Bug 270305 (CVE-2009-1377) - <dev-libs/openssl-0.9.8l DTLS Denial of Service (CVE-2009-{1377,1378,1379,1387})
Summary: <dev-libs/openssl-0.9.8l DTLS Denial of Service (CVE-2009-{1377,1378,1379,1387})
Status: RESOLVED FIXED
Alias: CVE-2009-1377
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on: 292022
Blocks:
Reported: 2009-05-18 14:53 UTC by Robert Buchholz (RETIRED)
Modified: 2009-12-01 21:34 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
openssl-0.9.8-CVE-2009-1377.patch (openssl-0.9.8-CVE-2009-1377.patch,1.53 KB, patch)
2009-05-18 14:54 UTC, Robert Buchholz (RETIRED)
openssl-0.9.8-CVE-2009-1378.patch (openssl-0.9.8-CVE-2009-1378.patch,894 bytes, patch)
2009-05-18 14:54 UTC, Robert Buchholz (RETIRED)
openssl-0.9.8-CVE-2009-1379.patch (openssl-0.9.8-CVE-2009-1379.patch,662 bytes, patch)
2009-05-24 16:59 UTC, Alex Legler (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 14:53:24 UTC
Two vulnerabilities have been reported in OpenSSL 0.9.8 and later that can lead to a Denial of Service in DTLS-enabled daemons:

CVE-2009-1377 epoch record buffer memory DoS

        http://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest
        http://marc.info/?l=openssl-dev&m=124247675613888&w=2
        http://cvs.openssl.org/chngview?cn=18187

CVE-2009-1378 DTLS fragment handling memory DoS

        http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
        http://marc.info/?t=124250665500033&r=1&w=2
        http://cvs.openssl.org/chngview?cn=18188
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 14:54:01 UTC
Created attachment 191674
openssl-0.9.8-CVE-2009-1377.patch

openssl-0.9.8-CVE-2009-1377.patch as applied in CVS.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-05-18 14:54:42 UTC
Created attachment 191677
openssl-0.9.8-CVE-2009-1378.patch

openssl-0.9.8-CVE-2009-1378.patch backport as proposed in the bug report.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-19 21:26:32 UTC
CVE-2009-1377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1377):
  The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k
  and earlier 0.9.8 versions allows remote attackers to cause a denial
  of service (memory consumption) via a large series of "future epoch"
  DTLS records that are buffered in a queue, aka "DTLS record buffer
  limitation bug."

CVE-2009-1378 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1378):
  Multiple memory leaks in the dtls1_process_out_of_seq_message
  function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8
  versions allow remote attackers to cause a denial of service (memory
  consumption) via DTLS records that (1) are duplicates or (2) have
  sequence numbers much greater than current sequence numbers, aka
  "DTLS fragment handling memory leak."

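A toy model of the queue behaviour behind CVE-2009-1377, added here as an illustration (it is not OpenSSL code and not taken from the attached patches): records for a not-yet-current epoch are buffered until that epoch is reached, and the difference between the vulnerable and fixed behaviour is whether that buffer has a cap. The struct and function names and the cap of 100 records are assumptions.

```c
/* Added example, not OpenSSL code: models the future-epoch record buffer
 * described for CVE-2009-1377.  Unbounded buffering lets a peer drive
 * memory use up with records that are never consumed; a cap bounds it.
 * RECORD_BUF_LIMIT and all names here are assumptions. */
#include <stdlib.h>
#include <string.h>

#define RECORD_BUF_LIMIT 100    /* assumed cap; stands in for the "record buffer limitation" */

typedef struct record_node {
    unsigned char payload[16];          /* constructed stand-in for a DTLS record */
    struct record_node *next;
} record_node;

typedef struct {
    record_node *head;
    size_t count;
} record_queue;

/* Buffer one future-epoch record.  With `limited` == 0 the queue grows
 * without bound (the vulnerable behaviour); otherwise a record arriving
 * at the cap is dropped before any allocation.  Returns 1 if buffered. */
static int buffer_record(record_queue *q, const unsigned char *payload, int limited) {
    if (limited && q->count >= RECORD_BUF_LIMIT)
        return 0;
    record_node *n = malloc(sizeof *n);
    if (!n) return 0;
    memcpy(n->payload, payload, sizeof n->payload);
    n->next = q->head;
    q->head = n;
    q->count++;
    return 1;
}

static void queue_free(record_queue *q) {
    while (q->head) { record_node *n = q->head; q->head = n->next; free(n); }
    q->count = 0;
}

/* Offer `n` future-epoch records to the buffer and report how many it
 * retained; this is the number that stays resident until the epoch turns. */
size_t records_kept_after(size_t n, int limited) {
    record_queue q = { NULL, 0 };
    unsigned char payload[16] = {0};    /* constructed sample record */
    for (size_t i = 0; i < n; i++) buffer_record(&q, payload, limited);
    size_t kept = q.count;
    queue_free(&q);
    return kept;
}
```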
Comment 5 Hanno Böck gentoo-dev 2009-05-20 09:10:38 UTC
CVE-2009-1379:
Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-24 16:59:07 UTC
Created attachment 192323
openssl-0.9.8-CVE-2009-1379.patch

Patch for CVE-2009-1379 as applied to CVS.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 21:42:18 UTC
CVE-2009-1387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1387):
  The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in
  OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial
  of service (NULL pointer dereference and daemon crash) via an
  out-of-sequence DTLS handshake message, related to a "fragment bug."

Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 21:42:43 UTC
Patch at: http://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest
Comment 9 SpanKY gentoo-dev 2009-11-05 20:07:00 UTC
I've added 0.9.8l with the patches for 137{7,8,9}, and 1387 seems to already be included
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-05 22:31:18 UTC
Stabilization via bug 292022.
Comment 11 SpanKY gentoo-dev 2009-11-21 03:09:47 UTC
CVE-2009-1387 wasn't in the 0.9.8l release, so I added it to 0.9.8l-r1
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-01 21:34:36 UTC
GLSA 200912-01