Bug 332027 (CVE-2010-2939)

Comment 1 Samuli Suominen (RETIRED) 2010-08-10 21:05:10 UTC

+*openssl-1.0.0a-r1 (10 Aug 2010)
+
+  10 Aug 2010; Samuli Suominen <ssuominen@gentoo.org>
+  +openssl-1.0.0a-r1.ebuild, +files/openssl-1.0.0a-fix-double-free.patch,
+  +files/openssl-1.0.0a-ldflags.patch:
+  Use environment LDFLAGS wrt #327421 by Olivier Huber. Fix double free wrt
+  #332027 by Hanno Boeck.

Since it's only ~arch, close as FIXED ?

Comment 2 SpanKY 2010-08-10 21:07:07 UTC

yes, security does not track ~arch

Comment 3 Alex Legler (RETIRED) 2010-08-10 21:16:30 UTC

Just fixing the whiteboard…

Comment 4 Hanno Böck 2010-08-12 17:03:17 UTC

According to a post on oss-security, this is also an issue in 0.9.8:
http://article.gmane.org/gmane.comp.security.oss.general/3298

Comment 5 SpanKY 2010-08-14 05:53:56 UTC

ive added the patch to openssl-0.9.8o-r2, so that i imagine should see some testing and a stable push (if someone wants to update the whiteboard)

Comment 6 Stefan Behte (RETIRED) 2010-09-03 22:31:05 UTC

CVE-2010-2939 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2939):
  Double free vulnerability in the ssl3_get_key_exchange function in
  the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7,
  and possibly other versions, when using ECDH, allows
  context-dependent attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via a crafted private key with an
  invalid prime.  NOTE: some sources refer to this as a use-after-free
  issue.

Comment 7 Tobias Heinlein (RETIRED) 2010-09-07 19:10:50 UTC

Sorry about the delay.

Arches, please test and mark stable:
=dev-libs/openssl-0.9.8o-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 8 Christian Faulhammer (RETIRED) 2010-09-08 10:37:11 UTC

How much work has been put into making sure that OpenSSL 1.0.0 works with the stable tree?  Samuli, I think you invested most time into this thingie.

Comment 9 Christian Faulhammer (RETIRED) 2010-09-08 10:51:58 UTC

(In reply to comment #8)
> How much work has been put into making sure that OpenSSL 1.0.0 works with the
> stable tree?  Samuli, I think you invested most time into this thingie.

 Forget about this comment.  But: This blocker is somehow fatal, as an unmerge of the old OpenSSL leads to wget not working anymore, which makes an update impossible.  Is there a known workaround?  I tried porting to EAPI 2 for the new blocker syntax, but that did not work out here.

USE="gmp kerberos sse2" gatt -w 332027 =dev-libs/openssl-0.9.8o-r2
+m+ resolving masked dependencies...
+m+ executing 'FEATURES="collision-protect test" /usr/bin/emerge -pq =dev-libs/openssl-0.9.8o-r2 --ignore-default-opts'...
+m+ waiting for "FEATURES="collision-protect test" /usr/bin/emerge -pq =dev-libs/openssl-0.9.8o-r2 --ignore-default-opts"...
[ebuild  NS   ] dev-libs/openssl-0.9.8o-r2 [0.9.8o]
[blocks B     ] =dev-libs/openssl-0.9.8*:0 ("=dev-libs/openssl-0.9.8*:0" is blocking dev-libs/openssl-0.9.8o-r2)

 * Error: The above package list contains packages which cannot be
 * installed at the same time on the same system.

  ('installed', '/', 'dev-libs/openssl-0.9.8o', 'nomerge') pulled in by
    >=dev-libs/openssl-0.9.7i:0 required by ('installed', '/', 'dev-db/virtuoso-server-6.1.1', 'nomerge')
    >=dev-libs/openssl-0.9.7i:0 required by ('installed', '/', 'dev-db/virtuoso-odbc-6.1.1', 'nomerge')

  ('ebuild', '/', 'dev-libs/openssl-0.9.8o-r2', 'merge') pulled in by
    dev-libs/openssl required by ('installed', '/', 'media-video/gpac-0.4.5-r1', 'nomerge')
    dev-libs/openssl required by ('installed', '/', 'net-fs/netatalk-2.0.5-r1', 'nomerge')
    dev-libs/openssl required by ('installed', '/', 'dev-lang/python-3.1.2-r4', 'nomerge')

Comment 10 Markos Chandras (RETIRED) 2010-09-08 11:35:59 UTC

encfs-1.7.2 fails to configure with 0.9.8o-r2 but it works with 0.9.8o. I wonder if there are more packages that fail with this version of openssl. 

Comment 11 Samuli Suominen (RETIRED) 2010-09-08 12:00:37 UTC

SLOT="0.9.8" of openssl-0.9.8* is not ready yet. SLOT="0" of openssl-1.0.0* is not ready yet.
I don't know why arch's are in CC here, I don't see anything that's ready to be stabilized from this bug yet.
Bug 330437 tracks the future OpenSSL 1.0.0 stabilization, arch's are not CCd in there yet for a purpose.

Comment 12 Samuli Suominen (RETIRED) 2010-10-04 19:32:00 UTC

The stabilization is now proceeding in bug 330437.

Comment 13 Samuli Suominen (RETIRED) 2010-10-07 12:00:51 UTC

Adding arch's back so they know this is a security issue:

See bug 330437 for stabilization.

Comment 14 Jeroen Roovers (RETIRED) 2010-10-07 15:48:11 UTC

Stable for HPPA PPC.

Comment 15 Raúl Porcel (RETIRED) 2010-10-10 18:37:26 UTC

arm/ia64/m68k/s390/sh/sparc stable

Comment 16 Christian Faulhammer (RETIRED) 2010-10-11 07:08:08 UTC

x86 stable, last arch.  Updated whiteboard to GLSA request.

Comment 17 Stefan Behte (RETIRED) 2010-10-13 04:01:33 UTC

This will get a GLSA together with #303739 #308011 and #322575.

Comment 18 GLSAMaker/CVETool Bot 2011-10-09 15:37:34 UTC

This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).

Comment 19 GLSAMaker/CVETool Bot 2011-10-09 15:37:34 UTC

This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).