Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 494816 (CVE-2013-6449) - <dev-libs/openssl-{1.0.0m,1.0.1g}: crash when using TLS 1.2 (CVE-2013-{6449,6450})
Summary: <dev-libs/openssl-{1.0.0m,1.0.1g}: crash when using TLS 1.2 (CVE-2013-{6449,6...
Status: RESOLVED FIXED
Alias: CVE-2013-6449
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://rt.openssl.org/Ticket/Display....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-20 10:29 UTC by Agostino Sarubbo
Modified: 2014-12-26 01:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-12-20 10:29:06 UTC
From ${URL} :

A flaw was reported for OpenSSL 1.0.1e, that can cause application using OpenSSL to crash when using TLS 
version 1.2.  Issue was reported via the following OpenSSL upstream ticket:

http://rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest

and also as bug for Apache Traffic Server:

https://issues.apache.org/jira/browse/TS-2355

Fix is now committed in upstream git:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ca98926

Related to the above ticket, upstream also added this fix to improve error checks in OpenSSL:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0294b2b


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 01:49:22 UTC
CVE-2013-6449 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6449):
  The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2
  obtains a certain version number from an incorrect data structure, which
  allows remote attackers to cause a denial of service (daemon crash) via
  crafted traffic from a TLS 1.2 client.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2013-12-28 06:33:28 UTC
Please advise when ready for stabilization.
Comment 4 Agostino Sarubbo gentoo-dev 2014-01-04 21:19:59 UTC
from https://bugzilla.redhat.com/show_bug.cgi?id=1047840 :

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6450 to the following vulnerability:

The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.

Upstream commit:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3462896
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-01-05 02:58:02 UTC
CVE-2013-6450 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6450):
  The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x
  through 1.0.1e does not properly maintain data structures for digest and
  encryption contexts, which might allow man-in-the-middle attackers to
  trigger the use of a different context by interfering with packet delivery,
  related to ssl/d1_both.c and ssl/t1_enc.c.
Comment 6 Kristian Fiskerstrand gentoo-dev Security 2014-09-04 10:52:13 UTC
From https://www.openssl.org/news/vulnerabilities.html#2013-6449:

CVE-2013-6449: 14th December 2013

    A flaw in OpenSSL can cause an application using OpenSSL to crash when using TLS version 1.2. This issue only affected OpenSSL 1.0.1 versions. Reported by Ron Barber. 

    Fixed in OpenSSL 1.0.1f (git commit) (Affected 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1) 

CVE-2013-6450: 13th December 2013

    A flaw in DTLS handling can cause an application using OpenSSL and DTLS to crash. This is not a vulnerability for OpenSSL prior to 1.0.0. Reported by Dmitry Sobinov. 

    Fixed in OpenSSL 1.0.1f (git commit) (Affected 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1) 
    Fixed in OpenSSL 1.0.0l (Affected 1.0.0k, 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)
##
Vulnerable versions have already been been stabilized and cleaned up, GLSA request created.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-12-26 01:13:57 UTC
This issue was resolved and addressed in
 GLSA 201412-39 at http://security.gentoo.org/glsa/glsa-201412-39.xml
by GLSA coordinator Sean Amoss (ackle).