Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 406199 (CVE-2006-7250) - <dev-libs/openssl-{0.9.8u,1.0.0h}: Multiple Vulnerabilities (CVE-2006-7250,CVE-2012-{0884,1165})
Summary: <dev-libs/openssl-{0.9.8u,1.0.0h}: Multiple Vulnerabilities (CVE-2006-7250,CV...
Status: RESOLVED FIXED
Alias: CVE-2006-7250
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/48153/
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-28 18:34 UTC by Michael Harrison
Modified: 2013-12-03 04:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Harrison 2012-02-28 18:34:46 UTC
A vulnerability has been reported in OpenSSL, which can be exploited by malicious people to cause a DoS (Denial of Service) of the application using the library.

The vulnerability is caused due to a NULL-pointer dereference error in the "mime_hdr_cmp()" function (crypto/asn1/asn_mime.c) when parsing certain MIME headers and can be exploited to cause a crash.

The vulnerability is reported in versions 0.9.7i, 0.9.8t, and 1.0.0g. Other versions may also be affected.

Solution
Fixed in the CVS repository.

Provided and/or discovered by
Reported by Mats Nilsson to the openssl-dev mailing list.

Original Advisory
Mats Nilsson:
http://marc.info/?l=openssl-dev&m=115685408414194&w=2

OpenSSL:
http://cvs.openssl.org/chngview?cn=22144
Comment 1 Michael Harrison 2012-02-28 23:22:32 UTC
Sorry guys, this is not my fault.

> Ok did some more research and here's what we got:
>
> First mention of this bug is in 2006:
>
> http://marc.info/?l=openssl-dev&m=115685408414194&w=2
>
> So please use CVE-2006-7248 for this issue.

Due to the Novell/kadu miss-paste this CVE needs to be re-issued. Please
use CVE-2006-7250 for this OpenSSL issue.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-02-29 21:10:03 UTC
CVE-2006-7250 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7250):
  The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and
  earlier allows remote attackers to cause a denial of service (NULL pointer
  dereference and application crash) via a crafted S/MIME message.
Comment 3 SpanKY gentoo-dev 2012-03-12 18:01:46 UTC
openssl 1.0.0h and 0.9.8u now in the tree which should fix this
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-03-12 21:28:30 UTC
Looks like this is relevant too:

OpenSSL Security Advisory [12 Mar 2012]
=======================================

CMS and S/MIME Bleichenbacher attack (CVE-2012-0884)
====================================================

A weakness in the OpenSSL CMS and PKCS #7 code can be exploited
using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
also known as the million message attack (MMA).

Only users of CMS, PKCS #7, or S/MIME decryption operations are affected. A
successful attack needs on average 2^20 messages. In practice only automated
systems will be affected as humans will not be willing to process this many
messages.

SSL/TLS applications are *NOT* affected by this problem since the 
SSL/TLS code does not use the PKCS#7 or CMS decryption code. 

Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
this weakness.

The fix was developed by Stephen Henson of the OpenSSL core team.

Affected users should upgrade to OpenSSL 1.0.0h or 0.9.8u.

References
==========

RFC3218

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120312.txt
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-03-12 21:29:59 UTC
Arches, please test and mark stable:
=dev-libs/openssl-1.0.0h
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

=dev-libs/openssl-0.9.8u
Target keywords : "amd64 x86"
Comment 6 Jeroen Roovers gentoo-dev 2012-03-13 11:26:58 UTC
Stable for HPPA.
Comment 7 Brent Baude (RETIRED) gentoo-dev 2012-03-13 13:23:42 UTC
ppc and ppc64 done
Comment 8 Agostino Sarubbo gentoo-dev 2012-03-13 14:23:31 UTC
amd64 stable
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-03-15 18:11:57 UTC
x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-03-17 17:39:38 UTC
alpha/arm/ia64/m68k/s390/sh/sparc/x86 stable
Comment 11 Sean Amoss gentoo-dev Security 2012-03-17 19:48:27 UTC
Thanks, everyone. 

Added to existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-03-22 18:41:23 UTC
CVE-2012-1165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1165):
  The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before
  0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of
  service (NULL pointer dereference and application crash) via a crafted
  S/MIME message, a different vulnerability than CVE-2006-7250.

CVE-2012-0884 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0884):
  The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
  OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
  certain oracle behavior, which makes it easier for context-dependent
  attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen
  ciphertext attack.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:27:42 UTC
This issue was resolved and addressed in
 GLSA 201312-03 at http://security.gentoo.org/glsa/glsa-201312-03.xml
by GLSA coordinator Chris Reffett (creffett).