Quoting Secunia: (upstream advisory is more verbose) 1) An error exists in the "ASN1_STRING_print_ex()" function when printing "BMPString" or "UniversalString" strings. This can be exploited to trigger an access to invalid memory and cause a crash via an illegal encoded string length when e.g. printing the contents of a certificate. 2) The "CMS_verify()" function incorrectly handles an error condition when processing malformed signed attributes. This can be exploited to trick an application into considering a malformed set of signed attributes valid and skip further checks. NOTE: This vulnerability only affects OpenSSL versions 0.9.8h and later with CMS enabled (disabled by default). Successful exploitation requires access to a previously generated invalid signature. 3) An error when processing malformed ASN1 structures can be exploited to trigger an access to invalid memory and cause a crash via a specially crafted certificate. NOTE: This vulnerability is only present on platforms where the size of "long" is smaller than the size of "void *" (e.g. WIN64).
0.9.8k now in the tree
Arches, please test and mark stable: =dev-libs/openssl-0.9.8k Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
amd64 stable note: repoman errors on all versions of this package: dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 129) dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 130) dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 134) dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 138)
(In reply to comment #3) > amd64 stable > > note: repoman errors on all versions of this package: > dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug > (ebuild calls emake -j1 on line: 129) > dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug > (ebuild calls emake -j1 on line: 130) > dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug > (ebuild calls emake -j1 on line: 134) > dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug > (ebuild calls emake -j1 on line: 138) > I'll bite. Does that translate into: "Forcing 'emake -j1' because Upstream says parallel compilation fails" which is how I read it?
Sparc stable. All tests run as they should.
ppc and ppc64 done
Stable for HPPA.
CVE-2009-0590 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0590): The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length. CVE-2009-0591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0591): The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid. CVE-2009-0789 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0789): OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key.
x86 stable
alpha/arm/ia64/m68k/s390/sh stable
CVE-2009-0789 does not affect Gentoo.
CVE-2009-0591 does also not affect us, as we give the user no way to enable CMS.
GLSA 200904-08
