Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 635586

Summary: dev-libs/openssl: out-of-bounds read creates crash
Product: Gentoo Security Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal CC: base-system, libressl
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.novell.com/show_bug.cgi?id=1065363
Whiteboard: A3 [ebuild]
Package list:
Runtime testing required: ---

Description Aleksandr Wagner (Kivak) 2017-10-27 14:55:52 UTC
openssl-1.0.2l and libressl-2.6.2 are susceptible to an out-of-bounds read and crashes. https://marc.info/?l=openbsd-tech&m=150906184009035&w=2
So observed on Tumbleweed, and therefore very likely affects 42.2, 42.3 and SLE as well.

openssl-1.1.0f has been found to not have the problem anymore.

References:

https://marc.info/?l=openbsd-tech&m=150906184009035&w=2
https://marc.info/?l=openbsd-tech&m=150906184009035&q=raw
https://github.com/openssl/openssl/commit/6493e4801e9edbe1ad1e256d4ce9cd55c8aa2242#diff-bf594638aca419f471dd119cd22da58f

@ Maintainer(s): Please confirm that the package is vulnerable to this bug, and advise on how you would like to proceed.
Comment 1 D'juan McDonald (domhnall) 2018-08-28 19:26:11 UTC
updated on 08/21/2018 via  commit fd5cf8ed

re:
Keywords for dev-libs/openssl:
                 |                           a     |           |  
                 |                           m     |           |  
                 |                           d   x |           |  
                 |                           6   8 |           |  
                 |                           4   6 |   u       |  
                 | a a   a     p           s |   | |   n       |  
                 | l m   r i   p   h m s   p f m f | e u s     | r
                 | p d a m a p c x p 6 3   a b i b | a s l     | e
                 | h 6 r 6 6 p 6 8 p 8 9 s r s p s | p e o     | p
                 | a 4 m 4 4 c 4 6 a k 0 h c d s d | i d t     | o
-----------------+---------------------------------+-----------+-------
    0.9.8z_p8    | ~ + ~ o ~ ~ ~ + ~ ~ ~ ~ ~ o ~ ~ | 5 # 0.9.8 | gentoo
    0.9.8z_p8-r1 | ~ + ~ o ~ ~ ~ + ~ ~ ~ ~ ~ o ~ ~ | 6 o       | gentoo
-----------------+---------------------------------+-----------+-------
       1.0.2o-r3 | + + + + + + + + + + + + + ~ ~ ~ | 6 o 0     | gentoo
       1.0.2o-r6 | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ | 6 #       | gentoo
       1.0.2p    | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ | 6 o       | gentoo
-----------------+---------------------------------+-----------+-------
    [M]1.1.0i    | ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ | 6 o 0/1.1 | gentoo
[M]1.1.1_pre8    | o o o o o o o o o o o o o o o o | 6 #       | gentoo
[M]1.1.1_pre9    | o o o o o o o o o o o o o o o o | 6 o       | gentoo


Keywords for dev-libs/libressl:
         |                           a     |          |  
         |                           m     |          |  
         |                           d   x |          |  
         |                           6   8 |          |  
         |                           4   6 |   u      |  
         | a a   a     p           s |   | |   n      |  
         | l m   r i   p   h m s   p f m f | e u s    | r
         | p d a m a p c x p 6 3   a b i b | a s l    | e
         | h 6 r 6 6 p 6 8 p 8 9 s r s p s | p e o    | p
         | a 4 m 4 4 c 4 6 a k 0 h c d s d | i d t    | o
---------+---------------------------------+----------+-------
   2.6.4 | ~ + + ~ ~ + + + ~ o + o + o ~ o | 6 o 0/44 | gentoo
   2.6.5 | ~ + + ~ ~ ~ ~ + ~ o + o + o ~ o | 6 o      | gentoo
---------+---------------------------------+----------+-------
[M]2.7.3 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o o o ~ o ~ o | 6 # 0/45 | gentoo
[M]2.7.4 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o o o ~ o ~ o | 6 #      | gentoo
[M]2.8.0 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o o o ~ o ~ o | 6 o      | gentoo
 
dev-libs/openssl: bump to v1.1.1 pre release 9 (beta)
- openssl-1.0.2a-x32-asm.patch dropped which shouldn't be
  necessary anymore according to upstream [Link 1].

Link 1: https://rt.openssl.org/Ticket/Display.html?id=3759#txn-62605
Bug: https://bugs.gentoo.org/542618
Package-Manager: Portage-2.3.48, Repoman-2.3.10

Gentoo Security Padawan
(domhnall)
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2019-04-27 19:00:18 UTC

*** This bug has been marked as a duplicate of bug 581234 ***