Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 551832 (CVE-2014-8176)

Summary: <dev-libs/openssl-{0.9.8z_p7,1.0.1o}: multiple vulnerabilities (CVE-2014-8176,CVE-2015-{1788,1789,1790,1791,1792,4000})
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: adrian, base-system, hanno
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://openssl.org/news/secadv_20150611.txt
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-06-11 21:09:41 UTC 
From URL (summaries):
----
-2015-4000: A vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. This vulnerability is known as Logjam (CVE-2015-4000). [affects; 

-2015-1788: When processing an ECParameters structure OpenSSL enters an infinite loop if
the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates.  This includes TLS clients and TLS servers with client authentication enabled.

-2015-1789: X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition,X509_cmp_time accepts an arbitrary number of fractional seconds in the time string.

-2015-1790: The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.

-2015-1792: When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code.

-2015-1791: If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data.

-2014-8176: If a DTLS peer receives application data between the ChangeCipherSpec and Finished messages, buffering of such data may cause an invalid free, resulting in a segmentation fault or potentially, memory corruption. [fixed in 'm', so doesn't affect us?]
----

Affected versions: < 1.0.2b, <1.0.1n.
1.0.2a and 1.0.1m are vulnerable, and 1.0.2b and 1.0.2b need to be stabilized.

Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2015-06-12 07:13:54 UTC 
ABI breakage reported here:
http://marc.info/?l=openssl-dev&m=143407129721271&w=2
Comment 2 SpanKY gentoo-dev 2015-06-12 07:27:27 UTC 
the versions are in the tree, but the ABI issue is there, so need to wait for upstream to sort that before we stabilize
Comment 3 Hanno Böck gentoo-dev 2015-06-12 16:00:31 UTC 
1.0.2c and 1.0.1o are now out and reverse the ABI breakage.
Comment 4 SpanKY gentoo-dev 2015-06-12 16:14:38 UTC 
openssl-0.9.8zg wasn't impacted by the ABI issue.  upstream has made new releases and those are in the tree.

so stabilization targets:
  openssl-0.9.8zg
  openssl-1.0.1o
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-12 16:27:34 UTC 
Thanks,

Arches, please stabilize:
=dev-libs/openssl-0.9.8z_p7
Stable targets: alpha amd64 arm ia64 ppc ppc64 sparc x86

=dev-libs/openssl-1.0.1o
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-13 04:45:15 UTC 
(In reply to Kristian Fiskerstrand from comment #5)
> Thanks,
> 
> Arches, please stabilize:
> =dev-libs/openssl-0.9.8z_p7
> Stable targets: alpha amd64 arm ia64 ppc ppc64 sparc x86

Why do you keep doing that? I'm pretty sure most of those don't need the old branch.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-06-13 06:03:16 UTC 
CVE-2015-4000 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4000):
  The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled
  on a server but not on a client, does not properly convey a DHE_EXPORT
  choice, which allows man-in-the-middle attackers to conduct cipher-downgrade
  attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then
  rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam"
  issue.

CVE-2015-1792 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1792):
  The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before
  0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b
  allows remote attackers to cause a denial of service (infinite loop) via
  vectors that trigger a NULL value of a BIO data structure, as demonstrated
  by an unrecognized X.660 OID for a hash function.

CVE-2015-1791 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1791):
  Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c
  in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and
  1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote
  attackers to cause a denial of service (double free and application crash)
  or possibly have unspecified other impact by providing a NewSessionTicket
  during an attempt to reuse a ticket that had been obtained earlier.

CVE-2015-1790 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1790):
  The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL before
  0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b
  allows remote attackers to cause a denial of service (NULL pointer
  dereference and application crash) via a PKCS#7 blob that uses ASN.1
  encoding and lacks inner EncryptedContent data.

CVE-2015-1789 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1789):
  The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before
  0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b
  allows remote attackers to cause a denial of service (out-of-bounds read and
  application crash) via a crafted length field in ASN1_TIME data, as
  demonstrated by an attack against a server that supports client
  authentication with a custom verification callback.

CVE-2015-1788 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1788):
  The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before
  0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b
  does not properly handle ECParameters structures in which the curve is over
  a malformed binary polynomial field, which allows remote attackers to cause
  a denial of service (infinite loop) via a session that uses an Elliptic
  Curve algorithm, as demonstrated by an attack against a server that supports
  client authentication.

CVE-2014-8176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8176):
  The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za,
  1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without
  considering that application data can arrive between a ChangeCipherSpec
  message and a Finished message, which allows remote DTLS peers to cause a
  denial of service (memory corruption and application crash) or possibly have
  unspecified other impact via unexpected application data.
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-13 09:10:40 UTC 
amd64 stable
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-13 09:37:20 UTC 
(In reply to Jeroen Roovers from comment #6)
> (In reply to Kristian Fiskerstrand from comment #5)
> > Thanks,
> > 
> > Arches, please stabilize:
> > =dev-libs/openssl-0.9.8z_p7
> > Stable targets: alpha amd64 arm ia64 ppc ppc64 sparc x86
> 
> Why do you keep doing that? I'm pretty sure most of those don't need the old
> branch.

Arches are free to drop stable support for a slot if there is no dependency on it, however a security bug is not the place to do so. As long as the slot has visible stable versions, we'll continue calling stabilization on it.
Comment 10 Agostino Sarubbo gentoo-dev 2015-06-13 10:27:05 UTC 
x86 stable
Comment 11 Anthony Basile gentoo-dev 2015-06-13 12:11:43 UTC 
stable for ppc and ppc64.
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-13 18:39:39 UTC 
arm stable
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-14 08:23:33 UTC 
Stable for HPPA.
Comment 14 Agostino Sarubbo gentoo-dev 2015-06-17 08:59:04 UTC 
sparc stable
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-17 19:10:23 UTC 
ia64 stable
Comment 16 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-21 16:31:13 UTC 
alpha stable
Comment 17 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-21 18:20:03 UTC 
New GLSA request filed
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2015-06-22 02:34:50 UTC 
Maintainer(s), please drop the vulnerable version(s).
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2015-06-22 12:40:53 UTC 
This issue was resolved and addressed in
 GLSA 201506-02 at https://security.gentoo.org/glsa/201506-02
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 20 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-22 12:42:10 UTC 
Re-opening for cleanup
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-08-04 14:38:17 UTC 
Ping on cleanup.
Comment 22 Yury German Gentoo Infrastructure gentoo-dev 2015-09-08 05:46:22 UTC 
Maintainer(s), Thank you for you for cleanup.