A vulnerability has been reported in OpenSSL, which can be exploited by malicious people to cause a DoS (Denial of Service) of the application using the library. The vulnerability is caused due to a NULL-pointer dereference error in the "mime_hdr_cmp()" function (crypto/asn1/asn_mime.c) when parsing certain MIME headers and can be exploited to cause a crash. The vulnerability is reported in versions 0.9.7i, 0.9.8t, and 1.0.0g. Other versions may also be affected. Solution Fixed in the CVS repository. Provided and/or discovered by Reported by Mats Nilsson to the openssl-dev mailing list. Original Advisory Mats Nilsson: http://marc.info/?l=openssl-dev&m=115685408414194&w=2 OpenSSL: http://cvs.openssl.org/chngview?cn=22144
Sorry guys, this is not my fault. > Ok did some more research and here's what we got: > > First mention of this bug is in 2006: > > http://marc.info/?l=openssl-dev&m=115685408414194&w=2 > > So please use CVE-2006-7248 for this issue. Due to the Novell/kadu miss-paste this CVE needs to be re-issued. Please use CVE-2006-7250 for this OpenSSL issue.
CVE-2006-7250 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7250): The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message.
openssl 1.0.0h and 0.9.8u now in the tree which should fix this
Looks like this is relevant too: OpenSSL Security Advisory [12 Mar 2012] ======================================= CMS and S/MIME Bleichenbacher attack (CVE-2012-0884) ==================================================== A weakness in the OpenSSL CMS and PKCS #7 code can be exploited using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the million message attack (MMA). Only users of CMS, PKCS #7, or S/MIME decryption operations are affected. A successful attack needs on average 2^20 messages. In practice only automated systems will be affected as humans will not be willing to process this many messages. SSL/TLS applications are *NOT* affected by this problem since the SSL/TLS code does not use the PKCS#7 or CMS decryption code. Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this weakness. The fix was developed by Stephen Henson of the OpenSSL core team. Affected users should upgrade to OpenSSL 1.0.0h or 0.9.8u. References ========== RFC3218 URL for this Security Advisory: http://www.openssl.org/news/secadv_20120312.txt
Arches, please test and mark stable: =dev-libs/openssl-1.0.0h Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" =dev-libs/openssl-0.9.8u Target keywords : "amd64 x86"
Stable for HPPA.
ppc and ppc64 done
amd64 stable
x86 stable
alpha/arm/ia64/m68k/s390/sh/sparc/x86 stable
Thanks, everyone. Added to existing GLSA request.
CVE-2012-1165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1165): The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250. CVE-2012-0884 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0884): The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
This issue was resolved and addressed in GLSA 201312-03 at http://security.gentoo.org/glsa/glsa-201312-03.xml by GLSA coordinator Chris Reffett (creffett).