Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 567476 (CVE-2015-1794) - <dev-libs/openssl-{0.9.8z_p8,1.0.2e}: Multiple vulnerabilities (CVE-2015-{1794,3193,3194,3195,3196})
Summary: <dev-libs/openssl-{0.9.8z_p8,1.0.2e}: Multiple vulnerabilities (CVE-2015-{179...
Status: RESOLVED FIXED
Alias: CVE-2015-1794
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://mta.openssl.org/pipermail/ope...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-03 16:19 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-06-20 09:07 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-12-03 16:19:47 UTC
OpenSSL Security Advisory [3 Dec 2015]
=======================================

NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE
0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS
PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.

BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
==================================================================

Severity: Moderate

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2e

This issue was reported to OpenSSL on August 13 2015 by Hanno
Böck. The fix was developed by Andy Polyakov of the OpenSSL
development team.

Certificate verify crash with missing PSS parameter (CVE-2015-3194)
===================================================================

Severity: Moderate

The signature verification routines will crash with a NULL pointer dereference
if presented with an ASN.1 signature using the RSA PSS algorithm and absent
mask generation function parameter. Since these routines are used to verify
certificate signature algorithms this can be used to crash any certificate
verification operation and exploited in a DoS attack. Any application which
performs certificate verification is vulnerable including OpenSSL clients and
servers which enable client authentication.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q

This issue was reported to OpenSSL on August 27 2015 by Loïc Jonas Etienne
(Qnective AG). The fix was developed by Dr. Stephen Henson of the OpenSSL
development team.

X509_ATTRIBUTE memory leak (CVE-2015-3195)
==========================================

Severity: Moderate

When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
memory. This structure is used by the PKCS#7 and CMS routines so any
application which reads PKCS#7 or CMS data from untrusted sources is affected.
SSL/TLS is not affected.

This issue affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
OpenSSL 1.0.0 users should upgrade to 1.0.0t
OpenSSL 0.9.8 users should upgrade to 0.9.8zh

This issue was reported to OpenSSL on November 9 2015 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr. Stephen
Henson of the OpenSSL development team.

Race condition handling PSK identify hint (CVE-2015-3196)
=========================================================

Severity: Low

If PSK identity hints are received by a multi-threaded client then
the values are wrongly updated in the parent SSL_CTX structure. This can
result in a race condition potentially leading to a double free of the
identify hint data.

This issue was fixed in OpenSSL 1.0.2d and 1.0.1p but has not been previously
listed in an OpenSSL security advisory. This issue also affects OpenSSL 1.0.0
and has not been previously fixed in an OpenSSL 1.0.0 release.

OpenSSL 1.0.2 users should upgrade to 1.0.2d
OpenSSL 1.0.1 users should upgrade to 1.0.1p
OpenSSL 1.0.0 users should upgrade to 1.0.0t

The fix for this issue can be identified in the OpenSSL git repository by commit
ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and 1392c238657e (1.0.0).

The fix was developed by Dr. Stephen Henson of the OpenSSL development team.

Note
====

As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
versions will be provided after that date. In the absence of significant
security issues being identified prior to that date, the 1.0.0t and 0.9.8zh
releases will be the last for those versions. Users of these versions are
advised to upgrade.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-12-03 16:30:50 UTC
Working on the bumps...
Comment 2 SpanKY gentoo-dev 2015-12-03 17:10:53 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #1)

there wasn't a bug when i started ;)

http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3db5c05c662167d9b25fb6d7404663a9a5138fe7
Comment 3 SpanKY gentoo-dev 2015-12-03 17:11:34 UTC
we aren't bothering with 1.0.[01] anymore since 1.0.2 covers the same ABI and is already in stable
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-12-03 19:02:10 UTC
Please be aware that upstream is acting like a fool and replaced the release files in-place c.f. https://mta.openssl.org/pipermail/openssl-announce/2015-December/000051.html.
Comment 5 SpanKY gentoo-dev 2015-12-03 19:58:33 UTC
(In reply to Kristian Fiskerstrand from comment #4)

i've uploaded the new ones to dev for pushing to the mirrors

updated the main tree now too:
http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88560c8e2a93aad3fa621c286e4adf651b119870
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-12-04 09:18:56 UTC
(In reply to SpanKY from comment #5)
> (In reply to Kristian Fiskerstrand from comment #4)
> 
> i've uploaded the new ones to dev for pushing to the mirrors
> 

Thanks. Has this been tested sufficiently to stabilize it? I haven't encountered any issues on my own systems at least*

* as long as the fresh dep on =app-misc/c_reshash-1.7-r1 is installed simultaneously anyways, so this will have to be stabilized along with it.
Comment 7 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-12-04 14:48:13 UTC
OpenSSL Security Advisory [3 Dec 2015] - Updated [4 Dec 2015]
=============================================================

[Updated 4 Dec 2015]: This advisory has been updated to include the details of
CVE-2015-1794, a Low severity issue affecting OpenSSL 1.0.2 which had a fix
included in the released packages but was missed from the advisory text.

Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)
============================================================

Severity: Low

If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with
the value of p set to 0 then a seg fault can occur leading to a possible denial
of service attack.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2e

This issue was reported to OpenSSL on August 3 2015 by Guy Leaver (Cisco). The
fix was developed by Matt Caswell of the OpenSSL development team.
Comment 8 SpanKY gentoo-dev 2015-12-04 22:13:23 UTC
(In reply to Kristian Fiskerstrand from comment #6)

should be fine to stabilize it all.  the diff between the two vers doesn't look that scary.
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-12-05 13:21:33 UTC
(In reply to SpanKY from comment #8)
> (In reply to Kristian Fiskerstrand from comment #6)
> 
> should be fine to stabilize it all.  the diff between the two vers doesn't
> look that scary.

