** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date ** OpenSSL Security Advisory [07-Jan-2009] Incorrect checks for malformed signatures ------------------------------------------- Several functions inside OpenSSL incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. This issue affected the signature checks on DSA and ECDSA keys used with SSL/TLS. One way to exploit this flaw would be for a remote attacker who is in control of a malicious server or who can use a 'man in the middle' attack to present a malformed SSL/TLS signature from a certificate chain to a vulnerable client, bypassing validation. This vulnerability is tracked as CVE-2008-5077. The OpenSSL security team would like to thank the Google Security Team for reporting this issue. Who is affected? ----------------- Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client when connecting to a server whose certificate contains a DSA or ECDSA key. Use of OpenSSL as an SSL/TLS client when connecting to a server whose certificate uses an RSA key is NOT affected. Verification of client certificates by OpenSSL servers for any key type is NOT affected. Recommendations for users of OpenSSL ------------------------------------ Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release which contains a patch to correct this issue. The patch used is also appended to this advisory for users or distributions who wish to backport this patch to versions they build from source. Please note: this patch also includes fixes for a few other cases where return codes are not correctly checked, but these do not have a security implication Recommendations for projects using OpenSSL ------------------------------------------ Projects and products using OpenSSL should audit any use of the routine EVP_VerifyFinal() to ensure that the return code is being correctly handled. As documented, this function returns 1 for a successful verification, 0 for failure, and -1 for an error. General recommendations ----------------------- Any SSL/TLS server with clients that OpenSSL to verify DSA or ECDSA certificates, regardless of the software used by the server, should either ensure that all clients are upgraded or should stop using DSA/ECDSA certificates. Note that unless certificates are revoked (and clients check for revocation) impersonation will still be possible until the certificate expires.
Created attachment 175631 [details, diff] openssl-0.9.8i-CVE-2008-5077.patch Please prepare an ebuild applying this patch and attach it to the bug, we'll handle prestable testing here. Do not commit anything to CVS.
This is now public via http://openssl.org/news/secadv_20090107.txt. Please apply the patch in the tree.
Created attachment 177699 [details] openssl-0.9.8j.ebuild
Created attachment 177700 [details, diff] openssl-0.9.8j-parallel-build.patch
(Still broken for parallel building, please wait for an updated ebuild)
+*openssl-0.9.8j (08 Jan 2009) + + 08 Jan 2009; Peter Alfredsen <loki_val@gentoo.org> + +files/openssl-0.9.8j-parallel-build.patch, +openssl-0.9.8j.ebuild: + Bump, bug 254183 and CVE-2008-5077, bug 251346. Parallel build fails + horribly, forcing -j1. Since we don't install fips, sedded that part out + of the root makefile to get around a build failure. +
Arches, please test and mark stable: =dev-libs/openssl-0.9.8j Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
ppc and ppc64 done
alpha/sparc/x86 stable, need to look at ia64 test failure...
amd64 stable
request filed
GLSA 200902-02
arm/m68k/s390/sh were done, and ia64 stable now :)