Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 263751 (CVE-2009-0590) - <dev-libs/openssl-0.9.8k: Denial of Service (CVE-2009-0590)
Summary: <dev-libs/openssl-0.9.8k: Denial of Service (CVE-2009-0590)
Status: RESOLVED FIXED
Alias: CVE-2009-0590
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.openssl.org/news/secadv_20...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-25 16:54 UTC by Alex Legler (RETIRED)
Modified: 2009-04-07 10:10 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-25 16:54:01 UTC
Quoting Secunia: (upstream advisory is more verbose)

1) An error exists in the "ASN1_STRING_print_ex()" function when printing "BMPString" or "UniversalString" strings. This can be exploited to trigger an access to invalid memory and cause a crash via an illegal encoded string length when e.g. printing the contents of a certificate.

2) The "CMS_verify()" function incorrectly handles an error condition when processing malformed signed attributes. This can be exploited to trick an application into considering a malformed set of signed attributes valid and skip further checks.

NOTE: This vulnerability only affects OpenSSL versions 0.9.8h and later with CMS enabled (disabled by default).
Successful exploitation requires access to a previously generated invalid signature.

3) An error when processing malformed ASN1 structures can be exploited to trigger an access to invalid memory and cause a crash via a specially crafted certificate.

NOTE: This vulnerability is only present on platforms where the size of "long" is smaller than the size of "void *" (e.g. WIN64).
Comment 1 SpanKY gentoo-dev 2009-03-25 23:34:16 UTC
0.9.8k now in the tree
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-25 23:42:45 UTC
Arches, please test and mark stable:
=dev-libs/openssl-0.9.8k
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Richard Freeman gentoo-dev 2009-03-26 00:22:45 UTC
amd64 stable

note: repoman errors on all versions of this package:
   dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 129)
   dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 130)
   dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 134)
   dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 138)
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2009-03-26 13:33:17 UTC
(In reply to comment #3)
> amd64 stable
> 
> note: repoman errors on all versions of this package:
>    dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug
> (ebuild calls emake -j1 on line: 129)
>    dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug
> (ebuild calls emake -j1 on line: 130)
>    dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug
> (ebuild calls emake -j1 on line: 134)
>    dev-libs/openssl/openssl-0.9.8k.ebuild: Upstream parallel compilation bug
> (ebuild calls emake -j1 on line: 138)
> 

I'll bite.  Does that translate into:  "Forcing 'emake -j1' because Upstream says parallel compilation fails" which is how I read it?
Comment 5 Ferris McCormick (RETIRED) gentoo-dev 2009-03-26 13:49:44 UTC
Sparc stable.  All tests run as they should.
Comment 6 Brent Baude (RETIRED) gentoo-dev 2009-03-26 15:31:46 UTC
ppc and ppc64 done
Comment 7 Jeroen Roovers gentoo-dev 2009-03-26 17:10:56 UTC
Stable for HPPA.
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-03-28 10:25:58 UTC
CVE-2009-0590 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0590):
  The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows
  remote attackers to cause a denial of service (invalid memory access
  and application crash) via vectors that trigger printing of a (1)
  BMPString or (2) UniversalString with an invalid encoded length.

CVE-2009-0591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0591):
  The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is
  enabled, does not properly handle errors associated with malformed
  signed attributes, which allows remote attackers to repudiate a
  signature that originally appeared to be valid but was actually
  invalid.

CVE-2009-0789 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0789):
  OpenSSL before 0.9.8k on WIN64 and certain other platforms does not
  properly handle a malformed ASN.1 structure, which allows remote
  attackers to cause a denial of service (invalid memory access and
  application crash) by placing this structure in the public key of a
  certificate, as demonstrated by an RSA public key.

Comment 9 Markus Meier gentoo-dev 2009-03-29 21:26:42 UTC
x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-04-02 14:46:17 UTC
alpha/arm/ia64/m68k/s390/sh stable
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-04-04 13:20:41 UTC
CVE-2009-0789 does not affect Gentoo.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-04-04 13:32:41 UTC
CVE-2009-0591 does also not affect us, as we give the user no way to enable CMS.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-04-07 10:10:19 UTC
GLSA 200904-08