
Bug 148654

Summary: dev-libs/openssl Public keys DoS (CVE-2006-2940)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: dberkholz, sgtphou
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3? []
Package list:
Runtime testing required: ---
Bug Depends on: 145510
Bug Blocks:
Attachments (Description / Flags):
openssl-Bodo-CVE-2006-2940.patch / none
openssl-CVE-2006-2937.patch / none
openssl-CVE-2006-3738.patch / none
openssl-CVE-2006-4343.patch / none

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-22 08:11:20 UTC
This issue was previously communicated to you via NISCC as "parasitic
public keys" but without a patch.  Bodo and Steven have worked on a patch,
but it needs vendor testing.  Patch is attached and under embargo.

        Dr S N Henson of the OpenSSL core team and Open Network Security
        recently developed an ASN1 test suite for NISCC
        (www.niscc.gov.uk). When the test suite was run against OpenSSL a
        DoS was discovered.

        Certain types of public key can take disproportionate amounts of
        time to process. This could be used by an attacker in a denial of
        service attack. CVE-2006-2940

Now to correct this we put in place various limits, similar to what other
crypto libraries (such as NSS) do.

This patch is against 0.9.8.  Bodo said "Note that the ECC-related changes
can be omitted for 0.9.7, since the 0.9.7 branch contains a partial ECC
library, but does not integrate it into TLS and X.509!"

Please follow up on any testing to openssl-team as time is tight to get
this out by the embargo date, 20060928.  We'll come back next week with
the final set of patches for all the 20060928 OpenSSL issues.
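Added example, not part of this bug report and not code from the attached OpenSSL patches: the description says the fix "put in place various limits" on public keys so that oversized ones cannot consume disproportionate processing time. The block below shows the general shape of such a check in Python: a minimal DER parser for a PKCS#1 RSAPublicKey (SEQUENCE of two INTEGERs) that bounds the encoded size of the modulus and exponent before any arithmetic is done on them. The constants MAX_MODULUS_BITS and MAX_EXPONENT_BITS, the helper names, and the sample keys are assumptions constructed for this example; they are not OpenSSL's or NSS's actual limits.

```python
# Added example (not from this bug report or from the OpenSSL patches it
# references): parse a PKCS#1 RSAPublicKey DER structure
#   SEQUENCE { INTEGER modulus, INTEGER publicExponent }
# and apply size limits before any modular arithmetic runs. The numeric
# limits below are assumptions for illustration, not OpenSSL's or NSS's values.

MAX_MODULUS_BITS = 16384    # assumption: largest modulus we agree to process
MAX_EXPONENT_BITS = 64      # assumption: largest public exponent we accept


class KeyRejected(ValueError):
    """Raised when the key is malformed or exceeds the configured limits."""


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise KeyRejected("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: single length byte
        length = first
    else:                                 # long form: 0x80 | number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise KeyRejected("unsupported length encoding")
        if pos + n > len(buf):
            raise KeyRejected("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise KeyRejected("declared length exceeds buffer")
    return tag, buf[pos:end], end


def _der_uint(content, max_bits, what):
    """Decode a DER INTEGER as a non-negative int, checking the encoded size first."""
    if not content:
        raise KeyRejected(f"empty {what}")
    if content[0] & 0x80:
        raise KeyRejected(f"negative {what}")
    # Bound the *encoded* length before converting, so an oversized value is
    # rejected at the cheapest possible point (one leading sign byte is allowed).
    if (len(content) - 1) * 8 > max_bits:
        raise KeyRejected(f"{what} too large ({len(content)} bytes encoded)")
    value = int.from_bytes(content, "big")
    if value.bit_length() > max_bits:
        raise KeyRejected(f"{what} too large ({value.bit_length()} bits)")
    return value


def check_rsa_public_key(der):
    """Validate an RSAPublicKey DER blob; return (modulus_bits, exponent_bits) or raise."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise KeyRejected("expected a single outer SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, pos = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise KeyRejected("expected exactly two INTEGERs")
    n = _der_uint(n_bytes, MAX_MODULUS_BITS, "modulus")
    e = _der_uint(e_bytes, MAX_EXPONENT_BITS, "public exponent")
    if n % 2 == 0:
        raise KeyRejected("modulus must be odd")
    if e < 3 or e % 2 == 0:
        raise KeyRejected("public exponent must be odd and at least 3")
    return n.bit_length(), e.bit_length()


def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(v):
    """Encode a non-negative int as a minimal DER INTEGER (sign byte added if needed)."""
    raw = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(raw)) + raw


def encode_rsa_public_key(n, e):
    """Build a PKCS#1 RSAPublicKey DER blob; used here only to construct sample input."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


# Constructed sample keys (not real keys: the moduli are just odd numbers of
# the stated bit length, enough to exercise the parser and the limits).
SAMPLE_OK = encode_rsa_public_key((1 << 2047) | 1, 65537)
SAMPLE_HUGE_MODULUS = encode_rsa_public_key((1 << 19999) | 1, 65537)
SAMPLE_HUGE_EXPONENT = encode_rsa_public_key((1 << 2047) | 1, (1 << 99) | 1)


def classify(der):
    """Return 'accepted (...)' or 'rejected: <reason>' for a DER blob."""
    try:
        n_bits, e_bits = check_rsa_public_key(der)
        return f"accepted ({n_bits}-bit modulus, {e_bits}-bit exponent)"
    except KeyRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, blob in [("ok", SAMPLE_OK), ("huge modulus", SAMPLE_HUGE_MODULUS),
                       ("huge exponent", SAMPLE_HUGE_EXPONENT)]:
        print(f"{name}: {classify(blob)}")
```

The design point is the order of the checks: the encoded length is compared against the limit before the bytes are turned into an integer, and the integer is rejected before any modular exponentiation would happen, so a key crafted to be expensive is discarded at parse time rather than during signature or key-exchange processing.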
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-22 08:13:29 UTC
Created attachment 97750 [details, diff]
openssl-Bodo-CVE-2006-2940.patch
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-22 08:14:34 UTC
Vapier if you have time please attach updated ebuilds for testing.

Note that we now have two OpenSSL issues for 200609-28 (the other is bug #145510)
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-24 22:30:18 UTC
Created attachment 97994 [details, diff]
openssl-CVE-2006-2937.patch
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-24 22:30:36 UTC
Created attachment 97995 [details, diff]
openssl-CVE-2006-3738.patch
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-24 22:30:48 UTC
Created attachment 97996 [details, diff]
openssl-CVE-2006-4343.patch
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-09-24 22:35:16 UTC
Now attached all patches scheduled for release the 28th.
Comment 7 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-19 05:57:09 UTC
updating status whiteboard

handled in bug #145510
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-26 15:18:19 UTC
bug 145510 fixed, with GLSA 200610-11