PolarSSL versions 1.0 and up are vulnerable to a DoS and possibly remote code execution attacks. A single-line fix corrects the issue. Upstream didn't release a new version. Reproducible: Always
From ${URL}: "PolarSSL versions starting with 1.0 and up to the PolarSSL 1.3.9 and PolarSSL 1.2.12 are affected by a remote attack in some configurations. ... Not affected: Servers not asking for client certificates. Impact: Denial of service and possible remote code execution" -- A potential patch is included in ${URL}
can't believe this is still unfixed in the tree for everyone who cares: https://github.com/hasufell/prism-overlay/commit/f9a311ab618345e47bc5789f1573e85600c27d60
This is fixed in [0], polarssl was rebranded c.f. [1] References: [0] https://polarssl.org/tech-updates/releases/mbedtls-1.3.10-released [1] http://community.arm.com/groups/internet-of-things/blog/2015/02/09/polarssl-is-dead-long-live-mbed-tls
mbedtls has a different library name, but it will cause file conflicts with polarssl (for includes); as such it will break "polarssl" support everywhere. I fixed curl to build against mbedtls, but it broke https support completely, although it _seems_ to be API compatible.
CVE-2015-1182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1182): The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate.
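The CVE text above describes a linked-list node whose `next` pointer is left uninitialized, so that a later walk of the list (typically the cleanup after a parse error) dereferences indeterminate memory. The following is an added, constructed illustration of that defect class and its one-line remedy; it is not PolarSSL's code, the input format is a toy (one length byte per element, not DER), and the names `seq_node`, `parse_sequence`, `seq_free` and `seq_length` are assumptions made for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not PolarSSL's code: a "SEQUENCE OF" style list in
 * the shape the CVE description implies (caller supplies the first node,
 * further nodes are heap-allocated while elements are parsed). */
typedef struct seq_node {
    const unsigned char *p;   /* start of element payload */
    size_t len;               /* payload length */
    struct seq_node *next;    /* next element, NULL at end of list */
} seq_node;

#define ERR_MALFORMED (-1)
#define ERR_ALLOC     (-2)

/* Toy encoding (assumption, not DER): a run of elements, each a one-byte
 * length followed by that many payload bytes. Returns the element count or a
 * negative error. On error the partial list hanging off *first must still be
 * NULL-terminated so that the caller can release it safely. */
int parse_sequence(const unsigned char *buf, size_t buflen, seq_node *first)
{
    const unsigned char *p = buf, *end = buf + buflen;
    seq_node *cur = first;
    int count = 0;

    /* The caller's node is cleared as well, so first->next is never garbage. */
    memset(first, 0, sizeof(*first));

    while (p < end) {
        size_t len = *p++;
        if (len > (size_t)(end - p))
            return ERR_MALFORMED;   /* element claims more bytes than remain */

        cur->p = p;
        cur->len = len;
        p += len;
        count++;

        if (p < end) {
            /* Defect pattern: a bare malloc() leaves n->next indeterminate.
             * If the *following* element is malformed we return with n already
             * linked in, and seq_free() would follow whatever n->next holds.
             * The memset() below is the one-line fix: the tail is NULL. */
            seq_node *n = malloc(sizeof(*n));
            if (n == NULL)
                return ERR_ALLOC;
            memset(n, 0, sizeof(*n));
            cur->next = n;
            cur = n;
        }
    }
    return count;
}

/* Release heap nodes; the first node belongs to the caller and is not freed. */
void seq_free(seq_node *first)
{
    seq_node *cur = first->next;
    while (cur != NULL) {
        seq_node *nxt = cur->next;
        free(cur);
        cur = nxt;
    }
    first->next = NULL;
}

/* Number of nodes reachable from first by following next pointers. */
size_t seq_length(const seq_node *first)
{
    size_t n = 0;
    for (const seq_node *c = first; c != NULL; c = c->next)
        n++;
    return n;
}

/* Well-formed constructed input: three elements "hi", "x", "abc". Returns 1 if
 * the parse and the cleanup behave as expected. */
int check_wellformed(void)
{
    static const unsigned char good[] = {0x02, 'h', 'i', 0x01, 'x', 0x03, 'a', 'b', 'c'};
    seq_node first;
    int rc = parse_sequence(good, sizeof good, &first);
    int ok = (rc == 3) && (seq_length(&first) == 3) &&
             first.len == 2 && first.next->len == 1 && first.next->next->len == 3 &&
             first.next->next->next == NULL;
    seq_free(&first);
    return ok && first.next == NULL;
}

/* Malformed constructed input: the second element claims 5 bytes but only 1
 * remains. The error is reported after the second node was already linked in;
 * thanks to the zeroing, that node's next is NULL and seq_free() is safe. */
int check_malformed(void)
{
    static const unsigned char bad[] = {0x01, 'a', 0x05, 'b'};
    seq_node first;
    int rc = parse_sequence(bad, sizeof bad, &first);
    int ok = (rc == ERR_MALFORMED) && first.next != NULL && first.next->next == NULL &&
             seq_length(&first) == 2;
    seq_free(&first);
    return ok && first.next == NULL;
}

int main(void)
{
    return (check_wellformed() && check_malformed()) ? 0 : 1;
}
```

The point to carry over to real parsers is the error path: any node that has been linked into a structure the caller will later free must already be in a releasable state at the moment of linking, which is why the zeroing happens before `cur->next = n` rather than after the loop.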
mbedtls is in the tree btw; it is a completely new library (in terms of file names) now: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=76bfad464c6c12a293099a923b31641e19fc3fb2
Maintainer(s), please advise when you are ready for stabilization or call for stabilization yourself.
Any news on this since it is a new year?
There is version 1.3.9-r1 that is currently in tree but not stable. Does it contain the fix for this?
Thomas, can you please take a look and provide an answer for this security bug?
This has been around for a while. Do we want to deprecate Polarssl and migrate over to mbedtls? We need to either fix this package (B2 vulnerability) or deprecate it and migrate the dependencies over.
Tommy: Please advise on this package. We will have to start the process to remove from tree.
I will test the remaining packages depending on polarssl against mbedtls. Based on the results we might either do a package move or have to switch each package separately after updating it to support mbedtls. This means polarssl will either be (pkg)moved out of the tree or treecleaned after depending packages have been updated.
(In reply to Thomas Sachau from comment #13)
> This means polarssl will either be (pkg)moved out of the tree or treecleaned
> after depending packages have been updated.

Thank you for the reply ... setting to glsa? / cleanup. Please let us know which you are going to choose so we can release the appropriate GLSA.
(In reply to Thomas Sachau from comment #13)
> I will test the remaining packages depending on polarssl against mbedtls.
> Based on the results we might either do a package move or have to switch
> each package separatly after updating it to support mbedtls.
>
> This means polarssl will either be (pkg)moved out of the tree or treecleaned
> after depending packages have been updated.

Packages still depend on polarssl:

media-sound/umurmur-0.2.16a (polarssl ? >=net-libs/polarssl-1.0.0)
media-sound/umurmur-0.2.16a-r1 (polarssl ? >=net-libs/polarssl-1.0.0)
media-video/rtmpdump-2.4_p20131018 (!gnutls ? >=net-libs/polarssl-1.3.4[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?])
media-video/rtmpdump-2.4_p20161210 (!gnutls ? >=net-libs/polarssl-1.3.4[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?])
media-video/rtmpdump-9999 (!gnutls ? >=net-libs/polarssl-1.3.4[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?])
net-misc/curl-7.50.3 (curl_ssl_polarssl ? net-libs/polarssl:0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?])
net-misc/curl-7.51.0 (curl_ssl_polarssl ? net-libs/polarssl:0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?])
net-misc/curl-7.52.1-r1 (curl_ssl_polarssl ? net-libs/polarssl:0[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?])
net-misc/openvpn-2.3.12 (polarssl ? >=net-libs/polarssl-1.3.8)
net-misc/openvpn-2.3.14 (polarssl ? >=net-libs/polarssl-1.3.8)
sys-fs/dislocker-0.5.2 (net-libs/polarssl)
sys-fs/dislocker-0.6.1 (net-libs/polarssl)
sys-fs/dislocker-9999 (net-libs/polarssl)
www-servers/hiawatha-9.8 (>=net-libs/polarssl-1.3[threads])

Is there a plan to remove polarssl in favor of net-libs/mbedtls?
I have checked the remaining packages depending on polarssl and have opened bugs for each of them. Bug 618354 is the tracker bug for them.
(In reply to Yury German from comment #14)
> Thank you for the reply ... setting to glsa? / cleanup.
> Please let us now which you are going to choose so we can release the
> appropriate GLSA.

Whiteboard changed.
Tracker bug seems to be ready. CI run for removal test: https://github.com/gentoo/gentoo/pull/6124
PMASKED for removal via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abf9e2ef8f4367976f00e2dfe13861ab30d427ab
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b01ba5b1c17186f40b54490d8f901211167da49a

commit b01ba5b1c17186f40b54490d8f901211167da49a
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-15 04:13:05 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-15 04:13:05 +0000

    net-libs/polarssl: Removal

    Closes: https://github.com/gentoo/gentoo/pull/6124
    Closes: https://bugs.gentoo.org/503782
    Bug: https://bugs.gentoo.org/537108
    Bug: https://bugs.gentoo.org/618354
    Bug: https://bugs.gentoo.org/503604

 net-libs/polarssl/Manifest                         |  1 -
 .../files/polarssl-1.3.9-respect-cflags.patch      | 15 ----
 net-libs/polarssl/metadata.xml                     | 18 ----
 net-libs/polarssl/polarssl-1.3.9-r1.ebuild         | 95 ----------------------
 net-libs/polarssl/polarssl-1.3.9.ebuild            | 92 ---------------------
 profiles/default/linux/package.use.mask            |  4 -
 profiles/package.mask                              |  6 --
 7 files changed, 231 deletions(-)
Package was removed. Waiting for final GLSA.
This issue was resolved and addressed in GLSA 201801-15 at https://security.gentoo.org/glsa/201801-15 by GLSA coordinator Thomas Deutschmann (whissi).