Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 345767 (CVE-2010-3864)

Summary: <dev-libs/openssl-{0.9.8p,1.0.0b-r1}: Buffer Overflow Vulnerability (CVE-2010-3864)
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: blocker CC: axiator, brant, bugsgentoo, mno2go, ole+gentoo, phmagic
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://openssl.org/news/secadv_20101116.txt
Whiteboard: A0 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 346759    
Bug Blocks:    
Attachments:
Description Flags
Build log none

Description Tim Sammut (RETIRED) gentoo-dev 2010-11-16 16:04:42 UTC
From $URL:

TLS extension parsing race condition.
=====================================

A flaw has been found in the OpenSSL TLS server extension code parsing which
on affected servers can be exploited in a buffer overrun attack.

The OpenSSL security team would like to thank Rob Hulswit for reporting this
issue.

The fix was developed by Dr Stephen Henson of the OpenSSL core team.

This vulnerability is tracked as CVE-2010-3864

Who is affected?
=================

All versions of OpenSSL supporting TLS extensions contain this vulnerability
including OpenSSL 0.9.8f through 0.9.8o, 1.0.0, 1.0.0a releases.

Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses
OpenSSL's internal caching mechanism. Servers that are multi-process and/or
disable internal session caching are NOT affected.

In particular the Apache HTTP server (which never uses OpenSSL internal
caching) and Stunnel (which includes its own workaround) are NOT affected.

Recommendations for users of OpenSSL
=====================================

Users of all OpenSSL 0.9.8 releases from 0.9.8f through 0.9.8o should update
to the OpenSSL 0.9.8p release which contains a patch to correct this issue.

Users of OpenSSL 1.0.0 and 1.0.0a should update to the OpenSSL 1.0.0b release
which contains a patch to correct this issue.

If upgrading is not immediately possible, the relevant source code patch
provided in this advisory should be applied.
Comment 1 Brant Gurganus 2010-11-17 03:41:26 UTC
1.0.0b as in the tree now has the issue that slipped out and caught by the test cases. See the thread at https://groups.google.com/group/mailing.openssl.users/browse_thread/thread/f823f3163070e7d5#

There is a patch available.
Comment 2 Agostino Sarubbo gentoo-dev 2010-11-17 11:41:54 UTC
Created attachment 254619 [details]
Build log

Shorten the time. I guess this will become a stablereq, so I already leave my feedback.
Openssl-1.0.0b fails test, but it runs ( amd64 )
Openssl-1.0.0b fails test, but it runs ( x86 )

Openssl-0.9.8p ok ( amd64 )
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-11-17 11:54:06 UTC
What's the point of stating "tests fail" and then attaching a log without any test result at all? Beside the fact that Brant already reported that upstream knows about the failure and we need a -r1?
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-11-17 12:11:43 UTC
1.0.0b-r1 is in tree with the upstream patch, thanks Brant.

All tests pass now.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2010-11-17 14:37:10 UTC
Thanks, Diego.

Arches, please test and mark stable:
=dev-libs/openssl-0.9.8p
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

=dev-libs/openssl-1.0.0b-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"


Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2010-11-17 14:57:30 UTC
(In reply to comment #5)
> Arches, please test and mark stable:
> =dev-libs/openssl-0.9.8p
> Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Do note that SLOT="0.9.8" is only for binary programs, and only amd64 and x86 has such dependencies in tree.  
Others may wish to skip SLOT="0.9.8" and only get SLOT="0" to avoid unnecessary testing.
Comment 7 Agostino Sarubbo gentoo-dev 2010-11-17 15:25:54 UTC
(In reply to comment #3)
> What's the point of stating "tests fail" and then attaching a log without any
> test result at all? Beside the fact that Brant already reported that upstream
> knows about the failure and we need a -r1?
> 

sorry, I have attached a log wrong, and I did not realize the message of Brant.

Quiet, nothing happened ;)

Anyway:
=dev-libs/openssl-1.0.0b-r1 ok on amd64.
=dev-libs/openssl-0.9.8p ok ( already tested previously )
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-17 15:38:32 UTC
Stable for HPPA PPC.
Comment 9 Thomas Kahle (RETIRED) gentoo-dev 2010-11-17 18:38:52 UTC
x86 done, thanks.
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2010-11-17 20:16:51 UTC
amd64 done. Thanks Agostino
Comment 11 Markus Meier gentoo-dev 2010-11-19 13:49:53 UTC
arm stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2010-11-21 11:25:48 UTC
alpha/ia64/m68k/s390/sh/sparc stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2010-11-28 14:35:26 UTC
ppc64 done
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2010-11-28 15:26:16 UTC
Thanks, everyone. GLSA with bug 332027.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 19:52:55 UTC
CVE-2010-3864 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3864):
  Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o,
  1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on
  a TLS server, might allow remote attackers to execute arbitrary code via
  client data that triggers a heap-based buffer overflow, related to (1) the
  TLS server name extension and (2) elliptic curve cryptography.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 15:37:42 UTC
This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 15:37:42 UTC
This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).