This bug was independently introduced for the GnuTLS backend with commit
59cf93cc in 7.21.4 and still exists. Clearly a case of sloppy code review on
my part! ;-(

This simple fix should be enough:

--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -635,7 +635,6 @@ gtls_connect_step3(struct connectdata *conn,
    }
    else {
      infof(data, "\t server certificate verification SKIPPED\n");
- goto after_server_cert_verification;
    }

    /* initialize an X.509 certificate structure. */
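Review bot: with the "goto after_server_cert_verification;" dropped from the else branch, the "server certificate verification SKIPPED" path now falls through into the X.509 certificate initialization and everything else up to the old label near line 766, none of which is visible in this hunk. Please confirm that each check in that span is gated on its own option, so that a transfer with peer verification turned off only fails on checks the application still asked for, and consider a short comment next to the infof() call saying that the remaining certificate checks are intentionally still run after this message.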
@@ -766,8 +765,6 @@ gtls_connect_step3(struct connectdata *conn,

    gnutls_x509_crt_deinit(x509_cert);

-after_server_cert_verification:
-
    /* compression algorithm (if any) */
    ptr = gnutls_compression_get_name(gnutls_compression_get(session));
    /* the *_get_name() says "NULL" if GNUTLS_COMP_NULL is returned */
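Review bot: the "after_server_cert_verification:" label is removed just before the compression lookup, so the patch only builds if the goto taken out in the first hunk was the last jump to it; worth a grep of gtls_connect_step3() for any other "goto after_server_cert_verification" before this lands. It also means gnutls_x509_crt_deinit(x509_cert) is now reached on the path that used to jump past it, which is correct only because that path now runs the certificate initialization too; a regression test that exercises the "verification SKIPPED" branch would keep the two ends of this change from drifting apart again.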

I clearly need to produce an independent patch and update the advisory.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2013-11-29