Summary: | <dev-libs/openssl-1.0.0a-r3: double free error (CVE-2010-2939) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | base-system, esigra, polynomial-c |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://marc.info/?t=128118169100001&r=1&w=2 | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 330437 | ||
Bug Blocks: |
Description
Hanno Böck
![]() +*openssl-1.0.0a-r1 (10 Aug 2010) + + 10 Aug 2010; Samuli Suominen <ssuominen@gentoo.org> + +openssl-1.0.0a-r1.ebuild, +files/openssl-1.0.0a-fix-double-free.patch, + +files/openssl-1.0.0a-ldflags.patch: + Use environment LDFLAGS wrt #327421 by Olivier Huber. Fix double free wrt + #332027 by Hanno Boeck. Since it's only ~arch, close as FIXED ? yes, security does not track ~arch Just fixing the whiteboard… According to a post on oss-security, this is also an issue in 0.9.8: http://article.gmane.org/gmane.comp.security.oss.general/3298 ive added the patch to openssl-0.9.8o-r2, so that i imagine should see some testing and a stable push (if someone wants to update the whiteboard) CVE-2010-2939 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2939): Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime. NOTE: some sources refer to this as a use-after-free issue. Sorry about the delay. Arches, please test and mark stable: =dev-libs/openssl-0.9.8o-r2 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" How much work has been put into making sure that OpenSSL 1.0.0 works with the stable tree? Samuli, I think you invested most time into this thingie. (In reply to comment #8) > How much work has been put into making sure that OpenSSL 1.0.0 works with the > stable tree? Samuli, I think you invested most time into this thingie. Forget about this comment. But: This blocker is somehow fatal, as an unmerge of the old OpenSSL leads to wget not working anymore, which makes an update impossible. Is there a known workaround? I tried porting to EAPI 2 for the new blocker syntax, but that did not work out here. USE="gmp kerberos sse2" gatt -w 332027 =dev-libs/openssl-0.9.8o-r2 +m+ resolving masked dependencies... +m+ executing 'FEATURES="collision-protect test" /usr/bin/emerge -pq =dev-libs/openssl-0.9.8o-r2 --ignore-default-opts'... +m+ waiting for "FEATURES="collision-protect test" /usr/bin/emerge -pq =dev-libs/openssl-0.9.8o-r2 --ignore-default-opts"... [ebuild NS ] dev-libs/openssl-0.9.8o-r2 [0.9.8o] [blocks B ] =dev-libs/openssl-0.9.8*:0 ("=dev-libs/openssl-0.9.8*:0" is blocking dev-libs/openssl-0.9.8o-r2) * Error: The above package list contains packages which cannot be * installed at the same time on the same system. ('installed', '/', 'dev-libs/openssl-0.9.8o', 'nomerge') pulled in by >=dev-libs/openssl-0.9.7i:0 required by ('installed', '/', 'dev-db/virtuoso-server-6.1.1', 'nomerge') >=dev-libs/openssl-0.9.7i:0 required by ('installed', '/', 'dev-db/virtuoso-odbc-6.1.1', 'nomerge') ('ebuild', '/', 'dev-libs/openssl-0.9.8o-r2', 'merge') pulled in by dev-libs/openssl required by ('installed', '/', 'media-video/gpac-0.4.5-r1', 'nomerge') dev-libs/openssl required by ('installed', '/', 'net-fs/netatalk-2.0.5-r1', 'nomerge') dev-libs/openssl required by ('installed', '/', 'dev-lang/python-3.1.2-r4', 'nomerge') encfs-1.7.2 fails to configure with 0.9.8o-r2 but it works with 0.9.8o. I wonder if there are more packages that fail with this version of openssl. SLOT="0.9.8" of openssl-0.9.8* is not ready yet. SLOT="0" of openssl-1.0.0* is not ready yet. I don't know why arch's are in CC here, I don't see anything that's ready to be stabilized from this bug yet. Bug 330437 tracks the future OpenSSL 1.0.0 stabilization, arch's are not CCd in there yet for a purpose. The stabilization is now proceeding in bug 330437. Adding arch's back so they know this is a security issue: See bug 330437 for stabilization. Stable for HPPA PPC. arm/ia64/m68k/s390/sh/sparc stable x86 stable, last arch. Updated whiteboard to GLSA request. This will get a GLSA together with #303739 #308011 and #322575. This issue was resolved and addressed in 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml by GLSA coordinator Tobias Heinlein (keytoaster). This issue was resolved and addressed in 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml by GLSA coordinator Tobias Heinlein (keytoaster). |