Bug 412643 (CVE-2012-2110) - <dev-libs/openssl-{1.0.1a, 1.0.0i, 0.9.8w}: ASN1 BIO vulnerability (CVE-2012-{2110,2131})
Summary: <dev-libs/openssl-{1.0.1a, 1.0.0i, 0.9.8w}: ASN1 BIO vulnerability (CVE-2012-...
Status: RESOLVED FIXED
Alias: CVE-2012-2110
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: http://openssl.org/news/secadv_201204...
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-04-19 14:21 UTC by Hanno Boeck
Modified: 2013-12-03 04:27 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Hanno Boeck gentoo-dev 2012-04-19 14:21:21 UTC
The ASN1 parsing code of openssl is affected by a security vulnerability.

Reading from the advisory, it should mostly affect CMS and not SSL/TLS.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-04-19 16:06:57 UTC
Thanks, guys.

Arches, please test and mark stable:
=dev-libs/openssl-1.0.0i
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

=dev-libs/openssl-0.9.8v
Target keywords : "amd64 x86"
Comment 3 Jeroen Roovers gentoo-dev 2012-04-19 17:22:06 UTC
Stable for HPPA.
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-04-19 19:22:36 UTC
x86 stable
Comment 5 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-04-19 19:41:33 UTC
amd64 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2012-04-21 17:05:40 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 7 Hanno Boeck gentoo-dev 2012-04-24 09:46:47 UTC
openssl says the fix for 0.9.8 is incomplete and they've released 0.9.8w to fix it (CVE-2012-2131). 1.0.0 and 1.0.1 unaffected.
http://openssl.org/news/secadv_20120424.txt
Comment 8 SpanKY gentoo-dev 2012-04-24 14:54:44 UTC
Commit message: Version bump
http://sources.gentoo.org/dev-libs/openssl/openssl-0.9.8w.ebuild?rev=1.1
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-04-28 02:37:40 UTC
CVE-2012-2110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2110):
  The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before
  0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly
  interpret integer data, which allows remote attackers to conduct buffer
  overflow attacks, and cause a denial of service (memory corruption) or
  possibly have unspecified other impact, via crafted DER data, as
  demonstrated by an X.509 certificate or an RSA public key.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-04-28 02:50:12 UTC
CVE-2012-2131 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2131):
  Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL
  0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause
  a denial of service (memory corruption) or possibly have unspecified other
  impact, via crafted DER data, as demonstrated by an X.509 certificate or an
  RSA public key.  NOTE: this vulnerability exists because of an incomplete
  fix for CVE-2012-2110.
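Both NVD entries above describe the same defect class: a length taken from crafted DER was trusted when sizing or growing a buffer. The following is an added defensive illustration, not code from OpenSSL or from the Gentoo ebuild; the function names and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Decode one DER length field from buf[0..len). Stores the content length in *out and
 * returns the number of length bytes consumed, or 0 if truncated, indefinite or non-minimal. */
size_t der_read_length(const unsigned char *buf, size_t len, size_t *out)
{
    if (len == 0)
        return 0;
    if (buf[0] < 0x80) {                 /* short form: the byte is the length */
        *out = buf[0];
        return 1;
    }
    size_t nbytes = buf[0] & 0x7f;
    if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes > len - 1)
        return 0;                        /* indefinite form, too wide, or truncated */
    size_t v = 0;
    for (size_t i = 0; i < nbytes; i++)
        v = (v << 8) | buf[1 + i];
    if (v < 0x80 || (nbytes > 1 && buf[1] == 0))
        return 0;                        /* not minimally encoded: BER, not DER */
    *out = v;
    return 1 + nbytes;
}

/* Return 1 only if the TLV at buf has a well-formed length AND the declared content fits
 * inside the len bytes actually held; the subtraction cannot wrap because 1 + hdr <= len. */
int der_tlv_fits(const unsigned char *buf, size_t len, size_t *content_len)
{
    size_t hdr;
    if (len < 2 || (hdr = der_read_length(buf + 1, len - 1, content_len)) == 0)
        return 0;
    return *content_len <= len - (1 + hdr);
}

/* Constructed samples (not real certificates or keys): how many does the check accept? */
int accepted_samples(void)
{
    static const unsigned char good[]   = {0x30, 0x03, 0x02, 0x01, 0x05};       /* fits */
    static const unsigned char hungry[] = {0x30, 0x82, 0x01, 0x00, 0x02};       /* claims 256 */
    static const unsigned char huge[]   = {0x30, 0x84, 0xff, 0xff, 0xff, 0xff}; /* claims 4 GiB */
    static const unsigned char indef[]  = {0x30, 0x80, 0x00, 0x00};             /* indefinite */
    static const unsigned char nonmin[] = {0x30, 0x81, 0x05, 0x02, 0x01, 0x05}; /* non-minimal */
    size_t n;
    return der_tlv_fits(good, sizeof good, &n) + der_tlv_fits(hungry, sizeof hungry, &n)
         + der_tlv_fits(huge, sizeof huge, &n) + der_tlv_fits(indef, sizeof indef, &n)
         + der_tlv_fits(nonmin, sizeof nonmin, &n);
}

int main(void) { printf("samples accepted: %d (expect 1)\n", accepted_samples()); return 0; }
```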
Comment 11 Sean Amoss gentoo-dev Security 2012-04-28 02:52:50 UTC
Sorry for the bugspam here. Let's handle CVE-2012-2131 here as well.

Arches, please test and mark stable:
=dev-libs/openssl-0.9.8w
Target keywords : "amd64 x86"
Comment 12 Agostino Sarubbo gentoo-dev 2012-04-28 12:18:48 UTC
amd64 stable
Comment 13 nixnut (RETIRED) gentoo-dev 2012-04-28 18:12:37 UTC
ppc stable
Comment 14 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-04-29 00:36:00 UTC
x86 stable
Comment 15 Brent Baude (RETIRED) gentoo-dev 2012-05-10 19:37:51 UTC
ppc64 done
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2012-05-10 22:04:27 UTC
Thanks, everyone. Already in GLSA request.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:27:44 UTC
This issue was resolved and addressed in
 GLSA 201312-03 at http://security.gentoo.org/glsa/glsa-201312-03.xml
by GLSA coordinator Chris Reffett (creffett).