Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 322575 - <dev-libs/openssl-0.9.8o: CMS structures containing OriginatorInfo mishandled (CVE-2010-{0742,1633})
Summary: <dev-libs/openssl-0.9.8o: CMS structures containing OriginatorInfo mishandled...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.openssl.org/news/secadv_20...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-06-03 11:20 UTC by Tobias Heinlein (RETIRED)
Modified: 2011-10-09 15:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2010-06-03 11:20:39 UTC
See $URL.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-03 11:21:53 UTC
Rating as B as CMS is disabled by default.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-03 11:22:39 UTC
Arches, please test and mark stable:
=dev-libs/openssl-0.9.8o
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-06-03 14:31:17 UTC
x86 stable
Comment 4 Jeroen Roovers gentoo-dev 2010-06-03 18:05:34 UTC
Stable for HPPA.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-04 13:06:53 UTC
CC'ing maintainer..
Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-06-05 18:13:12 UTC
CVE-2010-0742 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0742):
  The Cryptographic Message Syntax (CMS) implementation in
  crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a
  does not properly handle structures that contain OriginatorInfo,
  which allows context-dependent attackers to modify invalid memory
  locations or conduct double-free attacks, and possibly execute
  arbitrary code, via unspecified vectors.

CVE-2010-1633 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1633):
  RSA verification recovery in the EVP_PKEY_verify_recover function in
  OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other
  applications, returns uninitialized memory upon failure, which might
  allow context-dependent attackers to bypass intended key requirements
  or obtain sensitive information via unspecified vectors.  NOTE: some
  of these details are obtained from third party information.

Comment 7 Joe Jezak (RETIRED) gentoo-dev 2010-06-07 05:04:45 UTC
Marked ppc/ppc64 stable.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-07 21:53:21 UTC
CVE-2010-0742: CMS bisabled by default
CVE-2010-1633: only present in 1.x (we only have it masked)

-> Rerating C
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-08 15:09:12 UTC
(In reply to comment #8)
> CVE-2010-0742: CMS bisabled by default
> CVE-2010-1633: only present in 1.x (we only have it masked)
> 
> -> Rerating C
> 

That's why I rated it as B, otherwise it would have been A.
Comment 10 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-06-08 20:36:05 UTC
base-system: It appears that our 0.x ebuilds do not allow to build with CMS. Please confirm this.
Comment 11 SpanKY gentoo-dev 2010-06-08 20:49:42 UTC
sounds about right.  ive never added a USE flag for it, so our default should match the upstream default.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2010-06-20 18:00:41 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 13 Markus Meier gentoo-dev 2010-06-21 20:44:03 UTC
amd64 stable, all arches done.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2010-09-07 19:03:07 UTC
GLSA with bug 303739 and bug 308011.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 15:37:28 UTC
This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 15:37:28 UTC
This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).