Bug 308011 (CVE-2009-3245)

Summary: <dev-libs/openssl-0.9.8n Multiple vulnerabilities (CVE-2009-3245,CVE-2010-{0433,0740})
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: base-system, bernd, bircoph, cilly, josh, ole+gentoo
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 14:27:35 UTC
CVE-2009-3245 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3245):
  OpenSSL before 0.9.8m does not check for a NULL return value from
  bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2)
  crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4)
  engines/e_ubsec.c, which has unspecified impact and context-dependent
  attack vectors.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 14:28:16 UTC
base-system: please provide an updated ebuild.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-03-06 15:42:19 UTC
0.9.8m is already in tree, as per bug #306925.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:45:54 UTC
I'm going through all the bugs right now...adding another one.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:47:49 UTC
CVE-2010-0433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0433):
  The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before
  0.9.8n, when Kerberos is enabled but Kerberos configuration files
  cannot be opened, does not check a certain return value, which allows
  remote attackers to cause a denial of service (NULL pointer
  dereference and daemon crash) via SSL cipher negotiation, as
  demonstrated by a chroot installation of Dovecot or stunnel without
  Kerberos configuration files inside the chroot.

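The two CVE descriptions above share one defect class: a call that signals failure through its return value, and a caller that never looks at it. For CVE-2009-3245 the ignored value is the NULL that bn_wexpand returns when it cannot grow a BIGNUM, after which the caller keeps writing as if the buffer had been enlarged; for CVE-2010-0433 it is the result of the keytab check in ssl/kssl.c, after which a NULL pointer is dereferenced. The C sketch below is an added illustration of that pattern and is not code from this bug or from OpenSSL: `toy_bn`, `toy_wexpand`, `toy_store` and the `shift_words_*` callers are hypothetical names, the 2-word sample value is constructed, and allocation failure is injected with a flag so the out-of-memory path runs deterministically. Stores that would land past the end of the buffer are counted rather than performed, so the program stays memory-safe while still showing that the unchecked caller reports success with a number whose `top` exceeds its allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy word-array number (hypothetical type for this example, not OpenSSL's BIGNUM):
 * `d` holds `top` little-endian words, `dmax` words are allocated. */
typedef struct { uint32_t *d; int top; int dmax; } toy_bn;

/* Fault injection: when set, the next growth attempt reports failure, so the
 * out-of-memory path runs deterministically. */
static int toy_fail_next_grow = 0;
/* Stores that would have landed past the end of `d`; counted instead of
 * performed so the example stays memory-safe. */
static int toy_oob_writes = 0;

/* Grow `a` to hold at least `words` words. Returns `a` on success and NULL on
 * failure: the return contract that CVE-2009-3245 says went unchecked. */
static toy_bn *toy_wexpand(toy_bn *a, int words)
{
    uint32_t *nd;
    if (words <= a->dmax) return a;
    if (toy_fail_next_grow) { toy_fail_next_grow = 0; return NULL; }
    nd = realloc(a->d, (size_t)words * sizeof *nd);
    if (nd == NULL) return NULL;
    memset(nd + a->dmax, 0, (size_t)(words - a->dmax) * sizeof *nd);
    a->d = nd;
    a->dmax = words;
    return a;
}

/* Bounds-checked store; real code would write a->d[i] unconditionally. */
static void toy_store(toy_bn *a, int i, uint32_t v)
{
    if (i >= a->dmax) { toy_oob_writes++; return; }   /* real code: heap corruption */
    a->d[i] = v;
}

/* Shift left by n words in the vulnerable shape: the growth result is discarded, so
 * after a failed allocation the loops write into a buffer that was never enlarged
 * and the function still reports success to its caller. */
static int shift_words_unchecked(toy_bn *a, int n)
{
    int i;
    toy_wexpand(a, a->top + n);                     /* NULL return ignored */
    for (i = a->top - 1; i >= 0; i--) toy_store(a, i + n, a->d[i]);
    for (i = 0; i < n; i++) toy_store(a, i, 0);
    a->top += n;                                    /* top now exceeds dmax on failure */
    return 1;
}

/* The same operation in the fixed shape: fail before touching memory. */
static int shift_words_checked(toy_bn *a, int n)
{
    int i;
    if (toy_wexpand(a, a->top + n) == NULL) return 0;  /* caller sees the error; a untouched */
    for (i = a->top - 1; i >= 0; i--) toy_store(a, i + n, a->d[i]);
    for (i = 0; i < n; i++) toy_store(a, i, 0);
    a->top += n;
    return 1;
}

typedef struct {
    int rc;          /* what the caller was told */
    int oob_writes;  /* stores that would have corrupted the heap */
    int top;         /* words the number now claims to occupy */
    uint32_t d3;     /* d[3] when allocated, else 0 */
} demo_result;

/* Run one variant on a constructed 2-word value, shifting it left by 3 words. */
static demo_result run_demo(int use_checked, int inject_failure)
{
    demo_result r;
    toy_bn a = { calloc(2, sizeof(uint32_t)), 2, 2 };
    if (a.d == NULL) abort();                       /* the demo needs its 2 words */
    a.d[0] = 0x11111111u;
    a.d[1] = 0x22222222u;
    toy_oob_writes = 0;
    toy_fail_next_grow = inject_failure;
    r.rc = use_checked ? shift_words_checked(&a, 3) : shift_words_unchecked(&a, 3);
    r.oob_writes = toy_oob_writes;
    r.top = a.top;
    r.d3 = (a.dmax > 3) ? a.d[3] : 0;
    free(a.d);
    return r;
}

int main(void)
{
    demo_result u = run_demo(0, 1), c = run_demo(1, 1), ok = run_demo(1, 0);
    printf("unchecked, alloc fails: rc=%d oob_writes=%d top=%d (dmax still 2)\n",
           u.rc, u.oob_writes, u.top);
    printf("checked,   alloc fails: rc=%d oob_writes=%d top=%d\n", c.rc, c.oob_writes, c.top);
    printf("checked,   alloc ok:    rc=%d top=%d d[3]=%08x\n", ok.rc, ok.top, (unsigned)ok.d3);
    return 0;
}
```

With the failure injected, the unchecked variant returns 1 and leaves `top` at 5 against a 2-word allocation, having attempted three out-of-bounds stores; the checked variant returns 0 with the value untouched. When reviewing a fix of this kind, the thing to verify is exactly that second property: every error path returns before any write that assumes the growth succeeded.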
Comment 5 SpanKY gentoo-dev 2010-03-06 23:54:42 UTC
openssl-0.9.8n hasn't been released yet
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-03-12 11:09:58 UTC
*** Bug 308807 has been marked as a duplicate of this bug. ***
Comment 7 cilly 2010-03-12 11:47:40 UTC
Rather than marking dups, please stabilize openssl-0.9.8m
Comment 8 Bernd Marienfeldt 2010-03-12 11:53:27 UTC
(In reply to comment #7)
> Rather than marking dups, please stabilize openssl-0.9.8m
> 

Agreed. I would like to know why the stabilization is a problem?
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-12 12:24:34 UTC
(In reply to comment #7)
> Rather than marking dups, please stabilize openssl-0.9.8m
> 

Cilly, don't file multiple bugs for the same issue(s).

The current m version does not have a fix for CVE-2010-0433.
If base-system provides an updated m reversion, we can stable that.
Patch is available at http://cvs.openssl.org/chngview?cn=19374
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-24 14:34:35 UTC
0.9.8n has been released today.
Comment 11 SpanKY gentoo-dev 2010-03-25 06:26:14 UTC
dev-libs/openssl-0.9.8n now in the tree
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-25 10:06:28 UTC
Thanks!

Arches, please test and mark stable:
=dev-libs/openssl-0.9.8n
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-25 13:21:41 UTC
x86 stable
Comment 14 Andrew Savchenko gentoo-dev 2010-03-25 15:23:49 UTC
(In reply to comment #11)
> dev-libs/openssl-0.9.8n now in the tree

Should GLSA be issued then? I found this report only by accident and the CVE is very serious.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-25 15:50:17 UTC
(In reply to comment #14)
> Should GLSA be issued then? I found this report only by accident and the CVE is
> very serious.

Of course, as soon as it has been stabilised on all arches. (And as soon as we have sufficient manpower to actually write the GLSA :)
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2010-03-25 18:34:56 UTC
Stable for HPPA.
Comment 17 Jeroen Roovers (RETIRED) gentoo-dev 2010-03-25 18:59:07 UTC
Stable for PPC.
Comment 18 Brent Baude (RETIRED) gentoo-dev 2010-03-26 14:03:01 UTC
ppc64 done
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2010-03-28 13:19:32 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 20 Markus Meier gentoo-dev 2010-03-29 21:49:25 UTC
amd64 stable, all arches done.
Comment 21 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-31 19:46:46 UTC
CVE-2010-0740 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0740):
  The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f
  through 0.9.8m allows remote attackers to cause a denial of service
  (crash) via a malformed record in a TLS connection that triggers a
  NULL pointer dereference, related to the minor version number.  NOTE:
  some of these details are obtained from third party information.

Comment 22 Tobias Heinlein (RETIRED) gentoo-dev 2010-05-31 11:11:23 UTC
Rerating.
Comment 23 Tobias Heinlein (RETIRED) gentoo-dev 2010-05-31 11:13:21 UTC
GLSA request filed.
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 15:37:21 UTC
This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 15:37:22 UTC
This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).