Bug 322575

Summary: <dev-libs/openssl-0.9.8o: CMS structures containing OriginatorInfo mishandled (CVE-2010-{0742,1633})
Product: Gentoo Security
Reporter: Tobias Heinlein (RETIRED) <keytoaster>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: base-system
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openssl.org/news/secadv_20100601.txt
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Tobias Heinlein (RETIRED) gentoo-dev 2010-06-03 11:20:39 UTC
See $URL.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-03 11:21:53 UTC
Rating as B as CMS is disabled by default.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-03 11:22:39 UTC
Arches, please test and mark stable:
=dev-libs/openssl-0.9.8o
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-06-03 14:31:17 UTC
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2010-06-03 18:05:34 UTC
Stable for HPPA.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-04 13:06:53 UTC
CC'ing maintainer..
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-05 18:13:12 UTC
CVE-2010-0742 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0742):
  The Cryptographic Message Syntax (CMS) implementation in
  crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a
  does not properly handle structures that contain OriginatorInfo,
  which allows context-dependent attackers to modify invalid memory
  locations or conduct double-free attacks, and possibly execute
  arbitrary code, via unspecified vectors.

CVE-2010-1633 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1633):
  RSA verification recovery in the EVP_PKEY_verify_recover function in
  OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other
  applications, returns uninitialized memory upon failure, which might
  allow context-dependent attackers to bypass intended key requirements
  or obtain sensitive information via unspecified vectors.  NOTE: some
  of these details are obtained from third party information.

Comment 7 Joe Jezak (RETIRED) gentoo-dev 2010-06-07 05:04:45 UTC
Marked ppc/ppc64 stable.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-07 21:53:21 UTC
CVE-2010-0742: CMS disabled by default
CVE-2010-1633: only present in 1.x (we only have it masked)

-> Rerating C
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-08 15:09:12 UTC
(In reply to comment #8)
> CVE-2010-0742: CMS disabled by default
> CVE-2010-1633: only present in 1.x (we only have it masked)
> 
> -> Rerating C
> 

That's why I rated it as B, otherwise it would have been A.
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-08 20:36:05 UTC
base-system: It appears that our 0.x ebuilds do not allow building with CMS. Please confirm this.
Comment 11 SpanKY gentoo-dev 2010-06-08 20:49:42 UTC
Sounds about right. I've never added a USE flag for it, so our default should match the upstream default.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2010-06-20 18:00:41 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 13 Markus Meier gentoo-dev 2010-06-21 20:44:03 UTC
amd64 stable, all arches done.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2010-09-07 19:03:07 UTC
GLSA with bug 303739 and bug 308011.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 15:37:28 UTC
This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).