Summary: | <dev-libs/openssl-{1.0.1a, 1.0.0i, 0.9.8w}: ASN1 BIO vulnerability (CVE-2012-{2110,2131}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | critical | CC: | base-system, whissi
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://openssl.org/news/secadv_20120419.txt | |
Whiteboard: | A1 [glsa] | |
Package list: | | Runtime testing required: | ---
Description
Hanno Böck
2012-04-19 14:21:21 UTC
Commit message: Version bump
http://sources.gentoo.org/dev-libs/openssl/openssl-0.9.8v.ebuild?rev=1.1
http://sources.gentoo.org/dev-libs/openssl/openssl-1.0.0i.ebuild?rev=1.1
http://sources.gentoo.org/dev-libs/openssl/openssl-1.0.1a.ebuild?rev=1.1

Thanks, guys.

Arches, please test and mark stable:
=dev-libs/openssl-1.0.0i
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
=dev-libs/openssl-0.9.8v
Target keywords : "amd64 x86"

Stable for HPPA.

x86 stable

amd64 stable

alpha/arm/ia64/m68k/s390/sh/sparc stable

openssl says the fix for 0.9.8 is incomplete and they've released 0.9.8w to fix it (CVE-2012-2131). 1.0.0 and 1.0.1 unaffected.
http://openssl.org/news/secadv_20120424.txt

Commit message: Version bump
http://sources.gentoo.org/dev-libs/openssl/openssl-0.9.8w.ebuild?rev=1.1

CVE-2012-2110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2110):
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.

CVE-2012-2131 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2131):
Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110.

Sorry for the bugspam here. Let's handle CVE-2012-2131 here as well.

Arches, please test and mark stable:
=dev-libs/openssl-0.9.8w
Target keywords : "amd64 x86"

amd64 stable

ppc stable

x86 stable

ppc64 done

Thanks, everyone.
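The CVE text above describes the defect class: a DER length read from untrusted input is not interpreted correctly as an integer, so a crafted length can drive a buffer overflow. The following is an added illustration, not OpenSSL's code and not the fix the ebuilds carry: a minimal DER tag-length decoder (single-byte tags, definite lengths only) that keeps the length unsigned and checks it against the bytes actually remaining before anyone sizes a buffer from it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One decoded DER tag-length header (single-byte tags only). */
typedef struct {
    uint8_t tag;
    size_t  header_len;   /* bytes used by the tag and length octets */
    size_t  content_len;  /* declared length of the content that follows */
} der_hdr;

/* Decode the tag and definite-form length at the start of buf[0..len).
 * Returns true only if the header is well formed and the declared content
 * lies entirely within the remaining input. The length is accumulated in a
 * size_t and compared against the remaining bytes, so a value with the high
 * bit set is never read as a negative count or used to grow a buffer. */
bool der_read_header(const uint8_t *buf, size_t len, der_hdr *out)
{
    if (buf == NULL || out == NULL || len < 2)
        return false;
    size_t  pos   = 0;
    uint8_t tag   = buf[pos++];
    uint8_t first = buf[pos++];
    size_t  content;

    if (first < 0x80) {
        content = first;                       /* short form: 0..127 */
    } else {
        size_t n = first & 0x7F;               /* count of length octets */
        if (n == 0 || n > sizeof(size_t))      /* indefinite form, or wider than size_t */
            return false;
        if (n > len - pos)                     /* length octets run past the input */
            return false;
        if (n > 1 && buf[pos] == 0)            /* DER forbids leading zero octets */
            return false;
        content = 0;
        for (size_t i = 0; i < n; i++)
            content = (content << 8) | buf[pos++];
        if (content < 0x80)                    /* DER: short form was required */
            return false;
    }
    if (content > len - pos)                   /* content exceeds remaining input */
        return false;

    out->tag = tag;
    out->header_len = pos;
    out->content_len = content;
    return true;
}
```

The inputs rejected here (a four-octet length of 0xFFFFFFFF on a seven-byte buffer, an indefinite length, a short form claiming more bytes than exist) are constructed samples of the shape the CVE text calls crafted DER data.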
Already in GLSA request.

This issue was resolved and addressed in GLSA 201312-03 at http://security.gentoo.org/glsa/glsa-201312-03.xml by GLSA coordinator Chris Reffett (creffett).