Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 581234 (CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176) - <dev-libs/openssl-1.0.2h: Multiple vulnerabilities (CVE-2016-{2105,2106,2107,2108,2109,2176})
Summary: <dev-libs/openssl-1.0.2h: Multiple vulnerabilities (CVE-2016-{2105,2106,2107,...
Status: RESOLVED FIXED
Alias: CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa cve]
Keywords:
: 635586 (view as bug list)
Depends on:
Blocks:
 
Reported: 2016-04-26 08:55 UTC by Agostino Sarubbo
Modified: 2019-04-27 19:00 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-04-26 08:55:59 UTC
From ${URL} :

An input validation flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO 
(OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO 
input could be forced to allocate an excessive amount of data, potentially resulting in a denial of 
service.

Upstream commit:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=c62981390d6cf9e3d612c489b8b77c2913b25807


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2016-05-03 14:36:39 UTC
OpenSSL Security Advisory [3rd May 2016]
========================================

Memory corruption in the ASN.1 encoder (CVE-2016-2108)
======================================================

Severity: High

This issue affected versions of OpenSSL prior to April 2015. The bug
causing the vulnerability was fixed on April 18th 2015, and released
as part of the June 11th 2015 security releases. The security impact
of the bug was not known at the time.

In previous versions of OpenSSL, ASN.1 encoding the value zero
represented as a negative integer can cause a buffer underflow
with an out-of-bounds write in i2c_ASN1_INTEGER. The ASN.1 parser does
not normally create "negative zeroes" when parsing ASN.1 input, and
therefore, an attacker cannot trigger this bug.

However, a second, independent bug revealed that the ASN.1 parser
(specifically, d2i_ASN1_TYPE) can misinterpret a large universal tag
as a negative zero value. Large universal tags are not present in any
common ASN.1 structures (such as X509) but are accepted as part of ANY
structures.

Therefore, if an application deserializes untrusted ASN.1 structures
containing an ANY field, and later reserializes them, an attacker may
be able to trigger an out-of-bounds write. This has been shown to
cause memory corruption that is potentially exploitable with some
malloc implementations.

Applications that parse and re-encode X509 certificates are known to
be vulnerable. Applications that verify RSA signatures on X509
certificates may also be vulnerable; however, only certificates with
valid signatures trigger ASN.1 re-encoding and hence the
bug. Specifically, since OpenSSL's default TLS X509 chain verification
code verifies the certificate chain from root to leaf, TLS handshakes
could only be targeted with valid certificates issued by trusted
Certification Authorities.

OpenSSL 1.0.2 users should upgrade to 1.0.2c
OpenSSL 1.0.1 users should upgrade to 1.0.1o

This vulnerability is a combination of two bugs, neither of which
individually has security impact. The first bug (mishandling of
negative zero integers) was reported to OpenSSL by Huzaifa Sidhpurwala
(Red Hat) and independently by Hanno Böck in April 2015. The second
issue (mishandling of large universal tags) was found using libFuzzer,
and reported on the public issue tracker on March 1st 2016. The fact
that these two issues combined present a security vulnerability was
reported by David Benjamin (Google) on March 31st 2016. The fixes were
developed by Steve Henson of the OpenSSL development team, and David
Benjamin.  The OpenSSL team would also like to thank Mark Brand and
Ian Beer from the Google Project Zero team for their careful analysis
of the impact.

The fix for the "negative zero" memory corruption bug can be
identified by commits

3661bb4e7934668bd99ca777ea8b30eedfafa871 (1.0.2)
and
32d3b0f52f77ce86d53f38685336668d47c5bdfe (1.0.1)

Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
======================================================

Severity: High

A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server support
AES-NI.

This issue was introduced as part of the fix for Lucky 13 padding
attack (CVE-2013-0169). The padding check was rewritten to be in
constant time by making sure that always the same bytes are read and
compared against either the MAC or padding bytes. But it no longer
checked that there was enough data to have both the MAC and padding
bytes.

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 13th of April 2016 by Juraj
Somorovsky using TLS-Attacker. The fix was developed by Kurt Roeckx
of the OpenSSL development team.

EVP_EncodeUpdate overflow (CVE-2016-2105)
=========================================

Severity: Low

An overflow can occur in the EVP_EncodeUpdate() function which is used for
Base64 encoding of binary data. If an attacker is able to supply very large
amounts of input data then a length check can overflow resulting in a heap
corruption.

Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by the
PEM_write_bio* family of functions. These are mainly used within the OpenSSL
command line applications. These internal uses are not considered vulnerable
because all calls are bounded with length checks so no overflow is possible.
User applications that call these APIs directly with large amounts of untrusted
data may be vulnerable. (Note: Initial analysis suggested that the
PEM_write_bio* were vulnerable, and this is reflected in the patch commit
message. This is no longer believed to be the case).

