Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 308011 (CVE-2009-3245) - <dev-libs/openssl-0.9.8n Multiple vulnerabilities (CVE-2009-3245,CVE-2010-{0433,0740})
Summary: <dev-libs/openssl-0.9.8n Multiple vulnerabilities (CVE-2009-3245,CVE-2010-{04...
Status: RESOLVED FIXED
Alias: CVE-2009-3245
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
: 308807 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-03-06 14:27 UTC by Stefan Behte (RETIRED)
Modified: 2011-10-09 15:37 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 14:27:35 UTC
CVE-2009-3245 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3245):
  OpenSSL before 0.9.8m does not check for a NULL return value from
  bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2)
  crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4)
  engines/e_ubsec.c, which has unspecified impact and context-dependent
  attack vectors.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 14:28:16 UTC
base-system: please provide an updated ebuild.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-03-06 15:42:19 UTC
0.9.8m is already in tree, as per bug #306925.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:45:54 UTC
I'm going through all the bugs right now...adding another one.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:47:49 UTC
CVE-2010-0433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0433):
  The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before
  0.9.8n, when Kerberos is enabled but Kerberos configuration files
  cannot be opened, does not check a certain return value, which allows
  remote attackers to cause a denial of service (NULL pointer
  dereference and daemon crash) via SSL cipher negotiation, as
  demonstrated by a chroot installation of Dovecot or stunnel without
  Kerberos configuration files inside the chroot.

Comment 5 SpanKY gentoo-dev 2010-03-06 23:54:42 UTC
openssl-0.9.8n hasnt been released yet
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-03-12 11:09:58 UTC
*** Bug 308807 has been marked as a duplicate of this bug. ***
Comment 7 cilly 2010-03-12 11:47:40 UTC
rather marking dups, please stabilize openssl-0.9.8m
Comment 8 Bernd Marienfeldt 2010-03-12 11:53:27 UTC
(In reply to comment #7)
> rather marking dups, please stabilize openssl-0.9.8m
> 

Agreed. I would like to know why the stabilization is a problem ?
Comment 9 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-03-12 12:24:34 UTC
(In reply to comment #7)
> rather marking dups, please stabilize openssl-0.9.8m
> 

Cilly, don't file multiple bugs for the same issue(s).

The current m version does not have a fix for CVE-2010-0433.
If base-system provides an updated m reversion, we can stable that.
Patch is available at http://cvs.openssl.org/chngview?cn=19374
Comment 10 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-03-24 14:34:35 UTC
0.9.8n has been released today.
Comment 11 SpanKY gentoo-dev 2010-03-25 06:26:14 UTC
dev-libs/openssl-0.9.8n now in the tree
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-25 10:06:28 UTC
Thanks!

Arches, please test and mark stable:
=dev-libs/openssl-0.9.8n
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-25 13:21:41 UTC
x86 stable
Comment 14 Andrew Savchenko gentoo-dev 2010-03-25 15:23:49 UTC
(In reply to comment #11)
> dev-libs/openssl-0.9.8n now in the tree

Should GLSA be issued then? I found this report only by accident and the CVE is very serious.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-25 15:50:17 UTC
(In reply to comment #14)
> Should GLSA be issued then? I found this report only by accident and the CVE is
> very serious.

Of course, as soon as it has been stabilised on all arches. (And as soon as we have sufficient manpower to actually write the GLSA :)
Comment 16 Jeroen Roovers gentoo-dev 2010-03-25 18:34:56 UTC
Stable for HPPA.
Comment 17 Jeroen Roovers gentoo-dev 2010-03-25 18:59:07 UTC
Stable for PPC.
Comment 18 Brent Baude (RETIRED) gentoo-dev 2010-03-26 14:03:01 UTC
ppc64 done
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2010-03-28 13:19:32 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 20 Markus Meier gentoo-dev 2010-03-29 21:49:25 UTC
amd64 stable, all arches done.
Comment 21 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-03-31 19:46:46 UTC
CVE-2010-0740 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0740):
  The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f
  through 0.9.8m allows remote attackers to cause a denial of service
  (crash) via a malformed record in a TLS connection that triggers a
  NULL pointer dereference, related to the minor version number.  NOTE:
  some of these details are obtained from third party information.

Comment 22 Tobias Heinlein (RETIRED) gentoo-dev 2010-05-31 11:11:23 UTC
Rerating.
Comment 23 Tobias Heinlein (RETIRED) gentoo-dev 2010-05-31 11:13:21 UTC
GLSA request filed.
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 15:37:21 UTC
This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 15:37:22 UTC
This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).