Bug 251346 (CVE-2008-5077) - dev-libs/openssl <0.9.8j DSA/ECDSA Incorrect certificate signature verification (CVE-2008-5077)
Summary: dev-libs/openssl <0.9.8j DSA/ECDSA Incorrect certificate signature verificati...
Status: RESOLVED FIXED
Alias: CVE-2008-5077
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://openssl.org/news/secadv_200901...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-17 18:55 UTC by Robert Buchholz (RETIRED)
Modified: 2009-02-19 10:40 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
openssl-0.9.8i-CVE-2008-5077.patch (openssl-0.9.8i-CVE-2008-5077.patch,5.37 KB, patch)
2008-12-17 18:58 UTC, Robert Buchholz (RETIRED)
openssl-0.9.8j.ebuild (openssl-0.9.8j.ebuild,5.98 KB, text/plain)
2009-01-07 18:13 UTC, Tony Vroon (RETIRED)
openssl-0.9.8j-parallel-build.patch (openssl-0.9.8j-parallel-build.patch,812 bytes, patch)
2009-01-07 18:13 UTC, Tony Vroon (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 18:55:48 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

OpenSSL Security Advisory [07-Jan-2009]

Incorrect checks for malformed signatures
-------------------------------------------

Several functions inside OpenSSL incorrectly checked the result after
calling the EVP_VerifyFinal function, allowing a malformed signature
to be treated as a good signature rather than as an error.  This issue
affected the signature checks on DSA and ECDSA keys used with
SSL/TLS.

One way to exploit this flaw would be for a remote attacker who is in
control of a malicious server or who can use a 'man in the middle'
attack to present a malformed SSL/TLS signature from a certificate chain
to a vulnerable client, bypassing validation.

This vulnerability is tracked as CVE-2008-5077.

The OpenSSL security team would like to thank the Google Security Team
for reporting this issue.

Who is affected?
-----------------

Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client
when connecting to a server whose certificate contains a DSA or ECDSA key.

Use of OpenSSL as an SSL/TLS client when connecting to a server whose
certificate uses an RSA key is NOT affected.

Verification of client certificates by OpenSSL servers for any key type
is NOT affected.

Recommendations for users of OpenSSL
------------------------------------

Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release
which contains a patch to correct this issue.

The patch used is also appended to this advisory for users or
distributions who wish to backport this patch to versions they build
from source. Please note: this patch also includes fixes for a
few other cases where return codes are not correctly checked, but
these do not have a security implication.

Recommendations for projects using OpenSSL
------------------------------------------

Projects and products using OpenSSL should audit any use of the
routine EVP_VerifyFinal() to ensure that the return code is being
correctly handled.  As documented, this function returns 1 for a
successful verification, 0 for failure, and -1 for an error.

General recommendations
-----------------------

Any SSL/TLS server with clients that use OpenSSL to verify DSA or ECDSA
certificates, regardless of the software used by the server, should
either ensure that all clients are upgraded or should stop using
DSA/ECDSA certificates. Note that unless certificates are revoked
(and clients check for revocation) impersonation will still be
possible until the certificate expires.
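
The audit recommended in the advisory above, sketched as an added example (not part of the bug report, the advisory or OpenSSL): a heuristic Python scan that flags EVP_VerifyFinal() results tested as a boolean, where the -1 error value reads as success. The sample C lines, the names `audit` and `classify`, and the `__RET__` placeholder are constructed for illustration.

```python
import re

TOKEN = "__RET__"  # placeholder substituted for the call or the variable holding its result
CALL = re.compile(r"EVP_VerifyFinal\s*\([^()]*\)")  # assumes no nested parentheses in the arguments
ASSIGN = re.compile(r"(\w+)\s*=\s*" + TOKEN + r"\s*;")
# Checks that separate 1 (success) from both 0 (failure) and -1 (error).
SAFE = re.compile(TOKEN + r"\s*(<=\s*0|==\s*1|!=\s*1|>\s*0|<\s*1)")
# Boolean-style checks: -1 is non-zero, so it lands on the "verified" side.
UNSAFE = re.compile(r"!\s*" + TOKEN + r"\b|" + TOKEN + r"\s*(==|!=)\s*0|\(\s*" + TOKEN + r"\s*\)")

# Constructed C lines for illustration; not taken from OpenSSL or any real project.
SAMPLE_C = """\
if (!EVP_VerifyFinal(ctx, sig, len, pkey)) goto err;
ret = EVP_VerifyFinal(ctx, sig, len, pkey);
if (ret == 0) goto err;
if (EVP_VerifyFinal(ctx, sig, len, pkey) <= 0) goto err;
rv = EVP_VerifyFinal(ctx, sig, len, pkey);
if (rv != 1) goto err;
if (EVP_VerifyFinal(ctx, sig, len, pkey)) accept();
"""

def classify(expr):
    if SAFE.search(expr):
        return "ok"
    if UNSAFE.search(expr):
        return "unsafe"
    return "review"  # pattern not recognised: needs a human look

def audit(source, lookahead=5):
    """Return (line_number, verdict) for every EVP_VerifyFinal call in C source text."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not CALL.search(line):
            continue
        text = CALL.sub(TOKEN, line)
        stored = ASSIGN.search(text)
        if stored:
            # Result kept in a variable: judge the first later line that uses it.
            var = re.compile(r"\b" + re.escape(stored.group(1)) + r"\b")
            uses = [var.sub(TOKEN, l) for l in lines[i + 1:i + 1 + lookahead] if var.search(l)]
            text = uses[0] if uses else ""
        findings.append((i + 1, classify(text)))
    return findings

if __name__ == "__main__":
    for lineno, verdict in audit(SAMPLE_C):
        print(f"line {lineno}: {verdict}")
```

The scan is line-based and will miss calls split across lines or wrapped in macros; anything it reports as "review" or "unsafe" still needs to be read in context.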
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 18:58:16 UTC
Created attachment 175631 [details, diff]
openssl-0.9.8i-CVE-2008-5077.patch

Please prepare an ebuild applying this patch and attach it to the bug, we'll handle prestable testing here. Do not commit anything to CVS.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-01-07 13:28:41 UTC
This is now public via http://openssl.org/news/secadv_20090107.txt.

Please apply the patch in the tree.
Comment 3 Tony Vroon (RETIRED) gentoo-dev 2009-01-07 18:13:25 UTC
Created attachment 177699 [details]
openssl-0.9.8j.ebuild
Comment 4 Tony Vroon (RETIRED) gentoo-dev 2009-01-07 18:13:59 UTC
Created attachment 177700 [details, diff]
openssl-0.9.8j-parallel-build.patch
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2009-01-07 18:28:55 UTC
(Still broken for parallel building, please wait for an updated ebuild)
Comment 6 Peter Alfredsen (RETIRED) gentoo-dev 2009-01-08 11:46:36 UTC
+*openssl-0.9.8j (08 Jan 2009)
+
+  08 Jan 2009; Peter Alfredsen <loki_val@gentoo.org>
+  +files/openssl-0.9.8j-parallel-build.patch, +openssl-0.9.8j.ebuild:
+  Bump, bug 254183 and CVE-2008-5077, bug 251346. Parallel build fails
+  horribly, forcing -j1. Since we don't install fips, sedded that part out
+  of the root makefile to get around a build failure.
+
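Review bot: the entry adds files/openssl-0.9.8j-parallel-build.patch but also says parallel build fails and -j1 is forced; state what the patch still fixes under -j1, or drop it from the bump. The fips sed on the root makefile also deserves a comment in the ebuild naming the build failure it works around, so the workaround can be removed once it is no longer needed.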
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-01-08 12:45:23 UTC
Arches, please test and mark stable:
=dev-libs/openssl-0.9.8j
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-01-08 15:52:49 UTC
Stable for HPPA.
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-01-08 16:18:09 UTC
ppc and ppc64 done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-01-09 09:50:36 UTC
alpha/sparc/x86 stable, need to look at ia64 test failure...
Comment 11 Markus Meier gentoo-dev 2009-01-10 10:05:12 UTC
amd64 stable
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 17:07:25 UTC
request filed
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 21:09:58 UTC
GLSA 200902-02
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2009-02-19 10:40:37 UTC
arm/m68k/s390/sh were done, and ia64 stable now :)