Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 543552 (CVE-2015-0204)

Summary: <dev-libs/openssl-{0.9.8z_p5-r1,1.0.1l-r1}: Multiple vulnerabilities (CVE-2015-{0204,0207,0208,0209,0285,0286,0287,0288,0289,0290,0291,0292,0293,1787})
Product: Gentoo Security Reporter: Tobias Heinlein (RETIRED) <keytoaster>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: ago, gentoo, hanno, kfm, k_f, mschiff, polynomial-c
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://openssl.org/news/secadv_20150319.txt
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Tobias Heinlein (RETIRED) gentoo-dev 2015-03-16 21:36:53 UTC
On March 19th 2015 the OpenSSL team will release updated versions of
OpenSSL 0.9.8, 1.0.0, 1.0.1, 1.02 that fix several security issues.


Lars is going to prepare patched ebuilds.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2015-03-16 21:43:39 UTC
Note that the worst issues only affect OpenSSL 1.0.2 which is not stable on Gentoo.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2015-03-17 12:29:53 UTC
*** Bug 543600 has been marked as a duplicate of this bug. ***
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2015-03-19 09:35:26 UTC
*** Bug 543766 has been marked as a duplicate of this bug. ***
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-19 09:36:31 UTC
CCing ago, getting ready for rapid stabilization as soon as new ebuilds are in tree.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2015-03-19 14:14:34 UTC
Public via http://openssl.org/news/secadv_20150319.txt.
Comment 6 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-03-19 14:28:37 UTC
+*openssl-1.0.2-r3 (19 Mar 2015)
+*openssl-1.0.1l-r1 (19 Mar 2015)
+
+  19 Mar 2015; Lars Wendler <polynomial-c@gentoo.org>
+  +openssl-1.0.1l-r1.ebuild, +openssl-1.0.2-r3.ebuild,
+  +files/openssl-1.0.1l-CVE-2015-0286.patch,
+  +files/openssl-1.0.2-CVE-2015-0291.patch:
+  Security bump (bug #543552).
+

0.9.8z_p5-r1 will take a bit longer due to massive refactoring of the patch.
Comment 8 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-03-19 15:10:40 UTC
+*openssl-0.9.8z_p5-r1 (19 Mar 2015)
+
+  19 Mar 2015; Lars Wendler <polynomial-c@gentoo.org>
+  +openssl-0.9.8z_p5-r1.ebuild, +files/openssl-0.9.8ze-CVE-2015-0286.patch:
+  Security bump (bug #543552).
+


(In reply to Zoltán Halassy from comment #7)
> New upstream versions are available now too:
> 
> https://www.openssl.org/source/
> https://www.openssl.org/source/openssl-0.9.8zf.tar.gz
> https://www.openssl.org/source/openssl-1.0.0r.tar.gz
> https://www.openssl.org/source/openssl-1.0.1m.tar.gz
> https://www.openssl.org/source/openssl-1.0.2a.tar.gz

Upstram completely refactored their code so we need to adjust our patches first. Backporting the security patches was faster.
Comment 9 Agostino Sarubbo gentoo-dev 2015-03-19 17:06:43 UTC
Stable for alpha/amd64/arm/ia64/ppc/ppc64/s390/sh/sparc/x86
Comment 10 Hanno Böck gentoo-dev 2015-03-19 17:28:28 UTC
the openssl advisory mentions 14 vulns, the current 1.0.2-r3 ebuild only patches one as far as I can see (judging from the patch names).
Are the other vulns all patched? I understand it was faster to backport the patches, but I would feel more comfortable if we could quickly move to the upstream releases. (On the medium term it would probably be a good idea to upstream more of the gentoo-specific patches.)
Comment 11 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-19 17:30:25 UTC
(In reply to Hanno Boeck from comment #10)
> the openssl advisory mentions 14 vulns, the current 1.0.2-r3 ebuild only
> patches one as far as I can see (judging from the patch names).
> Are the other vulns all patched? I understand it was faster to backport the
> patches, but I would feel more comfortable if we could quickly move to the
> upstream releases. (On the medium term it would probably be a good idea to
> upstream more of the gentoo-specific patches.)

