Bug 332027 (CVE-2010-2939) - <dev-libs/openssl-1.0.0a-r3: double free error (CVE-2010-2939)
Summary: <dev-libs/openssl-1.0.0a-r3: double free error (CVE-2010-2939)
Status: RESOLVED FIXED
Alias: CVE-2010-2939
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://marc.info/?t=128118169100001&r...
Whiteboard: A2 [glsa]
Keywords:
Depends on: 330437
Reported: 2010-08-10 12:10 UTC by Hanno Böck
Modified: 2011-10-09 15:37 UTC

Description Hanno Böck gentoo-dev 2010-08-10 12:10:57 UTC
There's a double free error in openssl 1.0.0a; it seems it does not affect 0.9.*. See:
http://marc.info/?t=128118169100001&r=1&w=2

Patch is at
http://marc.info/?l=openssl-dev&m=128128256314328&w=2

No upstream update yet.
Comment 1 Samuli Suominen gentoo-dev 2010-08-10 21:05:10 UTC
+*openssl-1.0.0a-r1 (10 Aug 2010)
+
+  10 Aug 2010; Samuli Suominen <ssuominen@gentoo.org>
+  +openssl-1.0.0a-r1.ebuild, +files/openssl-1.0.0a-fix-double-free.patch,
+  +files/openssl-1.0.0a-ldflags.patch:
+  Use environment LDFLAGS wrt #327421 by Olivier Huber. Fix double free wrt
+  #332027 by Hanno Boeck.
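
Review bot: the ChangeLog entry records two unrelated changes under one revision bump, the LDFLAGS handling for #327421 and the double-free fix for #332027, and nothing in it marks the second as a security fix. Consider stating that explicitly (for example "Security: fix double free wrt #332027") so that anyone scanning the ChangeLog for revisions to stabilize or backport can pick it out.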

Since it's only ~arch, close as FIXED?
Comment 2 SpanKY gentoo-dev 2010-08-10 21:07:07 UTC
Yes, security does not track ~arch.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-10 21:16:30 UTC
Just fixing the whiteboard…
Comment 4 Hanno Böck gentoo-dev 2010-08-12 17:03:17 UTC
According to a post on oss-security, this is also an issue in 0.9.8:
http://article.gmane.org/gmane.comp.security.oss.general/3298
Comment 5 SpanKY gentoo-dev 2010-08-14 05:53:56 UTC
I've added the patch to openssl-0.9.8o-r2, so that, I imagine, should see some testing and a stable push (if someone wants to update the whiteboard).
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-03 22:31:05 UTC
CVE-2010-2939 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2939):
  Double free vulnerability in the ssl3_get_key_exchange function in
  the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7,
  and possibly other versions, when using ECDH, allows
  context-dependent attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via a crafted private key with an
  invalid prime.  NOTE: some sources refer to this as a use-after-free
  issue.

Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2010-09-07 19:10:50 UTC
Sorry about the delay.

Arches, please test and mark stable:
=dev-libs/openssl-0.9.8o-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2010-09-08 10:37:11 UTC
How much work has been put into making sure that OpenSSL 1.0.0 works with the stable tree?  Samuli, I think you invested most time into this thingie.
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2010-09-08 10:51:58 UTC
(In reply to comment #8)
> How much work has been put into making sure that OpenSSL 1.0.0 works with the
> stable tree?  Samuli, I think you invested most time into this thingie.

 Forget about this comment.  But: This blocker is somehow fatal, as an unmerge of the old OpenSSL leads to wget not working anymore, which makes an update impossible.  Is there a known workaround?  I tried porting to EAPI 2 for the new blocker syntax, but that did not work out here.

USE="gmp kerberos sse2" gatt -w 332027 =dev-libs/openssl-0.9.8o-r2
+m+ resolving masked dependencies...
+m+ executing 'FEATURES="collision-protect test" /usr/bin/emerge -pq =dev-libs/openssl-0.9.8o-r2 --ignore-default-opts'...
+m+ waiting for "FEATURES="collision-protect test" /usr/bin/emerge -pq =dev-libs/openssl-0.9.8o-r2 --ignore-default-opts"...
[ebuild  NS   ] dev-libs/openssl-0.9.8o-r2 [0.9.8o]
[blocks B     ] =dev-libs/openssl-0.9.8*:0 ("=dev-libs/openssl-0.9.8*:0" is blocking dev-libs/openssl-0.9.8o-r2)

 * Error: The above package list contains packages which cannot be
 * installed at the same time on the same system.

  ('installed', '/', 'dev-libs/openssl-0.9.8o', 'nomerge') pulled in by
    >=dev-libs/openssl-0.9.7i:0 required by ('installed', '/', 'dev-db/virtuoso-server-6.1.1', 'nomerge')
    >=dev-libs/openssl-0.9.7i:0 required by ('installed', '/', 'dev-db/virtuoso-odbc-6.1.1', 'nomerge')

  ('ebuild', '/', 'dev-libs/openssl-0.9.8o-r2', 'merge') pulled in by
    dev-libs/openssl required by ('installed', '/', 'media-video/gpac-0.4.5-r1', 'nomerge')
    dev-libs/openssl required by ('installed', '/', 'net-fs/netatalk-2.0.5-r1', 'nomerge')
    dev-libs/openssl required by ('installed', '/', 'dev-lang/python-3.1.2-r4', 'nomerge')
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2010-09-08 11:35:59 UTC
encfs-1.7.2 fails to configure with 0.9.8o-r2 but it works with 0.9.8o. I wonder if there are more packages that fail with this version of openssl. 
Comment 11 Samuli Suominen gentoo-dev 2010-09-08 12:00:37 UTC
SLOT="0.9.8" of openssl-0.9.8* is not ready yet. SLOT="0" of openssl-1.0.0* is not ready yet.
I don't know why arches are in CC here; I don't see anything that's ready to be stabilized from this bug yet.
Bug 330437 tracks the future OpenSSL 1.0.0 stabilization; arches are not CCd in there yet, on purpose.
Comment 12 Samuli Suominen gentoo-dev 2010-10-04 19:32:00 UTC
The stabilization is now proceeding in bug 330437.
Comment 13 Samuli Suominen gentoo-dev 2010-10-07 12:00:51 UTC
Adding arches back so they know this is a security issue:

See bug 330437 for stabilization.
Comment 14 Jeroen Roovers gentoo-dev 2010-10-07 15:48:11 UTC
Stable for HPPA PPC.
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2010-10-10 18:37:26 UTC
arm/ia64/m68k/s390/sh/sparc stable
Comment 16 Christian Faulhammer (RETIRED) gentoo-dev 2010-10-11 07:08:08 UTC
x86 stable, last arch.  Updated whiteboard to GLSA request.
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-13 04:01:33 UTC
This will get a GLSA together with #303739 #308011 and #322575.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 15:37:34 UTC
This issue was resolved and addressed in
 201110-01 at http://security.gentoo.org/glsa/glsa-201110-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).