Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 194039 - dev-libs/openssl < 0.9.8e-r3 SSL_get_shared_ciphers() Off-by-One buffer underflow (CVE-2007-5135)
Summary: dev-libs/openssl < 0.9.8e-r3 SSL_get_shared_ciphers() Off-by-One buffer under...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: A2? [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-09-27 22:31 UTC by Robert Buchholz (RETIRED)
Modified: 2008-01-10 08:59 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
openssl-0.9.8e-r3.ebuild (openssl-0.9.8e-r3.ebuild.diff,461 bytes, patch)
2007-09-30 19:02 UTC, Joe Peterson (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-09-27 22:31:37 UTC
CVE-2007-5135:
  Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL
  0.9.7l and 0.9.8d might allow remote attackers to execute arbitrary
  code via a crafted packet that triggers a one-byte buffer underflow.

According to Moritz Jodeit this is related to an improper fix for CVE-2006-3738.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-09-27 22:35:45 UTC
The patch to the OpenSSL_0_9_8-stable branch can be found here:
  http://cvs.openssl.org/chngview?cn=16587

base-system, please advise.
Comment 2 SpanKY gentoo-dev 2007-09-30 01:20:27 UTC
openssl-0.9.8e-r3 in the tree with the patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-09-30 01:33:01 UTC
Thanks, vapier.

Arches, please stabilize dev-libs/openssl-0.9.8e-r3
Targets are:"alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd ~sparc-fbsd"
BSD, you don't have keywords for any 0.9.8 version. Are you interested?
Comment 4 Markus Rothe (RETIRED) gentoo-dev 2007-09-30 06:26:58 UTC
ppc64 stable
Comment 5 Joe Peterson (RETIRED) gentoo-dev 2007-09-30 07:08:52 UTC
For BDS: yes, definitely!  I'm trying to build 0.9.8e-r3 on BSD now, and I'll keyword it when successful.  BTW, it looks like system includes (previously installed by openssl) are being referenced during the build:

gmake[2]: Entering directory `/var/tmp/portage/dev-libs/openssl-0.9.8e-r3/work/openssl-0.9.8e/crypto/mdc2'
i686-gentoo-freebsd6.2-gcc -I.. -I../.. -I../../include -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -O2 -mtune=i686 -pipe -Wa,--noexecstack   -c -o mdc2dgst.o mdc2dgst.c
mdc2dgst.c:88: error: conflicting types for 'MDC2_Update'
/usr/include/openssl/mdc2.h:87: error: previous declaration of 'MDC2_Update' was here

Note that it's using /usr/include/openssl/mdc2.h...  I'll look at this more tomorrow, but even if the compile works, it should not be relying on old installs or using includes from them (could lead to insidious issues).
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-09-30 09:52:54 UTC
base-system, please have a look at comment #5.
Comment 7 SpanKY gentoo-dev 2007-09-30 09:59:11 UTC
completely unrelated and nothing new

there is already a different open bug on the topic
Comment 8 Markus Meier gentoo-dev 2007-09-30 13:46:40 UTC
x86 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-30 18:59:23 UTC
ppc stable
Comment 10 Joe Peterson (RETIRED) gentoo-dev 2007-09-30 19:02:48 UTC
Created attachment 132255 [details, diff]
openssl-0.9.8e-r3.ebuild

This ebuild patch fixes the "find" command that uses the "-lname" option.  This is a GNU option not available in BSD.

With this patch, we will be able to keyword x86-fbsd, and it appears to work.  I am hesitant to modify r3, however, since two archs have stabled, and this has not been tested on these (although it should work).  They really should check it again with this patch.  I can check this in as r4 - please advise.

SpanKY, BTW, your patch from bug #146316 fixed the BSD compile problem.  Thanks!
Comment 11 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2007-10-01 01:17:16 UTC
1. Emerges on SPARC.
2. No collisions.
3. Tests run fine.

(In reply to comment #10)
> Created an attachment (id=132255) [edit]
> openssl-0.9.8e-r3.ebuild

I've used the patch for testing 0.9.8e-r4.

