Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 270305 (CVE-2009-1377) - <dev-libs/openssl-0.9.8l DTLS Denial of Service (CVE-2009-{1377,1378,1379,1387})
Summary: <dev-libs/openssl-0.9.8l DTLS Denial of Service (CVE-2009-{1377,1378,1379,1387})
Status: RESOLVED FIXED
Alias: CVE-2009-1377
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on: 292022
Blocks:
  Show dependency tree
 
Reported: 2009-05-18 14:53 UTC by Robert Buchholz (RETIRED)
Modified: 2009-12-01 21:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
openssl-0.9.8-CVE-2009-1377.patch (openssl-0.9.8-CVE-2009-1377.patch,1.53 KB, patch)
2009-05-18 14:54 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
openssl-0.9.8-CVE-2009-1378.patch (openssl-0.9.8-CVE-2009-1378.patch,894 bytes, patch)
2009-05-18 14:54 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
openssl-0.9.8-CVE-2009-1379.patch (openssl-0.9.8-CVE-2009-1379.patch,662 bytes, patch)
2009-05-24 16:59 UTC, Alex Legler (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 14:53:24 UTC
Two vulnerabilities have been reported in OpenSSL 0.9.8 and later that can lead to a Denial of Service in DTLS-enabled daemons:

CVE-2009-1377 epoch record buffer memory DoS

        http://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest
        http://marc.info/?l=openssl-dev&m=124247675613888&w=2
        http://cvs.openssl.org/chngview?cn=18187

CVE-2009-1378 DTLS fragment handling memory DoS

        http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
        http://marc.info/?t=124250665500033&r=1&w=2
        http://cvs.openssl.org/chngview?cn=18188
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 14:54:01 UTC
Created attachment 191674 [details, diff]
openssl-0.9.8-CVE-2009-1377.patch

openssl-0.9.8-CVE-2009-1377.patch as applied in CVS.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 14:54:42 UTC
Created attachment 191677 [details, diff]
openssl-0.9.8-CVE-2009-1378.patch

openssl-0.9.8-CVE-2009-1378.patch backport as proposed in the bug report.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-19 21:26:32 UTC
CVE-2009-1377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1377):
  The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k
  and earlier 0.9.8 versions allows remote attackers to cause a denial
  of service (memory consumption) via a large series of "future epoch"
  DTLS records that are buffered in a queue, aka "DTLS record buffer
  limitation bug."

CVE-2009-1378 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1378):
  Multiple memory leaks in the dtls1_process_out_of_seq_message
  function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8
  versions allow remote attackers to cause a denial of service (memory
  consumption) via DTLS records that (1) are duplicates or (2) have
  sequence numbers much greater than current sequence numbers, aka
  "DTLS fragment handling memory leak."

Comment 5 Hanno Böck gentoo-dev 2009-05-20 09:10:38 UTC
CVE-2009-1379:
Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-24 16:59:07 UTC
Created attachment 192323 [details, diff]
openssl-0.9.8-CVE-2009-1379.patch

Patch for CVE-2009-1379 as applied to CVS.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 21:42:18 UTC
CVE-2009-1387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1387):
  The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
  OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
  of service (NULL pointer dereference and daemon crash) via an
  out-of-sequence DTLS handshake message, related to a "fragment bug."

Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 21:42:43 UTC
Patch at: http://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest
Comment 9 SpanKY gentoo-dev 2009-11-05 20:07:00 UTC
ive added 0.9.8l with the patches for 137{7,8,9}, and 1387 seems to already be included
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-05 22:31:18 UTC
Stabilization via bug 292022.
Comment 11 SpanKY gentoo-dev 2009-11-21 03:09:47 UTC
CVE-2009-1387 wasnt in the 0.9.8l release, so i added it to 0.9.8l-r1
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-01 21:34:36 UTC
GLSA 200912-01