Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 455592

Summary: <dev-libs/openssl-{0.9.8y,1.0.1e-r1} : multiple vulnerabilities (CVE-2012-2686,CVE-2013-{0166,0169})
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: base-system, rhill
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2013-02-05 13:14:48 UTC
Three vulnerabilities have been fixed with new openssl versions:
SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686)
OCSP invalid key DoS issue (CVE-2013-0166)

Regarding the first (CVE-2013-0169), the underlying problem is the weakness of the AES-CBC modes. As the only proper solution to that is to switch to TLS 1.2, I'd suggest we should advise users to switch to the 1.0.1-version if possible (1.0.0 and before don't support TLS 1.2). Stabilization of 1.0.1 is already happening in #454566.
Comment 2 Hanno Böck gentoo-dev 2013-02-06 00:20:02 UTC
*** Bug 455556 has been marked as a duplicate of this bug. ***
Comment 3 Hanno Böck gentoo-dev 2013-02-07 23:46:58 UTC
There seems to be a major regression in 1.0.1d (various bugs popping up), and openssl upstream intends to ship another release soon.

This is the supposedly fixing commit:;a=commitdiff;h=32cc247

I suggest waiting with stabilization for another openssl release.
Comment 4 Ryan Hill (RETIRED) gentoo-dev 2013-02-08 01:21:44 UTC
I've temporarily added 1.0.1d to package.mask (bug #456108).  Sorry if that causes any inconvenience.
Comment 5 Hanno Böck gentoo-dev 2013-02-11 16:19:01 UTC
1.0.1e is available upstream now.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-25 22:49:54 UTC
Thanks, Mike, Hanno, and Ryan. Are these ready for stabilization?

Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 21:51:44 UTC
CVE-2013-0169 (
  The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in
  OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider
  timing side-channel attacks on a MAC check requirement during the processing
  of malformed CBC padding, which allows remote attackers to conduct
  distinguishing attacks and plaintext-recovery attacks via statistical
  analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

CVE-2013-0166 (
  OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not
  properly perform signature verification for OCSP responses, which allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  application crash) via an invalid key.

CVE-2012-2686 (
  crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1
  and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote
  attackers to cause a denial of service (application crash) via crafted CBC
Comment 8 Hanno Böck gentoo-dev 2013-03-19 09:34:16 UTC
What's holding this up? Is 1.0.0e ready for stabilization?
Comment 9 Hanno Böck gentoo-dev 2013-03-19 09:34:27 UTC
Sorry, I meant 1.0.1e.
Comment 10 Daniel Bumke 2013-04-19 15:32:34 UTC
Are we still waiting for something here?
Comment 11 Hanno Böck gentoo-dev 2013-05-25 08:32:09 UTC
Can please someone from security or openssl maintainers react here? This is a security bug, it seems its fixed since several months, just stabilization is waiting (so probably just cc arch's, I won't do it as I understand it that this is maintainers or security teams job).

Weird enough, it seems a bunch of stabilizations happened on an old, vulnerable openssl version in the meantime.
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-09-02 11:26:03 UTC
(In reply to Sean Amoss from comment #6)
> Thanks, Mike, Hanno, and Ryan. Are these ready for stabilization?
> =dev-libs/openssl-0.9.8y
> =dev-libs/openssl-1.0.1e

base-system: ^

Likely 1.0.1e-r1 should be stabled now. Let's finally do that in a week if there is no feedback.
Comment 13 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 05:42:21 UTC
Timeout. Arches, please test and stabilize:
Target arches: amd64 x86

Target arches: alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 14 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 05:43:10 UTC
Sorry, should have been 1.0.1e-r1. Correct stable list:

Target arches: amd64 x86

Target arches: alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2013-09-12 15:08:50 UTC
Stable for HPPA.
Comment 16 Agostino Sarubbo gentoo-dev 2013-09-15 08:43:13 UTC
amd64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-09-15 08:43:23 UTC
x86 stable
Comment 18 Agostino Sarubbo gentoo-dev 2013-09-15 08:43:46 UTC
ppc stable
Comment 19 Agostino Sarubbo gentoo-dev 2013-09-15 08:43:56 UTC
ppc64 stable
Comment 20 Markus Meier gentoo-dev 2013-09-15 15:56:41 UTC
arm stable
Comment 21 Agostino Sarubbo gentoo-dev 2013-09-22 08:00:01 UTC
ia64 stable
Comment 22 Agostino Sarubbo gentoo-dev 2013-09-22 14:24:40 UTC
alpha stable
Comment 23 Jack Morgan (RETIRED) gentoo-dev 2013-09-23 04:39:09 UTC
Im able to reprdoduce bug 69976 on ppc64, see comment #19. I've update portage with ppc64 stable for openssl-1.0.1e and ~ppc64 for openssl-1.0.1e-r1
Comment 24 Agostino Sarubbo gentoo-dev 2013-09-28 20:44:30 UTC
SH is not anymore a stable arch, removing it from the cc list
Comment 25 Agostino Sarubbo gentoo-dev 2013-09-28 20:48:47 UTC
S390 is not anymore a stable arch, removing it from the cc list
Comment 26 Agostino Sarubbo gentoo-dev 2013-09-28 20:53:58 UTC
M68K is not anymore a stable arch, removing it from the cc list
Comment 27 Agostino Sarubbo gentoo-dev 2013-10-13 11:18:15 UTC
sparc stable
Comment 28 Sergey Popov gentoo-dev 2013-10-16 09:55:14 UTC
Added to existing GLSA draft.

@maintainers: cleanup, please
Comment 29 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2013-11-26 07:28:17 UTC
+  26 Nov 2013; Lars Wendler <> -openssl-0.9.8u.ebuild,
+  -openssl-0.9.8v.ebuild, -openssl-0.9.8w.ebuild, -openssl-0.9.8x.ebuild,
+  -openssl-1.0.0h.ebuild, -openssl-1.0.0i.ebuild, -openssl-1.0.1a.ebuild,
+  -openssl-1.0.1b.ebuild, -openssl-1.0.1c.ebuild, -openssl-1.0.1d.ebuild,
+  -openssl-1.0.1d-r1.ebuild, openssl-1.0.1e.ebuild,
+  -files/openssl-1.0.0d-alpha-fix-unalign.patch,
+  -files/openssl-1.0.0d-alpha-typo.patch,
+  -files/openssl-1.0.0e-pkg-config.patch, -files/openssl-1.0.1-ipv6.patch,
+  -files/openssl-1.0.1a-hmac-ia32cap.patch,
+  -files/openssl-1.0.1d-s3-packet.patch:
+  Removed old vulnerable versions. Removed all but ppc64 KEYWORDS from
+  openssl-1.0.1e.ebuild.

I hope I got all versions except of openssl-1.0.1e.ebuild which is the latest ebuild being stable for ppc64.
Comment 30 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:27:49 UTC
This issue was resolved and addressed in
 GLSA 201312-03 at
by GLSA coordinator Chris Reffett (creffett).