Tested with:
dev-libs/openssl-0.9.8e-r3 (test)
dev-libs/openssl-0.9.8e-r3 (test zlib)
dev-libs/openssl-0.9.8e-r4 (test zlib)
dev-libs/openssl-0.9.8e-r4 (test)


emerge --info:
Portage 2.1.3.9 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.5-r4, 2.6.17-gentoo-r8 sparc64)
=================================================================
System uname: 2.6.17-gentoo-r8 sparc64 sun4u
Timestamp of tree: Sun, 30 Sep 2007 20:50:01 +0000
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r5
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="sparc"
CBUILD="sparc-unknown-linux-gnu"
CFLAGS="-O2 -mcpu=ultrasparc3 -pipe"
CHOST="sparc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -mcpu=ultrasparc3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protection distlocks metadata-transfer parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ ftp://ftp.gentoo-pt.org/pub/gentoo ftp://mirrors1.netvisao.pt/gentoo/ http://trumpetti.tut.atm.fi/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://atl64.acores.pt/gentoo-portage"
USE="bitmap-fonts cli cracklib crypt cups dri fortran gdbm gpm iconv isdnlog midi mudflap nls nptl nptlonly openmp pam pcre ppds pppd reflection session sparc spl tcpd test truetype-fonts type1-fonts unicode vhosts xorg" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="dummy fbdev glint mach64 mga r128 radeon sunbw2 suncg14 suncg3 suncg6 sunffb sunleo tdfx v4l voodoo"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 12 SpanKY gentoo-dev 2007-10-01 01:42:26 UTC
this bug is for stabilizing due to CVE-2007-5135, not for dumping random issues

file new bugs
Comment 13 Joshua Kinard gentoo-dev 2007-10-01 01:59:33 UTC
mips stable.
Comment 14 Joe Peterson (RETIRED) gentoo-dev 2007-10-01 02:21:59 UTC
OK, I will make a r4 version with the patch, and I'll file a new bug so we can keyword BSD.  Thanks to Jorge for testing my patch on sparc.
Comment 15 Joe Peterson (RETIRED) gentoo-dev 2007-10-01 06:13:36 UTC
Keyworded ~x86-fbsd
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2007-10-01 10:48:51 UTC
alpha/ia64/sparc stable, thanks Jorge Manuel
Comment 17 Roy Marples (RETIRED) gentoo-dev 2007-10-01 11:33:18 UTC
Keyworded ~sparc-fbsd.
Comment 18 Jeroen Roovers gentoo-dev 2007-10-01 13:06:10 UTC
Stable for HPPA.
Comment 19 Jonas Pedersen 2007-10-01 22:29:17 UTC
dev-libs/openssl-0.9.8e-r3  USE="(sse2) test zlib -bindist -emacs"

1. Emerges on AMD64. 
2. No collisions and passes tests etc. 
3. Have used it for a couple of hours with openssh. Both with pw auth and key auth. 

Portage 2.1.3.9 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r2 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Timestamp of tree: Sun, 30 Sep 2007 21:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r5
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo"
LC_ALL="en_DK.utf8"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos lm_sensors mad midi mikmod mjpeg mmx mozilla mp2 mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis x264 xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 20 Jonas Pedersen 2007-10-01 22:29:29 UTC
dev-libs/openssl-0.9.8e-r3  USE="(sse2) test zlib -bindist -emacs"

1. Emerges on AMD64. 
2. No collisions and passes tests etc. 
3. Have used it for a couple of hours with openssh. Both with pw auth and key auth. 

Portage 2.1.3.9 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r2 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Timestamp of tree: Sun, 30 Sep 2007 21:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r5
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo"
LC_ALL="en_DK.utf8"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos lm_sensors mad midi mikmod mjpeg mmx mozilla mp2 mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis x264 xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 21 Chris Gianelloni (RETIRED) gentoo-dev 2007-10-03 00:12:27 UTC
amd64 done, thanks Jonas
Comment 22 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-03 13:05:54 UTC
Last supported arch done, please file a GLSA request.
Comment 23 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-07 21:46:49 UTC
GLSA 200710-06