Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 358783 (CVE-2011-1923) - <net-libs/polarssl-0.14.2: Man-in-the-Middle vulnerability (CVE-2011-1923)
Summary: <net-libs/polarssl-0.14.2: Man-in-the-Middle vulnerability (CVE-2011-1923)
Status: RESOLVED FIXED
Alias: CVE-2011-1923
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://polarssl.org/trac/wiki/Securit...
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-14 03:49 UTC by Tim Sammut (RETIRED)
Modified: 2013-10-17 09:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Build log (polarssl-0.14.2:20110317-133602.log,9.96 KB, text/plain)
2011-03-17 13:43 UTC, Agostino Sarubbo
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-03-14 03:49:47 UTC
From $URL:

By posing as a man in the middle and modifying packets as the secure communication is set-up it is possible for an attacker to force the calculation of a fully predictable Diffie Hellman secret.

The cipher suites that may be affected (depending on other variables) are:

    * SSL_EDH_RSA_DES_168_SHA
    * SSL_EDH_RSA_AES_128_SHA
    * SSL_EDH_RSA_AES_256_SHA
    * SSL_EDH_RSA_CAMELLIA_128_SHA
    * SSL_EDH_RSA_CAMELLIA_256_SHA 

In case full authentication (client and server certificates) is used, no man in the middle attack seems possible.
Comment 1 Thomas Sachau gentoo-dev 2011-03-16 21:13:59 UTC
polarssl-0.14.2 just added to main tree
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-17 10:25:31 UTC
Thank you. Arches, please stabilize =net-libs/polarssl-0.14.2
Comment 3 Agostino Sarubbo gentoo-dev 2011-03-17 13:43:12 UTC
Created attachment 266255 [details]
Build log

problem with test, but it compile
amd64 ok
Comment 4 Thomas Kahle (RETIRED) gentoo-dev 2011-03-17 21:18:23 UTC
x86 stable. No issues with build or tests.
Comment 5 Jeroen Roovers gentoo-dev 2011-03-18 01:27:52 UTC
(In reply to comment #3)
> Created attachment 266255 [details]
> Build log
> 
> problem with test, but it compile

Install and run the test suite again.

Stable for HPPA.
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-03-20 18:46:15 UTC
ppc/ppc64 stable
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-03-21 11:42:18 UTC
amd64 done. Thanks Agostino
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-03-21 14:25:14 UTC
Thanks, folks. GLSA Vote: yes.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:30:36 UTC
Vote: YES. New GLSA request filed.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-09 17:18:15 UTC
Please punt vulnerable versions.
Comment 11 Thomas Sachau gentoo-dev 2011-10-09 18:13:10 UTC
(In reply to comment #10)
> Please punt vulnerable versions.

done
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-07-12 00:31:57 UTC
CVE-2011-1923 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1923):
  The Diffie-Hellman key-exchange implementation in dhm.c in PolarSSL before
  0.14.2 does not properly validate a public parameter, which makes it easier
  for man-in-the-middle attackers to obtain the shared secret key by modifying
  network traffic, a related issue to CVE-2011-5095.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-10-17 09:03:24 UTC
This issue was resolved and addressed in
 GLSA 201310-10 at http://security.gentoo.org/glsa/glsa-201310-10.xml
by GLSA coordinator Sergey Popov (pinkbyte).