Arches, please stabilize
=app-misc/c_rehash-1.7-r1
=dev-libs/openssl-1.0.2e
Stable targets: alpha amd64 arm hppa ia64 ppc64 ppc sparc x86
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2015-12-05 20:40:36 UTC
Stable for HPPA PPC64.
Comment 11 Matt Turner gentoo-dev 2015-12-06 22:11:15 UTC
(In reply to Kristian Fiskerstrand from comment #9)
> (In reply to SpanKY from comment #8)
> > (In reply to Kristian Fiskerstrand from comment #6)
> > 
> > should be fine to stabilize it all.  the diff between the two vers doesn't
> > look that scary.
> 
> Arches, please stabilize
> =app-misc/c_rehash-1.7-r1
> =dev-libs/openssl-1.0.2e
> Stable targets: alpha amd64 arm hppa ia64 ppc64 ppc sparc x86

The bug title implies we should be stabilizing =dev-libs/openssl-0.9.8z as well. Should we?
Comment 12 Matt Turner gentoo-dev 2015-12-06 23:04:20 UTC
alpha stable (please re-Cc if we need to stabilize =dev-libs/openssl-0.9.8z_p8)
Comment 13 Agostino Sarubbo gentoo-dev 2015-12-07 08:55:31 UTC
(In reply to Matt Turner from comment #11)
> The bug title implies we should be stabilizing =dev-libs/openssl-0.9.8z as
> well. Should we?

CVE-2015-3195 reports 0.9.8 as affected, so yes.
Comment 14 Agostino Sarubbo gentoo-dev 2015-12-07 10:03:55 UTC
amd64 stable
Comment 15 SpanKY gentoo-dev 2015-12-07 18:55:04 UTC
(In reply to Agostino Sarubbo from comment #13)

we can probably drop stable from 0.9.8 and see if anyone cares
Comment 16 Markus Meier gentoo-dev 2015-12-09 05:48:44 UTC
arm stable
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-12-11 11:01:56 UTC
ia64 stable
Comment 18 SpanKY gentoo-dev 2015-12-13 01:37:03 UTC
arm64/m68k/s390/sh/sparc/x86 stable
Comment 19 Agostino Sarubbo gentoo-dev 2015-12-26 12:04:27 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 20 Agostino Sarubbo gentoo-dev 2015-12-26 12:17:12 UTC
(In reply to SpanKY from comment #15)
> (In reply to Agostino Sarubbo from comment #13)
> 
> we can probably drop stable from 0.9.8 and see if anyone cares

for now, from my searches, I guess you can drop the old version and keep the latest version stable only for amd64/x86.
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 01:11:16 UTC
Can we please Mask 0.9.8z_p7 since it will pull in vulnerable version for everything but amd64/x86?
Comment 22 Aaron Bauman (RETIRED) gentoo-dev 2016-02-15 08:28:05 UTC
Adding additional CVE. This will assist when determining what versions to cleanup

CVE-2015-3197:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3197

ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.
Comment 23 Aaron Bauman (RETIRED) gentoo-dev 2016-02-15 08:34:50 UTC
Thankfully the versions are lining up but here is another CVE:

CVE-2016-0701:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0701

The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.
Comment 24 Tobias Heinlein (RETIRED) gentoo-dev 2016-02-26 15:15:08 UTC
(In reply to Aaron Bauman from comment #23)
> Thankfully the versions are lining up but here is another CVE:
> 
> CVE-2016-0701:
> [..]

Thanks for the effort, but CVE-2015-3197 and CVE-2016-0701 were handled in bug 572854. Unfortunately, we missed the bug at hand when we released GLSA 201601-05. I suppose in order to avoid confusing people, we can just retroactively add this bug to GLSA 201601-05.
Comment 25 Tobias Heinlein (RETIRED) gentoo-dev 2016-02-26 15:32:47 UTC
I have added the CVEs to GLSA 201601-05 now. The 1.0.1 and 1.0.2 versions already superseded the ones here, so I only added the unaffected versions for 0.9.8.

Only cleanup remaining.
Comment 26 Doug Goldstein (RETIRED) gentoo-dev 2016-02-26 22:39:37 UTC
So based on this we need to remove:
- 0.9.8z_p7
- 1.0.1p
- 1.0.1r
- 1.0.2e

I'll do 1.0.1p, 1.0.1r and 1.0.2e as one commit and then 0.9.8z_p7 as another commit in case we need to bring it back though we'd probably just say stabilize 0.9.8z_p8 instead.
Comment 27 Doug Goldstein (RETIRED) gentoo-dev 2016-02-26 22:47:37 UTC
Thanks for the report. re: http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e47b9611f34d6141b0e389e94e0b84135afa25ba
Comment 28 Doug Goldstein (RETIRED) gentoo-dev 2016-02-26 22:50:43 UTC
Thanks for the report. re: http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47f53172d2f6e2beaddb1c072d62e51de3884111
Comment 29 Aaron Bauman (RETIRED) gentoo-dev 2016-06-20 09:07:41 UTC
Cleanup complete and bug was added to previous GLSA per previous comments.

This issue was resolved and addressed in
 GLSA 201601-05 at https://security.gentoo.org/glsa/201601-05
by GLSA coordinator Tobias Heinlein (keytoaster).