Bug 397695 (CVE-2011-4108) - <dev-libs/openssl-{0.9.8s,1.0.0f}-r1: multiple vulnerabilities (CVE-2011-{4108,4109,4576,4577,4619},CVE-2012-0027)
Status: RESOLVED FIXED
Alias: CVE-2011-4108
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://openssl.org/news/secadv_201201...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2012-01-04 20:20 UTC by Hanno Böck
Modified: 2012-03-06 02:15 UTC
CC: 2 users
See Also:
Package list:
Runtime testing required: ---
Description Hanno Böck gentoo-dev 2012-01-04 20:20:40 UTC
Six issues have been fixed within openssl 1.0.0f and 0.9.8s:
DTLS Plaintext Recovery Attack (CVE-2011-4108)
Double-free in Policy Checks (CVE-2011-4109)
Uninitialized SSL 3.0 Padding (CVE-2011-4576)
Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
SGC Restart DoS Attack (CVE-2011-4619)
Invalid GOST parameters DoS Attack (CVE-2012-0027)
From http://openssl.org/news/secadv_20120104.txt
Comment 1 SpanKY gentoo-dev 2012-01-04 21:44:21 UTC
both versions now in the tree
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-01-04 21:54:07 UTC
Thanks, and apologies for the bugspam.

Arches, please test and mark stable:
=dev-libs/openssl-1.0.0f
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

=dev-libs/openssl-0.9.8s
Target keywords : "amd64 x86"
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-01-05 17:15:36 UTC
Needs
=sys-libs/zlib-1.2.5.1-r2
too.
Comment 4 Michael Harrison 2012-01-05 22:53:40 UTC
amd64 ok
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2012-01-05 23:33:54 UTC
(In reply to comment #3)
> Needs
> =sys-libs/zlib-1.2.5.1-r2
> too.

I doubt everything in ~arch even builds against this version yet, due to the gentoo specific "OF" macro change

Enough to stop any stabilization(s) for now
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-01-06 11:49:02 UTC
CVE-2012-0027 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0027):
  The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid
  parameters for the GOST block cipher, which allows remote attackers to cause
  a denial of service (daemon crash) via crafted data from a TLS client.

CVE-2011-4619 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4619):
  The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s
  and 1.x before 1.0.0f does not properly handle handshake restarts, which
  allows remote attackers to cause a denial of service via unspecified
  vectors.

CVE-2011-4577 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4577):
  OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is
  enabled, allows remote attackers to cause a denial of service (assertion
  failure) via an X.509 certificate containing certificate-extension data
  associated with (1) IP address blocks or (2) Autonomous System (AS)
  identifiers.

CVE-2011-4576 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4576):
  The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f
  does not properly initialize data structures for block cipher padding, which
  might allow remote attackers to obtain sensitive information by decrypting
  the padding data sent by an SSL peer.

CVE-2011-4109 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4109):
  Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when
  X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an
  unspecified impact by triggering failure of a policy check.

CVE-2011-4108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4108):
  The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f
  performs a MAC check only if certain padding is valid, which makes it easier
  for remote attackers to recover plaintext via a padding oracle attack.
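A version check against the affected ranges listed above, added here as an example and not part of this bug or of Gentoo's own tooling: it compares a Gentoo dev-libs/openssl version string with the fixed versions named in the bug title, 0.9.8s-r1 and 1.0.0f-r1, honouring OpenSSL's letter suffix and Gentoo's -rN revision ordering. The FIXED table is constructed from the bug title; branches the bug does not name are reported as not covered.

```python
import re

# Constructed from the bug title "<dev-libs/openssl-{0.9.8s,1.0.0f}-r1":
# anything below these Gentoo package versions on each branch is affected.
FIXED = {"0.9.8": "0.9.8s-r1", "1.0.0": "1.0.0f-r1"}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?")


def parse_version(version):
    """Split '1.0.0f-r1' into (numeric parts, letter suffix, revision).

    The tuple compares correctly under Python's ordering: 0.9.8 < 0.9.8a
    because '' sorts before 'a', and 1.0.0f (revision 0) < 1.0.0f-r1.
    """
    match = _VERSION_RE.fullmatch(version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    letter = match.group(2)
    revision = int(match.group(3) or 0)
    return (numbers, letter, revision)


def is_vulnerable(installed):
    """True if the installed version is below the fix for its branch,
    False if it is at or above the fix, None if the branch is not covered
    by this bug (e.g. 1.0.1, which the bug title does not name)."""
    parsed = parse_version(installed)
    branch = ".".join(str(n) for n in parsed[0][:3])
    fixed = FIXED.get(branch)
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


if __name__ == "__main__":
    for candidate in ("0.9.8r", "0.9.8s", "0.9.8s-r1", "1.0.0f", "1.0.0f-r1", "1.0.0g", "1.0.1"):
        print(f"{candidate:>10}: {is_vulnerable(candidate)}")
```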
Comment 7 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2012-01-08 09:24:44 UTC
amd64: ok
Comment 8 Agostino Sarubbo gentoo-dev 2012-01-09 21:20:03 UTC
(In reply to comment #5)
> I doubt everything in ~arch even builds against this version yet, due to the
> gentoo specific "OF" macro change
> 
> Enough to stop any stabilization(s) for now

Ok, if the stabilization is blocked, no need for arch teams here.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-01-09 21:25:33 UTC
Adding depend on 384483, please correct if there is a more appropriate bug to track. Thanks.

Or, is there a way in which we can fix these security issues with the current stable zlib?
Comment 10 SpanKY gentoo-dev 2012-01-11 00:13:02 UTC
openssl-0.9.8s has never needed =sys-libs/zlib-1.2.5.1-r2

openssl-1.0.0f did need newer zlib, but that's fixed in 1.0.0f-r1.  no reason to not stable things now then.

targets: 0.9.8s-r1 1.0.0f-r1
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-01-11 00:40:57 UTC
(In reply to comment #10)
> openssl-0.9.8s has never needed =sys-libs/zlib-1.2.5.1-r2
> 
> openssl-1.0.0f did need newer zlib, but that's fixed in 1.0.0f-r1.  no reason
> to not stable things now then.
> 
> targets: 0.9.8s-r1 1.0.0f-r1

great, thanks.

Arches, please test and mark stable:
=dev-libs/openssl-1.0.0f-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

=dev-libs/openssl-0.9.8s-r1
Target keywords : "amd64 x86"
Comment 12 Agostino Sarubbo gentoo-dev 2012-01-11 11:28:59 UTC
amd64 stable.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2012-01-11 19:16:32 UTC
Stable for HPPA.
Comment 14 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-01-12 17:32:26 UTC
x86 stable
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2012-01-14 18:26:35 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 16 Mark Loeser (RETIRED) gentoo-dev 2012-01-16 19:55:48 UTC
ppc/ppc64 done
Comment 17 Agostino Sarubbo gentoo-dev 2012-01-16 19:59:13 UTC
Thanks everyone, filed new glsa request.
Comment 18 Gerrit Helm 2012-01-20 16:23:45 UTC
Outdated by Bug #399365
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 02:15:19 UTC
This issue was resolved and addressed in
 GLSA 201203-12 at http://security.gentoo.org/glsa/glsa-201203-12.xml
by GLSA coordinator Sean Amoss (ackle).