Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 599358 (CVE-2016-7053, CVE-2016-7054) - dev-libs/openssl: Multiple vulnerabilities
Summary: dev-libs/openssl: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-7053, CVE-2016-7054
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://mta.openssl.org/pipermail/ope...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-10 07:43 UTC by Jeroen Roovers (RETIRED)
Modified: 2016-11-10 16:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2016-11-10 07:43:03 UTC
Forthcoming OpenSSL release
===========================

The OpenSSL project team would like to announce the forthcoming release of
OpenSSL version 1.1.0c

This release will be made available on 10th November 2016 between 1200-1600
UTC and will fix several security defects.  The highest security defect
being fixed is classified as severity "High", and does not affect OpenSSL
versions prior to 1.1.0.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-11-10 15:02:17 UTC
Only affects OpenSSL 1.1.0 that is not in stable and is masked with message
373 # Lars Wendler <polynomial-c@gentoo.org> (26 Aug 2016)
374 # Masked while being tested and reverse deps aren't fully compatible
375 =dev-libs/openssl-1.1*

Security as such is not tracking it and bug can be closed by maintainer once fixed


From advisory:
OpenSSL Security Advisory [10 Nov 2016]
========================================

ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
======================================================

Severity: High

TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS
attack by corrupting larger payloads. This can result in an OpenSSL crash. This
issue is not considered to be exploitable beyond a DoS.

OpenSSL 1.1.0 users should upgrade to 1.1.0c

This issue does not affect OpenSSL versions prior to 1.1.0

This issue was reported to OpenSSL on 25th September 2016 by Robert
Święcki (Google Security Team), and was found using honggfuzz. The fix
was developed by Richard Levitte of the OpenSSL development team.

CMS Null dereference (CVE-2016-7053)
====================================

Severity: Moderate

Applications parsing invalid CMS structures can crash with a NULL pointer
dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type
in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure
callback if an attempt is made to free certain invalid encodings. Only CHOICE
structures using a callback which do not handle NULL value are affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0c

This issue does not affect OpenSSL versions prior to 1.1.0

This issue was reported to OpenSSL on 12th October 2016 by Tyler Nighswander of
ForAllSecure. The fix was developed by Stephen Henson of the OpenSSL
development team.

Montgomery multiplication may produce incorrect results (CVE-2016-7055)
=======================================================================

Severity: Low

There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure that handles input lengths divisible by, but
longer than 256 bits. Analysis suggests that attacks against RSA, DSA
and DH private keys are impossible. This is because the subroutine in
question is not used in operations with the private key itself and an input
of the attacker's direct choice. Otherwise the bug can manifest itself as
transient authentication and key negotiation failures or reproducible
erroneous outcome of public-key operations with specially crafted input.
Among EC algorithms only Brainpool P-512 curves are affected and one
presumably can attack ECDH key negotiation. Impact was not analyzed in
detail, because pre-requisites for attack are considered unlikely. Namely
multiple clients have to choose the curve in question and the server has to
share the private key among them, neither of which is default behaviour.
Even then only clients that chose the curve will be affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0c

This issue does not affect OpenSSL versions prior to 1.0.2. Due to the low
severity of this defect we are not issuing a new 1.0.2 release at this time.
We recommend that 1.0.2 users wait for the next 1.0.2 release for the fix to
become available. The fix is also available in the OpenSSL git repository in
commit 57c4b9f6a2.

This issue was publicly reported as transient failures and was not
initially recognized as a security issue. Thanks to Richard Morgan for
providing reproducible case. The fix was developed by Andy Polyakov of
the OpenSSL development team.

Note
====

As per our previous announcements and our Release Strategy
(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL
version 1.0.1 will cease on 31st December 2016. No security updates for that
version will be provided after that date. Users of 1.0.1 are advised to
upgrade.

Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those
versions are no longer receiving security updates.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20161110.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-11-10 15:42:02 UTC
commit 36cc74ed2bb0a39bf145fee0fdec4efc9094fe31
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Thu Nov 10 16:40:07 2016

    dev-libs/openssl: Security bump to version 1.1.0c (bug #599358).

    Package-Manager: portage-2.3.2