Bug 537108 (CVE-2015-1182) - net-libs/polarssl: Remote attack using crafted certificates (CVE-2015-1182)
Summary: net-libs/polarssl: Remote attack using crafted certificates (CVE-2015-1182)
Status: RESOLVED FIXED
Alias: CVE-2015-1182
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Deadline: 2018-01-14
Assignee: Gentoo Security
URL: https://polarssl.org/tech-updates/sec...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks: 618354
Reported: 2015-01-20 08:40 UTC by Robert Sebastian Gerus
Modified: 2018-01-15 04:28 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Sebastian Gerus 2015-01-20 08:40:22 UTC
PolarSSL versions 1.0 and up are vulnerable to a DoS and possibly remote code execution attacks.
A single-line fix corrects the issue.
Upstream didn't release a new version.

Reproducible: Always
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2015-01-28 11:20:07 UTC
From ${URL}:
PolarSSL versions starting with 1.0 and up to the PolarSSL 1.3.9 and PolarSSL 1.2.12 are affected by a remote attack in some configurations.
...

Not affected: Servers not asking for client certificates
Impact: Denial of service and possible remote code execution

--

A potential patch is included in ${URL}
Comment 2 Julian Ospald 2015-02-08 15:45:40 UTC
can't believe this is still unfixed in the tree

for everyone who cares:
https://github.com/hasufell/prism-overlay/commit/f9a311ab618345e47bc5789f1573e85600c27d60
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2015-02-09 23:22:40 UTC
This is fixed in [0]; polarssl was rebranded, cf. [1]

References:
[0] https://polarssl.org/tech-updates/releases/mbedtls-1.3.10-released
[1] http://community.arm.com/groups/internet-of-things/blog/2015/02/09/polarssl-is-dead-long-live-mbed-tls
Comment 4 Julian Ospald 2015-02-10 03:05:56 UTC
mbedtls has a different library name, but will cause file conflicts with polarssl (for includes)

as such it will break "polarssl" support everywhere

I fixed curl to build against mbedtls, but it broke https support completely, although it _seems_ to be API compatible.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 18:11:54 UTC
CVE-2015-1182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1182):
  The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0
  through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a
  pointer in the asn1_sequence linked list, which allows remote attackers to
  cause a denial of service (crash) or possibly execute arbitrary code via a
  crafted ASN.1 sequence in a certificate.
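
The flaw class in the CVE text above, as an added example (not PolarSSL's code and not part of the original bug report): a simplified sequence-of parser that links a freshly allocated list node before initializing it, beside the hardened form that zeroes the node on allocation. The `node` type, `dirty_alloc`, `parse_seq_of`, `tail_terminated`, the early-return error path and the sample bytes are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical node, modelled on the asn1_sequence list named in the CVE text. */
typedef struct node {
    const unsigned char *val; size_t len;
    struct node *next;              /* must be NULL at the tail */
} node;
/* Stand-in for a heap that hands back recycled, non-zero memory. */
static void *dirty_alloc(size_t n) {
    void *m = malloc(n);
    return m ? memset(m, 0xA5, n) : NULL;
}

/* Parse {tag, 1-byte length, value} elements into a list at head. harden=0 links
 * a new node uninitialized, harden=1 zeroes it. Returns 0 or -1; *linked = nodes. */
static int parse_seq_of(const unsigned char *p, size_t n, unsigned char tag,
                        node *head, int harden, size_t *linked) {
    const unsigned char *end = p + n;
    node *cur = head;
    *linked = 1;
    while (p < end) {
        if (end - p < 2 || p[0] != tag || (size_t)(end - p - 2) < (size_t)p[1])
            return -1;              /* early exit: cur->next never written */
        cur->val = p + 2; cur->len = p[1];
        p += 2 + cur->len;
        if (p < end) {
            if ((cur->next = dirty_alloc(sizeof *cur)) == NULL) return -1;
            if (harden) memset(cur->next, 0, sizeof *cur);
            cur = cur->next; (*linked)++;
        }
    }
    cur->next = NULL;               /* reached only on the success path */
    return 0;
}
/* 1 if the last linked node has next == NULL, so a cleanup walk stops there. */
static int tail_terminated(const node *head, size_t linked) {
    while (--linked) head = head->next;
    return head->next == NULL;
}
/* Constructed input: a valid INTEGER, then one whose length overruns the buffer. */
static const unsigned char bad_seq[] = { 0x02, 0x01, 0x05, 0x02, 0x7F, 0x00 };
int main(void) {
    node a, b; size_t na, nb;
    parse_seq_of(bad_seq, sizeof bad_seq, 0x02, &a, 0, &na);
    parse_seq_of(bad_seq, sizeof bad_seq, 0x02, &b, 1, &nb);
    printf("flawed: %d, hardened: %d\n", tail_terminated(&a, na), tail_terminated(&b, nb));
    return 0;
}
```

On the malformed input the unhardened run returns with the tail's `next` still holding stale heap bytes, so a cleanup routine that walks the list until NULL would follow a stale pointer; the hardened run leaves a properly terminated list.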
Comment 6 Julian Ospald 2015-08-14 23:50:12 UTC
mbedtls is in the tree btw, it is a completely new library (in terms of file names) now https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=76bfad464c6c12a293099a923b31641e19fc3fb2
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2015-11-03 17:11:53 UTC
Maintainer(s), please advise when you are ready for stabilization or call for stabilization yourself.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2016-02-14 18:44:17 UTC
Any news on this since it is a new year?
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2016-04-23 04:42:22 UTC
There is version 1.3.9-r1 that is currently in tree but not stable. Does it contain the fix for this?
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2016-06-05 23:29:10 UTC
Thomas,

Can you please take a look and provide an answer for this security bug?
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2016-08-10 16:19:34 UTC
This has been around for a while. Do we want to deprecate Polarssl and migrate over to mbedtls?

We need to either fix this package (B2 vulnerability) or deprecate it and migrate the dependencies over.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2016-09-07 05:18:06 UTC
Tommy:
Please advise on this package. We will have to start the process to remove from tree.
Comment 13 Thomas Sachau gentoo-dev 2016-09-26 07:32:58 UTC
I will test the remaining packages depending on polarssl against mbedtls. Based on the results we might either do a package move or have to switch each package separately after updating it to support mbedtls.

This means polarssl will either be (pkg)moved out of the tree or treecleaned after depending packages have been updated.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev Security 2016-11-06 05:19:59 UTC
(In reply to Thomas Sachau from comment #13)
> This means polarssl will either be (pkg)moved out of the tree or treecleaned
> after depending packages have been updated.

Thank you for the reply ... setting to glsa? / cleanup.
Please let us know which you are going to choose so we can release the appropriate GLSA.
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-24 10:23:35 UTC
(In reply to Thomas Sachau from comment #13)
> I will test the remaining packages depending on polarssl against mbedtls.
> Based on the results we might either do a package move or have to switch
> each package separately after updating it to support mbedtls.
> 
> This means polarssl will either be (pkg)moved out of the tree or treecleaned
> after depending packages have been updated.

Packages still depend on polarssl:

media-sound/umurmur-0.2.16a (polarssl ? >=net-libs/polarssl-1.0.0)
media-sound/umurmur-0.2.16a-r1 (polarssl ? >=net-libs/polarssl-1.0.0)
media-video/rtmpdump-2.4_p20131018 (!gnutls ? >=net-libs/polarssl-1.3.4[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?])
media-video/rtmpdump-2.4_p20161210 (!gnutls ? >=net-libs/polarssl-1.3.4[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?])
media-video/rtmpdump-9999 (!gnutls ? >=net-libs/polarssl-1.3.4[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?])
net-misc/curl-7.50.3 (curl_ssl_polarssl ? net-libs/polarssl:0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?])
net-misc/curl-7.51.0 (curl_ssl_polarssl ? net-libs/polarssl:0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?])
net-misc/curl-7.52.1-r1 (curl_ssl_polarssl ? net-libs/polarssl:0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?])
net-misc/openvpn-2.3.12 (polarssl ? >=net-libs/polarssl-1.3.8)
net-misc/openvpn-2.3.14 (polarssl ? >=net-libs/polarssl-1.3.8)
sys-fs/dislocker-0.5.2 (net-libs/polarssl)
sys-fs/dislocker-0.6.1 (net-libs/polarssl)
sys-fs/dislocker-9999 (net-libs/polarssl)
www-servers/hiawatha-9.8 (>=net-libs/polarssl-1.3[threads])

Is there a plan to remove polarssl in favor of net-libs/mbedtls?
Comment 16 Thomas Sachau gentoo-dev 2017-05-13 13:52:27 UTC
I have checked the remaining packages depending on polarssl and have opened bugs for each of them. Bug 618354 is the tracker bug for them.
Comment 17 D'juan McDonald (domhnall) 2017-10-19 11:17:03 UTC
(In reply to Yury German from comment #14)
> Thank you for the reply ... setting to glsa? / cleanup.
> Please let us know which you are going to choose so we can release the
> appropriate GLSA.


Whiteboard changed.
Comment 18 Thomas Deutschmann gentoo-dev Security 2017-11-04 20:42:04 UTC
Tracker bug seems to be ready. CI run for removal test: https://github.com/gentoo/gentoo/pull/6124
Comment 19 Thomas Deutschmann gentoo-dev Security 2017-12-14 19:08:14 UTC
PMASKED for removal via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abf9e2ef8f4367976f00e2dfe13861ab30d427ab
Comment 20 Larry the Git Cow gentoo-dev 2018-01-15 04:15:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b01ba5b1c17186f40b54490d8f901211167da49a

commit b01ba5b1c17186f40b54490d8f901211167da49a
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-15 04:13:05 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-15 04:13:05 +0000

    net-libs/polarssl: Removal
    
    Closes: https://github.com/gentoo/gentoo/pull/6124
    Closes: https://bugs.gentoo.org/503782
    Bug: https://bugs.gentoo.org/537108
    Bug: https://bugs.gentoo.org/618354
    Bug: https://bugs.gentoo.org/503604

 net-libs/polarssl/Manifest                         |  1 -
 .../files/polarssl-1.3.9-respect-cflags.patch      | 15 ----
 net-libs/polarssl/metadata.xml                     | 18 ----
 net-libs/polarssl/polarssl-1.3.9-r1.ebuild         | 95 ----------------------
 net-libs/polarssl/polarssl-1.3.9.ebuild            | 92 ---------------------
 profiles/default/linux/package.use.mask            |  4 -
 profiles/package.mask                              |  6 --
 7 files changed, 231 deletions(-)
Comment 21 Thomas Deutschmann gentoo-dev Security 2018-01-15 04:19:12 UTC
Package was removed. Waiting for final GLSA.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2018-01-15 04:28:27 UTC
This issue was resolved and addressed in
 GLSA 201801-15 at https://security.gentoo.org/glsa/201801-15
by GLSA coordinator Thomas Deutschmann (whissi).