Yes, all the vulns are patched. ebuilds for the new upstream releases are being worked on but treated outside of this security bug
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2015-03-19 17:37:56 UTC
Stable for HPPA.
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-19 18:15:19 UTC
*** Bug 541502 has been marked as a duplicate of this bug. ***
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-19 18:15:31 UTC
*** Bug 542038 has been marked as a duplicate of this bug. ***
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-03-19 19:13:02 UTC
This issue was resolved and addressed in
 GLSA 201503-11 at https://security.gentoo.org/glsa/201503-11
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 16 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-19 19:13:26 UTC
Reopening for cleanup
Comment 17 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-03-19 20:47:16 UTC
+*openssl-1.0.2a (19 Mar 2015)
+*openssl-1.0.1m (19 Mar 2015)
+*openssl-1.0.0r (19 Mar 2015)
+*openssl-0.9.8z_p6 (19 Mar 2015)
+
+  19 Mar 2015; Lars Wendler <polynomial-c@gentoo.org>
+  -openssl-0.9.8z_p1-r2.ebuild, -openssl-0.9.8z_p2.ebuild,
+  -openssl-0.9.8z_p3.ebuild, -openssl-0.9.8z_p4.ebuild,
+  -openssl-0.9.8z_p5.ebuild, +openssl-0.9.8z_p6.ebuild, -openssl-1.0.0q.ebuild,
+  +openssl-1.0.0r.ebuild, -openssl-1.0.1j.ebuild, -openssl-1.0.1k.ebuild,
+  -openssl-1.0.1l.ebuild, +openssl-1.0.1m.ebuild, -openssl-1.0.2-r1.ebuild,
+  -openssl-1.0.2-r2.ebuild, +openssl-1.0.2a.ebuild,
+  -files/openssl-1.0.0e-x32.patch, +files/openssl-1.0.0r-x32.patch,
+  +files/openssl-1.0.1m-ipv6.patch, +files/openssl-1.0.1m-parallel-build.patch,
+  +files/openssl-1.0.1m-s_client-verify.patch, +files/openssl-1.0.1m-x32.patch,
+  +files/openssl-1.0.2a-parallel-build.patch:
+  Version bump. Removed old.
+
Comment 18 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-03-19 20:50:00 UTC
Thanks Lars! Closed.
Comment 19 Rolf Eike Beer archtester 2015-03-20 21:13:02 UTC
Ok, nice, upstream released 1.0.1m (M!) and 1.0.1l (L) has been marked stable, which only added build fixes for some obscure archs. The NSA is proud of you ;)
Comment 20 Tobias Heinlein (RETIRED) gentoo-dev 2015-03-20 22:57:52 UTC
(In reply to Rolf Eike Beer from comment #19)
> Ok, nice, upstream released 1.0.1m (M!) and 1.0.1l (L) has been marked
> stable, which only added build fixes for some obscure archs. The NSA is
> proud of you ;)

Rolf Eike, sorry to disappoint you, but we backported the patches for 1.0.1m to 1.0.1l-r1 (note "revision 1") before the new release was even public. Feel free to look at the actual ebuilds and patches.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2015-06-15 00:11:43 UTC
CVE-2015-1787 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1787):
  The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2
  before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman
  ciphersuite are enabled, allows remote attackers to cause a denial of
  service (daemon crash) via a ClientKeyExchange message with a length of
  zero.

CVE-2015-0293 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0293):
  The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r,
  1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to
  cause a denial of service (s2_lib.c assertion failure and daemon exit) via a
  crafted CLIENT-MASTER-KEY message.

CVE-2015-0292 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0292):
  Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in
  the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before
  1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of
  service (memory corruption) or possibly have unspecified other impact via
  crafted base64 data that triggers a buffer overflow.

CVE-2015-0291 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0291):
  The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  daemon crash) by using an invalid signature_algorithms extension in the
  ClientHello message during a renegotiation.

CVE-2015-0290 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0290):
  The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in
  OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does
  not properly handle certain non-blocking I/O cases, which allows remote
  attackers to cause a denial of service (pointer corruption and application
  crash) via unspecified vectors.

CVE-2015-0289 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0289):
  The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r,
  1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack
  of outer ContentInfo, which allows attackers to cause a denial of service
  (NULL pointer dereference and application crash) by leveraging an
  application that processes arbitrary PKCS#7 data and providing malformed
  data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and
  crypto/pkcs7/pk7_lib.c.

CVE-2015-0288 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0288):
  The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before
  0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a
  might allow attackers to cause a denial of service (NULL pointer dereference
  and application crash) via an invalid certificate key.

CVE-2015-0287 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0287):
  The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before
  0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a
  does not reinitialize CHOICE and ADB data structures, which might allow
  attackers to cause a denial of service (invalid write operation and memory
  corruption) by leveraging an application that relies on ASN.1 structure
  reuse.

CVE-2015-0286 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0286):
  The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before
  0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a
  does not properly perform boolean-type comparisons, which allows remote
  attackers to cause a denial of service (invalid read operation and
  application crash) via a crafted X.509 certificate to an endpoint that uses
  the certificate-verification feature.

CVE-2015-0285 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0285):
  The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a
  does not ensure that the PRNG is seeded before proceeding with a handshake,
  which makes it easier for remote attackers to defeat cryptographic
  protection mechanisms by sniffing the network and then conducting a
  brute-force attack.

CVE-2015-0209 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0209):
  Use-after-free vulnerability in the d2i_ECPrivateKey function in
  crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1
  before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause
  a denial of service (memory corruption and application crash) or possibly
  have unspecified other impact via a malformed Elliptic Curve (EC)
  private-key file that is improperly handled during import.

CVE-2015-0208 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0208):
  The ASN.1 signature-verification implementation in the rsa_item_verify
  function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  application crash) via crafted RSA PSS parameters to an endpoint that uses
  the certificate-verification feature.

CVE-2015-0207 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0207):
  The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does
  not properly isolate the state information of independent data streams,
  which allows remote attackers to cause a denial of service (application
  crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a
  DTLS 1.2 server.