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 3rd March 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.

EVP_EncryptUpdate overflow (CVE-2016-2106)
==========================================

Severity: Low

An overflow can occur in the EVP_EncryptUpdate() function. If an attacker is
able to supply very large amounts of input data after a previous call to
EVP_EncryptUpdate() with a partial block then a length check can overflow
resulting in a heap corruption. Following an analysis of all OpenSSL internal
usage of the EVP_EncryptUpdate() function all usage is one of two forms.
The first form is where the EVP_EncryptUpdate() call is known to be the first
called function after an EVP_EncryptInit(), and therefore that specific call
must be safe. The second form is where the length passed to EVP_EncryptUpdate()
can be seen from the code to be some small value and therefore there is no
possibility of an overflow. Since all instances are one of these two forms, it
is believed that there can be no overflows in internal code due to this problem.
It should be noted that EVP_DecryptUpdate() can call EVP_EncryptUpdate() in
certain code paths. Also EVP_CipherUpdate() is a synonym for
EVP_EncryptUpdate(). All instances of these calls have also been analysed too
and it is believed there are no instances in internal usage where an overflow
could occur.

This could still represent a security issue for end user code that calls this
function directly.

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 3rd March 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.

ASN.1 BIO excessive memory allocation (CVE-2016-2109)
=====================================================

Severity: Low

When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
a short invalid encoding can casuse allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.

Any application parsing untrusted data through d2i BIO functions is affected.
The memory based functions such as d2i_X509() are *not* affected. Since the
memory based functions are used by the TLS library, TLS applications are not
affected.

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 4th April 2016 by Brian Carpenter.
The fix was developed by Stephen Henson of the OpenSSL development team.

EBCDIC overread (CVE-2016-2176)
===============================

Severity: Low

ASN1 Strings that are over 1024 bytes can cause an overread in applications
using the X509_NAME_oneline() function on EBCDIC systems. This could result in
arbitrary stack data being returned in the buffer.

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 5th March 2016 by Guido Vranken. The
fix was developed by Matt Caswell of the OpenSSL development team.

Note
====

As per our previous announcements and our Release Strategy
(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL
version 1.0.1 will cease on 31st December 2016. No security updates for that
version will be provided after that date. Users of 1.0.1 are advised to
upgrade.

Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those
versions are no longer receiving security updates.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20160503.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2016-05-03 14:37:42 UTC
Arches, please stabilize
=dev-libs/openssl-1.0.2h
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Jeroen Roovers gentoo-dev 2016-05-04 05:17:06 UTC
Stable for PPC64.
Comment 4 Jeroen Roovers gentoo-dev 2016-05-04 05:33:14 UTC
Stable for HPPA.
Comment 5 Lars Wendler (Polynomial-C) gentoo-dev 2016-05-04 06:39:04 UTC
commit 4a10a40c184baf55907db21f75a7e7b6969c1760
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed May 4 08:32:18 2016

    dev-libs/openssl: Stable for amd64 (bug #581234)
    
    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 6 Lars Wendler (Polynomial-C) gentoo-dev 2016-05-04 07:38:56 UTC
commit 5246a7ffbb18b421cde86db8e5cf2ea4e83f430b
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed May 4 09:37:15 2016

    dev-libs/openssl: Stable for x86 (bug #581234).
    
    Package-Manager: portage-2.2.28
    RepoMan-Options: --include-arches="x86"
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 7 Markus Meier gentoo-dev 2016-05-12 17:16:15 UTC
arm stable
Comment 8 Tobias Klausmann gentoo-dev 2016-05-20 18:46:37 UTC
Stable on alpha.
Comment 9 SpanKY gentoo-dev 2016-05-24 19:30:16 UTC
done all the rest now
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2016-06-06 21:29:42 UTC
Arches, Thank you for your work.
Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2016-09-07 01:04:44 UTC
Maintainers please drop:
1.0.2g-r2
1.0.2h
1.0.2h-r1
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2016-10-31 05:01:12 UTC
Reminder please cleanup or mask the versions mentioned
Comment 13 Lars Wendler (Polynomial-C) gentoo-dev 2016-10-31 07:12:30 UTC
commit 246f6b0590667adffa8967d9ba41bc993119a553
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Oct 31 08:10:08 2016

    dev-libs/openssl: Removed vulnerable versions.

    Package-Manager: portage-2.3.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2016-12-07 10:27:17 UTC
This issue was resolved and addressed in
 GLSA 201612-16 at https://security.gentoo.org/glsa/201612-16
by GLSA coordinator Aaron Bauman (b-man).
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2019-04-27 19:00:18 UTC
*** Bug 635586 has been marked as a duplicate of this bug. ***