Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 497838 (CVE-2013-4353)

Summary: <dev-libs/openssl-1.0.1f: NULL pointer dereference (CVE-2013-4353)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 499086    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2014-01-11 22:47:43 UTC 
CVE-2013-4353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4353):
  The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f
  allows remote TLS servers to cause a denial of service (NULL pointer
  dereference and application crash) via a crafted Next Protocol Negotiation
  record in a TLS handshake.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-17 15:45:18 UTC 
Stable for HPPA.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-01-17 16:21:33 UTC 
Arches, please test and mark stable:

=dev-libs/openssl-1.0.1f

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86"
Comment 3 Pacho Ramos gentoo-dev 2014-01-18 19:08:07 UTC 
amd64 stable
Comment 4 Markus Meier gentoo-dev 2014-01-19 12:33:41 UTC 
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-01-19 13:48:08 UTC 
alpha stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-20 15:59:59 UTC 
ppc stable
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2014-01-21 00:01:47 UTC 
x86 stable
Comment 8 Matt Turner gentoo-dev 2014-01-24 02:23:11 UTC 
1.0.1f doesn't compile on alpha. I've reverted the stabilization and added a blocking bug.
Comment 9 Matt Turner gentoo-dev 2014-01-25 23:12:07 UTC 
Guess we're going straight to stable.
Comment 10 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-26 01:37:06 UTC 
failed to compile for me. AMD64 hardened.

My guess is because I haven't compiled the kernel listed in /usr/src/linux

http://bpaste.net/show/172185/
Comment 11 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-26 01:46:40 UTC 
ignore me... migrate-pax -m...

Seems I need to update this system's kernel...
Comment 12 Agostino Sarubbo gentoo-dev 2014-01-26 11:49:05 UTC 
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-01-26 11:57:10 UTC 
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-01-26 11:59:35 UTC 
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-01-28 06:20:46 UTC 
GLSA Request Filed

Maintainer(s), please drop the vulnerable version(s).
Comment 16 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-02-21 15:35:23 UTC 
+  21 Feb 2014; Lars Wendler <polynomial-c@gentoo.org> -openssl-1.0.1e.ebuild,
+  -openssl-1.0.1e-r1.ebuild, -openssl-1.0.1e-r2.ebuild,
+  -openssl-1.0.1e-r3.ebuild, -files/openssl-1.0.1e-bad-mac-aes-ni.patch,
+  -files/openssl-1.0.1e-perl-5.18.patch,
+  -files/openssl-1.0.1e-rdrand-explicit.patch,
+  -files/openssl-1.0.1e-tls-ver-crash.patch:
+  Removed vulnerable versions (bug #497838).
+
Comment 17 Chris Reffett (RETIRED) gentoo-dev Security 2014-02-21 15:36:20 UTC 
Cleanup done by Polynomial-C
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-02-21 16:08:29 UTC 
This issue was resolved and addressed in
 GLSA 201402-25 at http://security.gentoo.org/glsa/glsa-201402-25.xml
by GLSA coordinator Chris Reffett (creffett).